outposts: fix oauth state when using signature routing (#3616)
* fix oauth state when using signature routing Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org> * more retires Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org> Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
This commit is contained in:
parent
9fb5092fdc
commit
47daaf969a
|
@ -37,9 +37,11 @@ func (a *Application) forwardHandleTraefik(rw http.ResponseWriter, r *http.Reque
|
|||
http.Error(rw, "configuration error", http.StatusInternalServerError)
|
||||
return
|
||||
}
|
||||
tr := r.Clone(r.Context())
|
||||
tr.URL = fwd
|
||||
if strings.EqualFold(fwd.Query().Get(CallbackSignature), "true") {
|
||||
a.log.Debug("handling OAuth Callback from querystring signature")
|
||||
a.handleAuthCallback(rw, r)
|
||||
a.handleAuthCallback(rw, tr)
|
||||
return
|
||||
} else if strings.EqualFold(fwd.Query().Get(LogoutSignature), "true") {
|
||||
a.log.Debug("handling OAuth Logout from querystring signature")
|
||||
|
@ -57,8 +59,6 @@ func (a *Application) forwardHandleTraefik(rw http.ResponseWriter, r *http.Reque
|
|||
a.log.Trace("path can be accessed without authentication")
|
||||
return
|
||||
}
|
||||
tr := r.Clone(r.Context())
|
||||
tr.URL = fwd
|
||||
a.handleAuthStart(rw, r)
|
||||
// set the redirect flag to the current URL we have, since we redirect
|
||||
// to a (possibly) different domain, but we want to be redirected back
|
||||
|
@ -88,9 +88,11 @@ func (a *Application) forwardHandleCaddy(rw http.ResponseWriter, r *http.Request
|
|||
http.Error(rw, "configuration error", http.StatusInternalServerError)
|
||||
return
|
||||
}
|
||||
tr := r.Clone(r.Context())
|
||||
tr.URL = fwd
|
||||
if strings.EqualFold(fwd.Query().Get(CallbackSignature), "true") {
|
||||
a.log.Debug("handling OAuth Callback from querystring signature")
|
||||
a.handleAuthCallback(rw, r)
|
||||
a.handleAuthCallback(rw, tr)
|
||||
return
|
||||
} else if strings.EqualFold(fwd.Query().Get(LogoutSignature), "true") {
|
||||
a.log.Debug("handling OAuth Logout from querystring signature")
|
||||
|
@ -108,8 +110,6 @@ func (a *Application) forwardHandleCaddy(rw http.ResponseWriter, r *http.Request
|
|||
a.log.Trace("path can be accessed without authentication")
|
||||
return
|
||||
}
|
||||
tr := r.Clone(r.Context())
|
||||
tr.URL = fwd
|
||||
a.handleAuthStart(rw, r)
|
||||
// set the redirect flag to the current URL we have, since we redirect
|
||||
// to a (possibly) different domain, but we want to be redirected back
|
||||
|
|
|
@ -78,7 +78,7 @@ func (a *Application) handleAuthCallback(rw http.ResponseWriter, r *http.Request
|
|||
http.Redirect(rw, r, a.proxyConfig.ExternalHost, http.StatusFound)
|
||||
return
|
||||
}
|
||||
claims, err := a.redeemCallback(r, state.([]string))
|
||||
claims, err := a.redeemCallback(state.([]string), r.URL, r.Context())
|
||||
if err != nil {
|
||||
a.log.WithError(err).Warning("failed to redeem code")
|
||||
rw.WriteHeader(400)
|
||||
|
|
|
@ -3,14 +3,14 @@ package application
|
|||
import (
|
||||
"context"
|
||||
"fmt"
|
||||
"net/http"
|
||||
"net/url"
|
||||
|
||||
log "github.com/sirupsen/logrus"
|
||||
"golang.org/x/oauth2"
|
||||
)
|
||||
|
||||
func (a *Application) redeemCallback(r *http.Request, states []string) (*Claims, error) {
|
||||
state := r.URL.Query().Get("state")
|
||||
func (a *Application) redeemCallback(states []string, u *url.URL, c context.Context) (*Claims, error) {
|
||||
state := u.Query().Get("state")
|
||||
if len(states) < 1 {
|
||||
return nil, fmt.Errorf("no states")
|
||||
}
|
||||
|
@ -29,12 +29,12 @@ func (a *Application) redeemCallback(r *http.Request, states []string) (*Claims,
|
|||
return nil, fmt.Errorf("invalid state")
|
||||
}
|
||||
|
||||
code := r.URL.Query().Get("code")
|
||||
code := u.Query().Get("code")
|
||||
if code == "" {
|
||||
return nil, fmt.Errorf("blank code")
|
||||
}
|
||||
|
||||
ctx := context.WithValue(r.Context(), oauth2.HTTPClient, a.httpClient)
|
||||
ctx := context.WithValue(c, oauth2.HTTPClient, a.httpClient)
|
||||
// Verify state and errors.
|
||||
oauth2Token, err := a.oauthConfig.Exchange(ctx, code)
|
||||
if err != nil {
|
||||
|
|
|
@ -19,7 +19,7 @@ ENV GIT_BUILD_HASH=$GIT_BUILD_HASH
|
|||
|
||||
COPY --from=builder /go/ldap /
|
||||
|
||||
HEALTHCHECK --interval=5s --retries=10 --start-period=3s CMD [ "wget", "--spider", "http://localhost:9300/outpost.goauthentik.io/ping" ]
|
||||
HEALTHCHECK --interval=5s --retries=20 --start-period=3s CMD [ "wget", "--spider", "http://localhost:9300/outpost.goauthentik.io/ping" ]
|
||||
|
||||
EXPOSE 3389 6636 9300
|
||||
|
||||
|
|
|
@ -32,7 +32,7 @@ COPY --from=web-builder /static/security.txt /web/security.txt
|
|||
COPY --from=web-builder /static/dist/ /web/dist/
|
||||
COPY --from=web-builder /static/authentik/ /web/authentik/
|
||||
|
||||
HEALTHCHECK --interval=5s --retries=10 --start-period=3s CMD [ "wget", "--spider", "http://localhost:9300/outpost.goauthentik.io/ping" ]
|
||||
HEALTHCHECK --interval=5s --retries=20 --start-period=3s CMD [ "wget", "--spider", "http://localhost:9300/outpost.goauthentik.io/ping" ]
|
||||
|
||||
EXPOSE 9000 9300 9443
|
||||
|
||||
|
|
Reference in New Issue