outposts/proxy: fix error handling, remove requirement for profile/etc scopes
Signed-off-by: Jens Langhammer <jens@goauthentik.io>
parent
829e49275d
commit
4c45d35507
|
@ -104,23 +104,18 @@ func NewApplication(p api.ProxyOutpostConfig, c *http.Client, cs *ak.CryptoStore
|
||||||
}
|
}
|
||||||
a.sessions = a.getStore(p, externalHost)
|
a.sessions = a.getStore(p, externalHost)
|
||||||
mux.Use(web.NewLoggingHandler(muxLogger, func(l *log.Entry, r *http.Request) *log.Entry {
|
mux.Use(web.NewLoggingHandler(muxLogger, func(l *log.Entry, r *http.Request) *log.Entry {
|
||||||
s, err := a.sessions.Get(r, constants.SessionName)
|
c := a.getClaimsFromSession(r)
|
||||||
if err != nil {
|
if c == nil {
|
||||||
return l
|
|
||||||
}
|
|
||||||
claims, ok := s.Values[constants.SessionClaims]
|
|
||||||
if claims == nil || !ok {
|
|
||||||
return l
|
|
||||||
}
|
|
||||||
c, ok := claims.(Claims)
|
|
||||||
if !ok {
|
|
||||||
return l
|
return l
|
||||||
}
|
}
|
||||||
|
if c.PreferredUsername != "" {
|
||||||
return l.WithField("request_username", c.PreferredUsername)
|
return l.WithField("request_username", c.PreferredUsername)
|
||||||
|
}
|
||||||
|
return l.WithField("request_username", c.Sub)
|
||||||
}))
|
}))
|
||||||
mux.Use(func(inner http.Handler) http.Handler {
|
mux.Use(func(inner http.Handler) http.Handler {
|
||||||
return http.HandlerFunc(func(rw http.ResponseWriter, r *http.Request) {
|
return http.HandlerFunc(func(rw http.ResponseWriter, r *http.Request) {
|
||||||
c, _ := a.checkAuth(rw, r)
|
c := a.getClaimsFromSession(r)
|
||||||
user := ""
|
user := ""
|
||||||
if c != nil {
|
if c != nil {
|
||||||
user = c.PreferredUsername
|
user = c.PreferredUsername
|
||||||
|
|
|
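Review bot: Switching the second `mux.Use` closure from `a.checkAuth(rw, r)` to `a.getClaimsFromSession(r)` leaves `user` as `""` for requests authenticated by a bearer token, since `attemptBearerAuth` (touched elsewhere in this commit) presumably returns claims without writing them into the cookie session; whatever that middleware feeds — it reads like per-user metrics — will then count bearer-authenticated traffic as anonymous. If that is deliberate, a one-line comment at the call site would stop it being "fixed" back later: `// Session-backed identity only; bearer/basic-auth requests are attributed as anonymous here.` If not, the bearer path should attach its claims to the request context so both this closure and the logging handler above can see them. The logging handler's fallback to `c.Sub` under the `request_username` key also mixes a subject identifier into a field named for usernames; `request_sub`, or a neutral `request_user`, would keep log queries honest. `NewApplication` begins before this hunk.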
@ -52,10 +52,6 @@ func (a *Application) attemptBearerAuth(r *http.Request, token string) *TokenInt
|
||||||
a.log.Warning("token is not active")
|
a.log.Warning("token is not active")
|
||||||
return nil
|
return nil
|
||||||
}
|
}
|
||||||
if !strings.Contains(intro.Scope, "openid") || !strings.Contains(intro.Scope, "profile") {
|
|
||||||
a.log.Error("token missing openid or profile scope")
|
|
||||||
return nil
|
|
||||||
}
|
|
||||||
intro.RawToken = token
|
intro.RawToken = token
|
||||||
a.log.Trace("successfully introspected bearer token")
|
a.log.Trace("successfully introspected bearer token")
|
||||||
return &intro
|
return &intro
|
||||||
|
|
|
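Review bot: The removed check dropped the `openid` scope requirement along with `profile`, so any token the introspection endpoint reports as active — whatever scopes it was issued with — is now accepted for proxy access, which is broader than the commit title ("profile/etc") suggests. If the intent is to rely on introspection binding the token to this provider and on policy for authorization, that reasoning belongs in a comment where the check used to sit, e.g. `// Scopes are intentionally not checked here: introspection already ties the token to this provider and access is decided by policy.` Otherwise retain a check for `openid`, but split `intro.Scope` on spaces instead of using `strings.Contains`, which matched substrings. `attemptBearerAuth` starts before this hunk.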
@ -29,6 +29,9 @@ func (a *Application) addHeaders(headers http.Header, c *Claims) {
|
||||||
headers.Set("X-authentik-meta-app", a.proxyConfig.AssignedApplicationSlug)
|
headers.Set("X-authentik-meta-app", a.proxyConfig.AssignedApplicationSlug)
|
||||||
headers.Set("X-authentik-meta-version", constants.OutpostUserAgent())
|
headers.Set("X-authentik-meta-version", constants.OutpostUserAgent())
|
||||||
|
|
||||||
|
if c.Proxy == nil {
|
||||||
|
return
|
||||||
|
}
|
||||||
userAttributes := c.Proxy.UserAttributes
|
userAttributes := c.Proxy.UserAttributes
|
||||||
// Attempt to set basic auth based on user's attributes
|
// Attempt to set basic auth based on user's attributes
|
||||||
if *a.proxyConfig.BasicAuthEnabled {
|
if *a.proxyConfig.BasicAuthEnabled {
|
||||||
|
|
|
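Review bot: The new `if c.Proxy == nil { return }` guard exits silently, so when claims arrive without a proxy section none of the attribute-derived headers or the basic-auth credentials below are set and nothing records why; a trace line before the return, `a.log.Trace("claims have no proxy section, skipping attribute headers")`, would make an upstream 401 caused by a misconfigured scope mapping diagnosable. The guard also assumes `c` itself is non-nil, which holds only if every caller already filters nil claims — the callers are outside this hunk, so worth confirming. `addHeaders` starts before this hunk and continues after it.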
@ -33,6 +33,13 @@ func (a *Application) configureProxy() error {
|
||||||
rp.ErrorHandler = a.newProxyErrorHandler()
|
rp.ErrorHandler = a.newProxyErrorHandler()
|
||||||
rp.ModifyResponse = a.proxyModifyResponse
|
rp.ModifyResponse = a.proxyModifyResponse
|
||||||
a.mux.PathPrefix("/").HandlerFunc(func(rw http.ResponseWriter, r *http.Request) {
|
a.mux.PathPrefix("/").HandlerFunc(func(rw http.ResponseWriter, r *http.Request) {
|
||||||
|
defer func() {
|
||||||
|
err := recover()
|
||||||
|
if err == nil || err == http.ErrAbortHandler {
|
||||||
|
return
|
||||||
|
}
|
||||||
|
log.WithError(err.(error)).Error("recover in reverse proxy")
|
||||||
|
}()
|
||||||
claims, err := a.checkAuth(rw, r)
|
claims, err := a.checkAuth(rw, r)
|
||||||
if claims == nil && a.IsAllowlisted(r.URL) {
|
if claims == nil && a.IsAllowlisted(r.URL) {
|
||||||
a.log.Trace("path can be accessed without authentication")
|
a.log.Trace("path can be accessed without authentication")
|
||||||
|
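Review bot: The recovered value is cast with an unchecked `err.(error)` in the moved `defer`; a `panic` with a non-error value (a plain string, or anything a dependency panics with) turns that assertion into a second panic inside the deferred func, which escapes this recovery and lands in net/http's connection-level recover instead. Logging the raw value avoids that: `log.WithField("panic", err).Error("recover in reverse proxy")`, or type-switch on `error` and fall back to `fmt.Sprint(err)`. After a recovered panic nothing is written to `rw`, so if no headers were sent yet the client gets an empty 200 rather than a 5xx; an `http.Error(rw, "", http.StatusBadGateway)` guarded by a headers-already-written check would be more honest. Moving the defer above `checkAuth` is the right call, since the auth path is now covered too. `configureProxy` continues beyond this hunk.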
@ -45,13 +52,6 @@ func (a *Application) configureProxy() error {
|
||||||
}
|
}
|
||||||
before := time.Now()
|
before := time.Now()
|
||||||
rp.ServeHTTP(rw, r)
|
rp.ServeHTTP(rw, r)
|
||||||
defer func() {
|
|
||||||
err := recover()
|
|
||||||
if err == nil || err == http.ErrAbortHandler {
|
|
||||||
return
|
|
||||||
}
|
|
||||||
log.WithError(err.(error)).Error("recover in reverse proxy")
|
|
||||||
}()
|
|
||||||
after := time.Since(before)
|
after := time.Since(before)
|
||||||
|
|
||||||
metrics.UpstreamTiming.With(prometheus.Labels{
|
metrics.UpstreamTiming.With(prometheus.Labels{
|
||||||
|
@ -68,9 +68,9 @@ func (a *Application) configureProxy() error {
|
||||||
func (a *Application) proxyModifyRequest(ou *url.URL) func(req *http.Request) {
|
func (a *Application) proxyModifyRequest(ou *url.URL) func(req *http.Request) {
|
||||||
return func(r *http.Request) {
|
return func(r *http.Request) {
|
||||||
r.Header.Set("X-Forwarded-Host", r.Host)
|
r.Header.Set("X-Forwarded-Host", r.Host)
|
||||||
claims, _ := a.checkAuth(nil, r)
|
|
||||||
r.URL.Scheme = ou.Scheme
|
r.URL.Scheme = ou.Scheme
|
||||||
r.URL.Host = ou.Host
|
r.URL.Host = ou.Host
|
||||||
|
claims := a.getClaimsFromSession(r)
|
||||||
if claims != nil && claims.Proxy != nil && claims.Proxy.BackendOverride != "" {
|
if claims != nil && claims.Proxy != nil && claims.Proxy.BackendOverride != "" {
|
||||||
u, err := url.Parse(claims.Proxy.BackendOverride)
|
u, err := url.Parse(claims.Proxy.BackendOverride)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
|
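Review bot: `a.getClaimsFromSession(r)` sources `BackendOverride` only from the cookie session, so a request authenticated with a bearer token — whose claims the old `checkAuth(nil, r)` call presumably also produced — now silently falls back to the configured upstream `ou`, a behavior change the commit message does not mention. If that is intended, a comment at the new call keeps the next reader from re-adding it: `// Only session-backed claims may override the backend; bearer-auth requests always use the configured upstream.` If not, the bearer path's claims need to be attached to the request (e.g. via context) before this director runs. The director closure is complete within the hunk.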
@ -85,6 +85,6 @@ func (a *Application) proxyModifyRequest(ou *url.URL) func(req *http.Request) {
|
||||||
}
|
}
|
||||||
|
|
||||||
func (a *Application) proxyModifyResponse(res *http.Response) error {
|
func (a *Application) proxyModifyResponse(res *http.Response) error {
|
||||||
res.Header.Set("X-Powered-By", "authentik_proxy2")
|
res.Header.Set("X-Powered-By", "goauthentik.io")
|
||||||
return nil
|
return nil
|
||||||
}
|
}
|
||||||
|
|
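Review bot: `X-Powered-By` still fingerprints the proxy on every upstream response, and changing the value to `goauthentik.io` makes the vendor identification more precise, not less; this header is a routine reconnaissance target. If it exists to tell proxy-handled responses apart while debugging, consider gating it behind a debug or config flag, or at least state the intent above the `Set`: `// Marks responses that passed through the outpost; deliberately discloses the vendor.` Otherwise it can be dropped. `proxyModifyResponse` is complete within the hunk.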