From 9f431396c0ec313125210913aad9b18b0151b0df Mon Sep 17 00:00:00 2001
From: Jens Langhammer
Date: Sun, 19 Feb 2023 17:35:25 +0100
Subject: [PATCH] providers/proxy: ensure issuer is correct when browser url override is set

Signed-off-by: Jens Langhammer #4715
---
 internal/config/struct.go | 7 ++++---
 internal/outpost/proxyv2/application/endpoint.go | 15 ++++++++-------
 2 files changed, 12 insertions(+), 10 deletions(-)

diff --git a/internal/config/struct.go b/internal/config/struct.go
index ec3411ada..df3cf3df5 100644
--- a/internal/config/struct.go
+++ b/internal/config/struct.go
@@ -18,9 +18,10 @@ type Config struct {
 // Outpost specific config
 // These are only relevant for proxy/ldap outposts, and cannot be set via YAML
 // They are loaded via this config loader to support file:// schemas
- AuthentikHost string `env:"AUTHENTIK_HOST"`
- AuthentikToken string `env:"AUTHENTIK_TOKEN"`
- AuthentikInsecure bool `env:"AUTHENTIK_INSECURE"`
+ AuthentikHost string `env:"AUTHENTIK_HOST"`
+ AuthentikHostBrowser string `env:"AUTHENTIK_HOST_BROWSER"`
+ AuthentikToken string `env:"AUTHENTIK_TOKEN"`
+ AuthentikInsecure bool `env:"AUTHENTIK_INSECURE"`
 }
 
 type RedisConfig struct {
diff --git a/internal/outpost/proxyv2/application/endpoint.go b/internal/outpost/proxyv2/application/endpoint.go
index 28735db14..de6ec3662 100644
--- a/internal/outpost/proxyv2/application/endpoint.go
+++ b/internal/outpost/proxyv2/application/endpoint.go
@@ -2,11 +2,11 @@ package application
 
 import (
 "net/url"
- "os"
 "strings"
 
 log "github.com/sirupsen/logrus"
 "goauthentik.io/api/v3"
+ "goauthentik.io/internal/config"
 "golang.org/x/oauth2"
 )
 
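Review bot: The new `AuthentikHostBrowser` field has no doc comment, and the block comment above the group only says these values cannot be set via YAML, so a reader of the config struct cannot tell what the value is for. Elsewhere in this patch it is substituted for `AuthentikHost` in the OIDC authorize, end-session, JWKS and issuer URLs the proxy outpost builds, and an empty value disables that substitution; I would state that above the field: `// AuthentikHostBrowser, when non-empty, replaces AuthentikHost in the OIDC endpoint and issuer URLs the proxy outpost builds.` The `Config` struct's header and its remaining fields are outside this hunk.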
@@ -33,11 +33,12 @@ func GetOIDCEndpoint(p api.ProxyOutpostConfig, authentikHost string, embedded bo
 endUrl := p.OidcConfiguration.EndSessionEndpoint
 tokenUrl := p.OidcConfiguration.TokenEndpoint
 jwksUrl := p.OidcConfiguration.JwksUri
- if browserHost, found := os.LookupEnv("AUTHENTIK_HOST_BROWSER"); found && browserHost != "" {
- host := os.Getenv("AUTHENTIK_HOST")
- authUrl = strings.ReplaceAll(authUrl, host, browserHost)
- endUrl = strings.ReplaceAll(endUrl, host, browserHost)
- jwksUrl = strings.ReplaceAll(jwksUrl, host, browserHost)
+ issuer := p.OidcConfiguration.Issuer
+ if config.Get().AuthentikHostBrowser != "" {
+ authUrl = strings.ReplaceAll(authUrl, authentikHost, config.Get().AuthentikHostBrowser)
+ endUrl = strings.ReplaceAll(endUrl, authentikHost, config.Get().AuthentikHostBrowser)
+ jwksUrl = strings.ReplaceAll(jwksUrl, authentikHost, config.Get().AuthentikHostBrowser)
+ issuer = strings.ReplaceAll(issuer, authentikHost, config.Get().AuthentikHostBrowser)
 }
 ep := OIDCEndpoint{
 Endpoint: oauth2.Endpoint{
@@ -48,7 +49,7 @@ func GetOIDCEndpoint(p api.ProxyOutpostConfig, authentikHost string, embedded bo
 EndSessionEndpoint: endUrl,
 JwksUri: jwksUrl,
 TokenIntrospection: p.OidcConfiguration.IntrospectionEndpoint,
- Issuer: p.OidcConfiguration.Issuer,
+ Issuer: issuer,
 }
 if !embedded {
 return ep
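Review bot: The four `strings.ReplaceAll` calls now key on the `authentikHost` parameter, but nothing in the hunk guards against it being empty; with an empty needle `ReplaceAll` inserts the browser host between every character, so a misconfigured outpost would build unusable authorize, end-session, JWKS and issuer URLs. `config.Get()` is also evaluated four times inside the block. I would hoist it and extend the guard: `browserHost := config.Get().AuthentikHostBrowser` and `if browserHost != "" && authentikHost != "" {`, with the four calls then passing `browserHost`. Because the rewritten `issuer` presumably becomes the `iss` the outpost validates ID tokens against, it has to match what the server emits for the browser-facing host exactly, yet a trailing-slash or scheme mismatch between `authentikHost` and the stored URLs leaves every string silently unchanged; parsing each URL with `url.Parse` (already imported) and swapping scheme and host would be more robust than substring replacement. `GetOIDCEndpoint`'s signature and the rest of its body are outside the hunk.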