outposts/proxy: add header to prevent redirects

Signed-off-by: Jens Langhammer <jens@goauthentik.io>
This commit is contained in:
Jens Langhammer 2023-01-14 22:18:22 +01:00
parent 0ddcefce80
commit d31e566873
No known key found for this signature in database
4 changed files with 25 additions and 6 deletions

View File

@ -8,9 +8,6 @@ import (
"goauthentik.io/internal/outpost/proxyv2/constants"
)
const HeaderAuthorization = "Authorization"
const AuthBearer = "Bearer "
// checkAuth Get claims which are currently in session
// Returns an error if the session can't be loaded or the claims can't be parsed/type-cast
func (a *Application) checkAuth(rw http.ResponseWriter, r *http.Request) (*Claims, error) {
@ -70,7 +67,7 @@ func (a *Application) getClaimsFromSession(r *http.Request) *Claims {
}
func (a *Application) getClaimsFromCache(r *http.Request) *Claims {
key := r.Header.Get(HeaderAuthorization)
key := r.Header.Get(constants.HeaderAuthorization)
item := a.authHeaderCache.Get(key)
if item != nil && !item.IsExpired() {
v := item.Value()
@ -88,12 +85,12 @@ func (a *Application) saveAndCacheClaims(rw http.ResponseWriter, r *http.Request
return nil, err
}
key := r.Header.Get(HeaderAuthorization)
key := r.Header.Get(constants.HeaderAuthorization)
item := a.authHeaderCache.Get(key)
// Don't set when the key is already found
if item == nil {
a.authHeaderCache.Set(key, claims, time.Second*60)
}
r.Header.Del(HeaderAuthorization)
r.Header.Del(constants.HeaderAuthorization)
return &claims, nil
}

View File

@ -1,6 +1,7 @@
package application
import (
"fmt"
"net/http"
"net/url"
"path"
@ -34,6 +35,16 @@ func (a *Application) redirectToStart(rw http.ResponseWriter, r *http.Request) {
if err != nil {
a.log.WithError(err).Warning("failed to decode session")
}
if r.Header.Get(constants.HeaderNoRedirect) == "true" {
er := a.errorTemplates.Execute(rw, ErrorPageData{
Title: "Unauthenticated",
Message: fmt.Sprintf("Due to '%s' being set, no redirect is performed.", constants.HeaderNoRedirect),
ProxyPrefix: "/outpost.goauthentik.io",
})
if er != nil {
http.Error(rw, "Internal Server Error", http.StatusInternalServerError)
}
}
redirectUrl := urlPathSet(a.proxyConfig.ExternalHost, r.URL.Path)

View File

@ -6,3 +6,8 @@ const SessionOAuthState = "oauth_state"
const SessionClaims = "claims"
const SessionRedirect = "redirect"
const HeaderAuthorization = "Authorization"
const HeaderNoRedirect = "X-Authentik-No-Redirect"
const AuthBearer = "Bearer "

View File

@ -2,6 +2,8 @@
title: Header authentication
---
## Sending authentication
### Send HTTP Basic authentication
Proxy providers have the option to _Send HTTP-Basic Authentication_ to the upstream authentication. When the option in the provider is enabled, two attributes must be specified. These attributes are the keys of values which can be saved on a user or group level that contain the credentials.
@ -17,6 +19,10 @@ These credentials are only retrieved when the user authenticates to the proxy.
If the user does not have a matching attribute, authentik falls back to using the user's email address as username, and the password will be empty if not found.
## Receiving authentication
It is recommended to set the `X-Authentik-No-Redirect` header to `true` to prevent redirects when sending requests via the below methods. This prevents additional load when unauthenticated requests are retried and all get redirected to a flow executor.
### Receiving HTTP Basic authentication
:::info