providers/proxy: add is_superuser to ak_proxy object, only show full error when superuser

closes #3314

Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>

authentik/providers/proxy/managed.py

@@ -8,7 +8,8 @@ SCOPE_AK_PROXY_EXPRESSION = """
 # which are used for example for the HTTP-Basic Authentication mapping.
 return {
     "ak_proxy": {
-        "user_attributes": request.user.group_attributes(request)
+        "user_attributes": request.user.group_attributes(request),
+        "is_superuser": request.user.is_superuser,
     }
 }"""
 

internal/outpost/proxyv2/application/claims.go

@@ -3,6 +3,7 @@ package application
 type ProxyClaims struct {
 	UserAttributes  map[string]interface{} `json:"user_attributes"`
 	BackendOverride string                 `json:"backend_override"`
+	IsSuperuser     bool                   `json:"is_superuser"`
 }
 
 type Claims struct {

internal/outpost/proxyv2/application/error.go

@@ -20,8 +20,10 @@ func (a *Application) ErrorPage(rw http.ResponseWriter, r *http.Request, err str
 		Message:     "Error proxying to upstream server",
 		ProxyPrefix: "/outpost.goauthentik.io",
 	}
-	if claims != nil && len(err) > 0 {
+	if claims != nil && claims.Proxy.IsSuperuser {
 		data.Message = err
+	} else {
+		data.Message = "Failed to connect to backend."
 	}
 	er := a.errorTemplates.Execute(rw, data)
 	if er != nil {
@@ -34,6 +36,6 @@ func (a *Application) newProxyErrorHandler() func(http.ResponseWriter, *http.Req
 	return func(rw http.ResponseWriter, req *http.Request, proxyErr error) {
 		log.WithError(proxyErr).Warning("Error proxying to upstream server")
 		rw.WriteHeader(http.StatusBadGateway)
-		a.ErrorPage(rw, req, fmt.Sprintf("Error proxying to upstream server: %s", proxyErr.Error()))
+		a.ErrorPage(rw, req, fmt.Sprintf("Error proxying to upstream server: %v", proxyErr))
 	}
 }