package application

import (

	sentryhttp ""
	log ""

type Application struct {
	Host                 string
	Cert                 *tls.Certificate
	UnauthenticatedRegex []*regexp.Regexp

	endpoint      OIDCEndpoint
	oauthConfig   oauth2.Config
	tokenVerifier *oidc.IDTokenVerifier
	outpostName   string
	sessionName   string

	sessions             sessions.Store
	proxyConfig          api.ProxyOutpostConfig
	httpClient           *http.Client
	publicHostHTTPClient *http.Client

	log *log.Entry
	mux *mux.Router
	ak  *ak.APIController
	srv Server

	errorTemplates  *template.Template
	authHeaderCache *ttlcache.Cache[string, Claims]

	isEmbedded bool

type Server interface {
	API() *ak.APIController
	Apps() []*Application
	CryptoStore() *ak.CryptoStore

func NewApplication(p api.ProxyOutpostConfig, c *http.Client, server Server) (*Application, error) {
	muxLogger := log.WithField("logger", "authentik.outpost.proxyv2.application").WithField("name", p.Name)

	externalHost, err := url.Parse(p.ExternalHost)
	if err != nil {
		return nil, fmt.Errorf("failed to parse URL, skipping provider")

	var ks oidc.KeySet
	if contains(p.OidcConfiguration.IdTokenSigningAlgValuesSupported, "HS256") {
		ks = hs256.NewKeySet(*p.ClientSecret)
	} else {
		ctx := context.WithValue(context.Background(), oauth2.HTTPClient, c)
		ks = oidc.NewRemoteKeySet(ctx, p.OidcConfiguration.JwksUri)

	redirectUri, _ := url.Parse(p.ExternalHost)
	redirectUri.Path = path.Join(redirectUri.Path, "/")
	redirectUri.RawQuery = url.Values{
		CallbackSignature: []string{"true"},

	isEmbedded := false
	if m := server.API().Outpost.Managed.Get(); m != nil {
		isEmbedded = *m == ""
	// Configure an OpenID Connect aware OAuth2 client.
	endpoint := GetOIDCEndpoint(

	verifier := oidc.NewVerifier(endpoint.Issuer, ks, &oidc.Config{
		ClientID:             *p.ClientId,
		SupportedSigningAlgs: []string{"RS256", "HS256"},

	oauth2Config := oauth2.Config{
		ClientID:     *p.ClientId,
		ClientSecret: *p.ClientSecret,
		RedirectURL:  redirectUri.String(),
		Endpoint:     endpoint.Endpoint,
		Scopes:       p.ScopesToRequest,
	mux := mux.NewRouter()

	// Save cookie name, based on hashed client ID
	h := sha256.New()
	bs := string(h.Sum([]byte(*p.ClientId)))
	sessionName := fmt.Sprintf("authentik_proxy_%s", bs[:8])

	a := &Application{
		Host:                 externalHost.Host,
		log:                  muxLogger,
		outpostName:          server.API().Outpost.Name,
		sessionName:          sessionName,
		endpoint:             endpoint,
		oauthConfig:          oauth2Config,
		tokenVerifier:        verifier,
		proxyConfig:          p,
		httpClient:           c,
		publicHostHTTPClient: web.NewHostInterceptor(c, server.API().Outpost.Config["authentik_host"].(string)),
		mux:                  mux,
		errorTemplates:       templates.GetTemplates(),
		ak:                   server.API(),
		authHeaderCache:      ttlcache.New(ttlcache.WithDisableTouchOnHit[string, Claims]()),
		srv:                  server,
		isEmbedded:           isEmbedded,
	go a.authHeaderCache.Start()
	a.sessions = a.getStore(p, externalHost)
	mux.Use(web.NewLoggingHandler(muxLogger, func(l *log.Entry, r *http.Request) *log.Entry {
		c := a.getClaimsFromSession(r)
		if c == nil {
			return l
		if c.PreferredUsername != "" {
			return l.WithField("user", c.PreferredUsername)
		return l.WithField("user", c.Sub)
	mux.Use(func(inner http.Handler) http.Handler {
		return http.HandlerFunc(func(rw http.ResponseWriter, r *http.Request) {
			c := a.getClaimsFromSession(r)
			user := ""
			if c != nil {
				user = c.PreferredUsername
				hub := sentry.GetHubFromContext(r.Context())
				if hub == nil {
					hub = sentry.CurrentHub()
					Username:  user,
					ID:        c.Sub,
					IPAddress: r.RemoteAddr,
			before := time.Now()
			inner.ServeHTTP(rw, r)
			elapsed := time.Since(before)
				"outpost_name": a.outpostName,
				"type":         "app",
				"method":       r.Method,
				"host":         web.GetHost(r),
			}).Observe(float64(elapsed) / float64(time.Second))
				"outpost_name": a.outpostName,
				"type":         "app",
				"method":       r.Method,
				"host":         web.GetHost(r),
	if server.API().GlobalConfig.ErrorReporting.Enabled {
	mux.Use(func(inner http.Handler) http.Handler {
		return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
			if strings.EqualFold(r.URL.Query().Get(CallbackSignature), "true") {
				a.log.Debug("handling OAuth Callback from querystring signature")
				a.handleAuthCallback(w, r)
			} else if strings.EqualFold(r.URL.Query().Get(LogoutSignature), "true") {
				a.log.Debug("handling OAuth Logout from querystring signature")
				a.handleSignOut(w, r)
			} else {
				inner.ServeHTTP(w, r)

	mux.HandleFunc("/", a.handleAuthStart)
	mux.HandleFunc("/", a.handleAuthCallback)
	mux.HandleFunc("/", a.handleSignOut)
	switch *p.Mode {
		err = a.configureProxy()
		err = a.configureForward()
	if err != nil {
		return nil, fmt.Errorf("failed to configure application mode: %w", err)

	if kp := p.Certificate.Get(); kp != nil {
		err := server.CryptoStore().AddKeypair(*kp)
		if err != nil {
			return nil, fmt.Errorf("failed to initially fetch certificate: %w", err)
		a.Cert = server.CryptoStore().Get(*kp)

	if *p.SkipPathRegex != "" {
		a.UnauthenticatedRegex = make([]*regexp.Regexp, 0)
		for _, regex := range strings.Split(*p.SkipPathRegex, "\n") {
			re, err := regexp.Compile(regex)
			if err != nil {
				//TODO: maybe create event for this?
				a.log.WithError(err).Warning("failed to compile SkipPathRegex")
			} else {
				a.UnauthenticatedRegex = append(a.UnauthenticatedRegex, re)
	return a, nil

func (a *Application) Mode() api.ProxyMode {
	return *a.proxyConfig.Mode

func (a *Application) HasQuerySignature(r *http.Request) bool {
	if strings.EqualFold(r.URL.Query().Get(CallbackSignature), "true") {
		return true
	if strings.EqualFold(r.URL.Query().Get(LogoutSignature), "true") {
		return true
	return false

func (a *Application) ProxyConfig() api.ProxyOutpostConfig {
	return a.proxyConfig

func (a *Application) ServeHTTP(rw http.ResponseWriter, r *http.Request) {
	a.mux.ServeHTTP(rw, r)

func (a *Application) Stop() {

func (a *Application) handleSignOut(rw http.ResponseWriter, r *http.Request) {
	redirect := a.endpoint.EndSessionEndpoint
	s, err := a.sessions.Get(r, a.SessionName())
	if err != nil {
		a.redirectToStart(rw, r)
	c, exists := s.Values[constants.SessionClaims]
	if c == nil && !exists {
		a.redirectToStart(rw, r)
	cc := c.(Claims)
	uv := url.Values{
		"id_token_hint": []string{cc.RawToken},
	redirect += "?" + uv.Encode()
	err = a.Logout(r.Context(), cc.Sub)
	if err != nil {
		a.log.WithError(err).Warning("failed to logout of other sessions")
	http.Redirect(rw, r, redirect, http.StatusFound)