outposts: fix oauth state when using signature routing (#3616)
* fix oauth state when using signature routing Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org> * more retries Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org> Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
parent
9fb5092fdc
commit
47daaf969a
@ -37,9 +37,11 @@ func (a *Application) forwardHandleTraefik(rw http.ResponseWriter, r *http.Reque
|
||||||
http.Error(rw, "configuration error", http.StatusInternalServerError)
|
http.Error(rw, "configuration error", http.StatusInternalServerError)
|
||||||
return
|
return
|
||||||
}
|
}
|
||||||
|
tr := r.Clone(r.Context())
|
||||||
|
tr.URL = fwd
|
||||||
if strings.EqualFold(fwd.Query().Get(CallbackSignature), "true") {
|
if strings.EqualFold(fwd.Query().Get(CallbackSignature), "true") {
|
||||||
a.log.Debug("handling OAuth Callback from querystring signature")
|
a.log.Debug("handling OAuth Callback from querystring signature")
|
||||||
a.handleAuthCallback(rw, r)
|
a.handleAuthCallback(rw, tr)
|
||||||
return
|
return
|
||||||
} else if strings.EqualFold(fwd.Query().Get(LogoutSignature), "true") {
|
} else if strings.EqualFold(fwd.Query().Get(LogoutSignature), "true") {
|
||||||
a.log.Debug("handling OAuth Logout from querystring signature")
|
a.log.Debug("handling OAuth Logout from querystring signature")
|
||||||
|
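Review bot: The clone-and-dispatch added at the top of forwardHandleTraefik (`tr := r.Clone(r.Context())`, `tr.URL = fwd`, then `a.handleAuthCallback(rw, tr)`) is repeated line for line in forwardHandleCaddy in the hunk starting `@ -88,9 +88,11`, so the fix had to be applied twice and any later adjustment to which branch gets `tr` versus `r` must be kept in sync by hand. Consider moving the signature dispatch into one helper that both handlers call. The reason for the clone is also worth stating at the `tr.URL = fwd` line, e.g. `// tr carries the forwarded URL so the callback reads state/code from the original callback URI, not from the forward-auth request`. forwardHandleTraefik continues outside the hunk, so whether `tr` is still consumed on the handleAuthStart path cannot be confirmed from here.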
@ -57,8 +59,6 @@ func (a *Application) forwardHandleTraefik(rw http.ResponseWriter, r *http.Reque
|
||||||
a.log.Trace("path can be accessed without authentication")
|
a.log.Trace("path can be accessed without authentication")
|
||||||
return
|
return
|
||||||
}
|
}
|
||||||
tr := r.Clone(r.Context())
|
|
||||||
tr.URL = fwd
|
|
||||||
a.handleAuthStart(rw, r)
|
a.handleAuthStart(rw, r)
|
||||||
// set the redirect flag to the current URL we have, since we redirect
|
// set the redirect flag to the current URL we have, since we redirect
|
||||||
// to a (possibly) different domain, but we want to be redirected back
|
// to a (possibly) different domain, but we want to be redirected back
|
||||||
|
@ -88,9 +88,11 @@ func (a *Application) forwardHandleCaddy(rw http.ResponseWriter, r *http.Request
|
||||||
http.Error(rw, "configuration error", http.StatusInternalServerError)
|
http.Error(rw, "configuration error", http.StatusInternalServerError)
|
||||||
return
|
return
|
||||||
}
|
}
|
||||||
|
tr := r.Clone(r.Context())
|
||||||
|
tr.URL = fwd
|
||||||
if strings.EqualFold(fwd.Query().Get(CallbackSignature), "true") {
|
if strings.EqualFold(fwd.Query().Get(CallbackSignature), "true") {
|
||||||
a.log.Debug("handling OAuth Callback from querystring signature")
|
a.log.Debug("handling OAuth Callback from querystring signature")
|
||||||
a.handleAuthCallback(rw, r)
|
a.handleAuthCallback(rw, tr)
|
||||||
return
|
return
|
||||||
} else if strings.EqualFold(fwd.Query().Get(LogoutSignature), "true") {
|
} else if strings.EqualFold(fwd.Query().Get(LogoutSignature), "true") {
|
||||||
a.log.Debug("handling OAuth Logout from querystring signature")
|
a.log.Debug("handling OAuth Logout from querystring signature")
|
||||||
|
@ -108,8 +110,6 @@ func (a *Application) forwardHandleCaddy(rw http.ResponseWriter, r *http.Request
|
||||||
a.log.Trace("path can be accessed without authentication")
|
a.log.Trace("path can be accessed without authentication")
|
||||||
return
|
return
|
||||||
}
|
}
|
||||||
tr := r.Clone(r.Context())
|
|
||||||
tr.URL = fwd
|
|
||||||
a.handleAuthStart(rw, r)
|
a.handleAuthStart(rw, r)
|
||||||
// set the redirect flag to the current URL we have, since we redirect
|
// set the redirect flag to the current URL we have, since we redirect
|
||||||
// to a (possibly) different domain, but we want to be redirected back
|
// to a (possibly) different domain, but we want to be redirected back
|
||||||
|
|
|
@ -78,7 +78,7 @@ func (a *Application) handleAuthCallback(rw http.ResponseWriter, r *http.Request
|
||||||
http.Redirect(rw, r, a.proxyConfig.ExternalHost, http.StatusFound)
|
http.Redirect(rw, r, a.proxyConfig.ExternalHost, http.StatusFound)
|
||||||
return
|
return
|
||||||
}
|
}
|
||||||
claims, err := a.redeemCallback(r, state.([]string))
|
claims, err := a.redeemCallback(state.([]string), r.URL, r.Context())
|
||||||
if err != nil {
|
if err != nil {
|
||||||
a.log.WithError(err).Warning("failed to redeem code")
|
a.log.WithError(err).Warning("failed to redeem code")
|
||||||
rw.WriteHeader(400)
|
rw.WriteHeader(400)
|
||||||
|
|
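Review bot: The rewritten call `a.redeemCallback(state.([]string), r.URL, r.Context())` keeps a single-value type assertion, so a session whose stored state is not a `[]string` (stale or corrupted session data) panics the handler instead of producing a client error. Use the two-value form ahead of the call: `states, ok := state.([]string)` / `if !ok { rw.WriteHeader(http.StatusBadRequest); return }` and pass `states`. handleAuthCallback starts and ends outside the hunk, so the presence check on `state` that precedes this line is not visible here.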
|
@ -3,14 +3,14 @@ package application
|
||||||
import (
|
import (
|
||||||
"context"
|
"context"
|
||||||
"fmt"
|
"fmt"
|
||||||
"net/http"
|
"net/url"
|
||||||
|
|
||||||
log "github.com/sirupsen/logrus"
|
log "github.com/sirupsen/logrus"
|
||||||
"golang.org/x/oauth2"
|
"golang.org/x/oauth2"
|
||||||
)
|
)
|
||||||
|
|
||||||
func (a *Application) redeemCallback(r *http.Request, states []string) (*Claims, error) {
|
func (a *Application) redeemCallback(states []string, u *url.URL, c context.Context) (*Claims, error) {
|
||||||
state := r.URL.Query().Get("state")
|
state := u.Query().Get("state")
|
||||||
if len(states) < 1 {
|
if len(states) < 1 {
|
||||||
return nil, fmt.Errorf("no states")
|
return nil, fmt.Errorf("no states")
|
||||||
}
|
}
|
||||||
|
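Review bot: The new signature `redeemCallback(states []string, u *url.URL, c context.Context)` places the context last and names it `c`, against the Go convention of `ctx context.Context` as the first parameter; the body then introduces a separate local `ctx` in the hunk at `@ -29,12 +29,12` (`ctx := context.WithValue(c, oauth2.HTTPClient, a.httpClient)`), which is easy to misread. Suggest `func (a *Application) redeemCallback(ctx context.Context, states []string, u *url.URL) (*Claims, error)` with `ctx = context.WithValue(ctx, oauth2.HTTPClient, a.httpClient)`, and the caller in handleAuthCallback reordered to match. `u.Query()` is also parsed once for `state` here and again for `code` in the later hunk; a single `q := u.Query()` near the top avoids the repeated parse. The function body continues past the hunk.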
@ -29,12 +29,12 @@ func (a *Application) redeemCallback(r *http.Request, states []string) (*Claims,
|
||||||
return nil, fmt.Errorf("invalid state")
|
return nil, fmt.Errorf("invalid state")
|
||||||
}
|
}
|
||||||
|
|
||||||
code := r.URL.Query().Get("code")
|
code := u.Query().Get("code")
|
||||||
if code == "" {
|
if code == "" {
|
||||||
return nil, fmt.Errorf("blank code")
|
return nil, fmt.Errorf("blank code")
|
||||||
}
|
}
|
||||||
|
|
||||||
ctx := context.WithValue(r.Context(), oauth2.HTTPClient, a.httpClient)
|
ctx := context.WithValue(c, oauth2.HTTPClient, a.httpClient)
|
||||||
// Verify state and errors.
|
// Verify state and errors.
|
||||||
oauth2Token, err := a.oauthConfig.Exchange(ctx, code)
|
oauth2Token, err := a.oauthConfig.Exchange(ctx, code)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
|
|
|
@ -19,7 +19,7 @@ ENV GIT_BUILD_HASH=$GIT_BUILD_HASH
|
||||||
|
|
||||||
COPY --from=builder /go/ldap /
|
COPY --from=builder /go/ldap /
|
||||||
|
|
||||||
HEALTHCHECK --interval=5s --retries=10 --start-period=3s CMD [ "wget", "--spider", "http://localhost:9300/outpost.goauthentik.io/ping" ]
|
HEALTHCHECK --interval=5s --retries=20 --start-period=3s CMD [ "wget", "--spider", "http://localhost:9300/outpost.goauthentik.io/ping" ]
|
||||||
|
|
||||||
EXPOSE 3389 6636 9300
|
EXPOSE 3389 6636 9300
|
||||||
|
|
||||||
|
|
|
@ -32,7 +32,7 @@ COPY --from=web-builder /static/security.txt /web/security.txt
|
||||||
COPY --from=web-builder /static/dist/ /web/dist/
|
COPY --from=web-builder /static/dist/ /web/dist/
|
||||||
COPY --from=web-builder /static/authentik/ /web/authentik/
|
COPY --from=web-builder /static/authentik/ /web/authentik/
|
||||||
|
|
||||||
HEALTHCHECK --interval=5s --retries=10 --start-period=3s CMD [ "wget", "--spider", "http://localhost:9300/outpost.goauthentik.io/ping" ]
|
HEALTHCHECK --interval=5s --retries=20 --start-period=3s CMD [ "wget", "--spider", "http://localhost:9300/outpost.goauthentik.io/ping" ]
|
||||||
|
|
||||||
EXPOSE 9000 9300 9443
|
EXPOSE 9000 9300 9443
|
||||||
|
|
||||||
|
|