outposts/proxy: fix error handling, remove requirement for profile/etc scopes

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

internal/outpost/proxyv2/application/application.go

@@ -104,23 +104,18 @@ func NewApplication(p api.ProxyOutpostConfig, c *http.Client, cs *ak.CryptoStore
 	}
 	a.sessions = a.getStore(p, externalHost)
 	mux.Use(web.NewLoggingHandler(muxLogger, func(l *log.Entry, r *http.Request) *log.Entry {
-		s, err := a.sessions.Get(r, constants.SessionName)
+		c := a.getClaimsFromSession(r)
-		if err != nil {
+		if c == nil {
 			return l
 		}
-		claims, ok := s.Values[constants.SessionClaims]
+		if c.PreferredUsername != "" {
-		if claims == nil || !ok {
+			return l.WithField("request_username", c.PreferredUsername)
-			return l
 		}
-		c, ok := claims.(Claims)
+		return l.WithField("request_username", c.Sub)
-		if !ok {
-			return l
-		}
-		return l.WithField("request_username", c.PreferredUsername)
 	}))
 	mux.Use(func(inner http.Handler) http.Handler {
 		return http.HandlerFunc(func(rw http.ResponseWriter, r *http.Request) {
-			c, _ := a.checkAuth(rw, r)
+			c := a.getClaimsFromSession(r)
 			user := ""
 			if c != nil {
 				user = c.PreferredUsername

internal/outpost/proxyv2/application/auth_bearer.go

@@ -52,10 +52,6 @@ func (a *Application) attemptBearerAuth(r *http.Request, token string) *TokenInt
 		a.log.Warning("token is not active")
 		return nil
 	}
-	if !strings.Contains(intro.Scope, "openid") || !strings.Contains(intro.Scope, "profile") {
-		a.log.Error("token missing openid or profile scope")
-		return nil
-	}
 	intro.RawToken = token
 	a.log.Trace("successfully introspected bearer token")
 	return &intro

internal/outpost/proxyv2/application/mode_common.go

@@ -29,6 +29,9 @@ func (a *Application) addHeaders(headers http.Header, c *Claims) {
 	headers.Set("X-authentik-meta-app", a.proxyConfig.AssignedApplicationSlug)
 	headers.Set("X-authentik-meta-version", constants.OutpostUserAgent())
 
+	if c.Proxy == nil {
+		return
+	}
 	userAttributes := c.Proxy.UserAttributes
 	// Attempt to set basic auth based on user's attributes
 	if *a.proxyConfig.BasicAuthEnabled {

internal/outpost/proxyv2/application/mode_proxy.go

@@ -33,6 +33,13 @@ func (a *Application) configureProxy() error {
 	rp.ErrorHandler = a.newProxyErrorHandler()
 	rp.ModifyResponse = a.proxyModifyResponse
 	a.mux.PathPrefix("/").HandlerFunc(func(rw http.ResponseWriter, r *http.Request) {
+		defer func() {
+			err := recover()
+			if err == nil || err == http.ErrAbortHandler {
+				return
+			}
+			log.WithError(err.(error)).Error("recover in reverse proxy")
+		}()
 		claims, err := a.checkAuth(rw, r)
 		if claims == nil && a.IsAllowlisted(r.URL) {
 			a.log.Trace("path can be accessed without authentication")
@@ -45,13 +52,6 @@ func (a *Application) configureProxy() error {
 		}
 		before := time.Now()
 		rp.ServeHTTP(rw, r)
-		defer func() {
-			err := recover()
-			if err == nil || err == http.ErrAbortHandler {
-				return
-			}
-			log.WithError(err.(error)).Error("recover in reverse proxy")
-		}()
 		after := time.Since(before)
 
 		metrics.UpstreamTiming.With(prometheus.Labels{
@@ -68,9 +68,9 @@ func (a *Application) configureProxy() error {
 func (a *Application) proxyModifyRequest(ou *url.URL) func(req *http.Request) {
 	return func(r *http.Request) {
 		r.Header.Set("X-Forwarded-Host", r.Host)
-		claims, _ := a.checkAuth(nil, r)
 		r.URL.Scheme = ou.Scheme
 		r.URL.Host = ou.Host
+		claims := a.getClaimsFromSession(r)
 		if claims != nil && claims.Proxy != nil && claims.Proxy.BackendOverride != "" {
 			u, err := url.Parse(claims.Proxy.BackendOverride)
 			if err != nil {
@@ -85,6 +85,6 @@ func (a *Application) proxyModifyRequest(ou *url.URL) func(req *http.Request) {
 }
 
 func (a *Application) proxyModifyResponse(res *http.Response) error {
-	res.Header.Set("X-Powered-By", "authentik_proxy2")
+	res.Header.Set("X-Powered-By", "goauthentik.io")
 	return nil
 }