providers/proxy: use access token (#8022) Signed-off-by: Jens Langhammer <jens@goauthentik.io> Co-authored-by: Jens L <jens@goauthentik.io>
This commit is contained in:
parent
8b12c6a01a
commit
afe2621783
|
@ -31,16 +31,11 @@ func (a *Application) redeemCallback(savedState string, u *url.URL, c context.Co
|
||||||
return nil, err
|
return nil, err
|
||||||
}
|
}
|
||||||
|
|
||||||
// Extract the ID Token from OAuth2 token.
|
jwt := oauth2Token.AccessToken
|
||||||
rawIDToken, ok := oauth2Token.Extra("id_token").(string)
|
a.log.WithField("jwt", jwt).Trace("access_token")
|
||||||
if !ok {
|
|
||||||
return nil, fmt.Errorf("missing id_token")
|
|
||||||
}
|
|
||||||
|
|
||||||
a.log.WithField("id_token", rawIDToken).Trace("id_token")
|
|
||||||
|
|
||||||
// Parse and verify ID Token payload.
|
// Parse and verify ID Token payload.
|
||||||
idToken, err := a.tokenVerifier.Verify(ctx, rawIDToken)
|
idToken, err := a.tokenVerifier.Verify(ctx, jwt)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return nil, err
|
return nil, err
|
||||||
}
|
}
|
||||||
|
@ -53,6 +48,6 @@ func (a *Application) redeemCallback(savedState string, u *url.URL, c context.Co
|
||||||
if claims.Proxy == nil {
|
if claims.Proxy == nil {
|
||||||
claims.Proxy = &ProxyClaims{}
|
claims.Proxy = &ProxyClaims{}
|
||||||
}
|
}
|
||||||
claims.RawToken = rawIDToken
|
claims.RawToken = jwt
|
||||||
return claims, nil
|
return claims, nil
|
||||||
}
|
}
|
||||||
|
|
|
@ -62,7 +62,7 @@ func (a *Application) getStore(p api.ProxyOutpostConfig, externalHost *url.URL)
|
||||||
// https://github.com/markbates/goth/commit/7276be0fdf719ddff753f3574ef0f967e4a5a5f7
|
// https://github.com/markbates/goth/commit/7276be0fdf719ddff753f3574ef0f967e4a5a5f7
|
||||||
// set the maxLength of the cookies stored on the disk to a larger number to prevent issues with:
|
// set the maxLength of the cookies stored on the disk to a larger number to prevent issues with:
|
||||||
// securecookie: the value is too long
|
// securecookie: the value is too long
|
||||||
// when using OpenID Connect , since this can contain a large amount of extra information in the id_token
|
// when using OpenID Connect, since this can contain a large amount of extra information in the id_token
|
||||||
|
|
||||||
// Note, when using the FilesystemStore only the session.ID is written to a browser cookie, so this is explicit for the storage on disk
|
// Note, when using the FilesystemStore only the session.ID is written to a browser cookie, so this is explicit for the storage on disk
|
||||||
cs.MaxLength(math.MaxInt)
|
cs.MaxLength(math.MaxInt)
|
||||||
|
|
Reference in New Issue