providers/proxy: fix issuer for embedded outpost (#4480)

fix issuer for embedded outpost

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

internal/outpost/proxyv2/application/application.go

@@ -70,19 +70,29 @@ func NewApplication(p api.ProxyOutpostConfig, c *http.Client, cs *ak.CryptoStore
 		ks = oidc.NewRemoteKeySet(ctx, p.OidcConfiguration.JwksUri)
 	}
 
-	var verifier = oidc.NewVerifier(p.OidcConfiguration.Issuer, ks, &oidc.Config{
-		ClientID:             *p.ClientId,
-		SupportedSigningAlgs: []string{"RS256", "HS256"},
-	})
-
 	redirectUri, _ := url.Parse(p.ExternalHost)
 	redirectUri.Path = path.Join(redirectUri.Path, "/outpost.goauthentik.io/callback")
 	redirectUri.RawQuery = url.Values{
 		CallbackSignature: []string{"true"},
 	}.Encode()
 
+	managed := false
+	if ak.Outpost.Managed.IsSet() {
+		m := *ak.Outpost.Managed.Get()
+		managed = m == "goauthentik.io/outposts/embedded"
+	}
 	// Configure an OpenID Connect aware OAuth2 client.
-	endpoint := GetOIDCEndpoint(p, ak.Outpost.Config["authentik_host"].(string))
+	endpoint := GetOIDCEndpoint(
+		p,
+		ak.Outpost.Config["authentik_host"].(string),
+		managed,
+	)
+
+	verifier := oidc.NewVerifier(endpoint.Issuer, ks, &oidc.Config{
+		ClientID:             *p.ClientId,
+		SupportedSigningAlgs: []string{"RS256", "HS256"},
+	})
+
 	oauth2Config := oauth2.Config{
 		ClientID:     *p.ClientId,
 		ClientSecret: *p.ClientSecret,

internal/outpost/proxyv2/application/endpoint.go

@@ -15,11 +15,23 @@ type OIDCEndpoint struct {
 	TokenIntrospection string
 	EndSessionEndpoint string
 	JwksUri            string
+	Issuer             string
 }
 
-func GetOIDCEndpoint(p api.ProxyOutpostConfig, authentikHost string) OIDCEndpoint {
+func updateURL(rawUrl string, scheme string, host string) string {
+	u, err := url.Parse(rawUrl)
+	if err != nil {
+		return rawUrl
+	}
+	u.Host = host
+	u.Scheme = scheme
+	return u.String()
+}
+
+func GetOIDCEndpoint(p api.ProxyOutpostConfig, authentikHost string, embedded bool) OIDCEndpoint {
 	authUrl := p.OidcConfiguration.AuthorizationEndpoint
 	endUrl := p.OidcConfiguration.EndSessionEndpoint
+	tokenUrl := p.OidcConfiguration.TokenEndpoint
 	jwksUrl := p.OidcConfiguration.JwksUri
 	if browserHost, found := os.LookupEnv("AUTHENTIK_HOST_BROWSER"); found && browserHost != "" {
 		host := os.Getenv("AUTHENTIK_HOST")
@@ -30,26 +42,15 @@ func GetOIDCEndpoint(p api.ProxyOutpostConfig, authentikHost string) OIDCEndpoin
 	ep := OIDCEndpoint{
 		Endpoint: oauth2.Endpoint{
 			AuthURL:   authUrl,
-			TokenURL:  p.OidcConfiguration.TokenEndpoint,
+			TokenURL:  tokenUrl,
 			AuthStyle: oauth2.AuthStyleInParams,
 		},
 		EndSessionEndpoint: endUrl,
 		JwksUri:            jwksUrl,
 		TokenIntrospection: p.OidcConfiguration.IntrospectionEndpoint,
+		Issuer:             p.OidcConfiguration.Issuer,
 	}
-	authU, err := url.Parse(authUrl)
-	if err != nil {
-		return ep
-	}
-	endU, err := url.Parse(endUrl)
-	if err != nil {
-		return ep
-	}
-	jwksU, err := url.Parse(jwksUrl)
-	if err != nil {
-		return ep
-	}
-	if authU.Host != "localhost:8000" {
+	if !embedded {
 		return ep
 	}
 	if authentikHost == "" {
@@ -60,14 +61,10 @@ func GetOIDCEndpoint(p api.ProxyOutpostConfig, authentikHost string) OIDCEndpoin
 	if err != nil {
 		return ep
 	}
-	authU.Host = aku.Host
-	authU.Scheme = aku.Scheme
-	endU.Host = aku.Host
-	endU.Scheme = aku.Scheme
-	jwksU.Host = aku.Host
-	jwksU.Scheme = aku.Scheme
-	ep.AuthURL = authU.String()
-	ep.EndSessionEndpoint = endU.String()
-	ep.JwksUri = jwksU.String()
+	ep.AuthURL = updateURL(authUrl, aku.Scheme, aku.Host)
+	ep.EndSessionEndpoint = updateURL(endUrl, aku.Scheme, aku.Host)
+	ep.JwksUri = updateURL(jwksUrl, aku.Scheme, aku.Host)
+	ep.TokenURL = updateURL(tokenUrl, aku.Scheme, aku.Host)
+	ep.Issuer = updateURL(ep.Issuer, aku.Scheme, aku.Host)
 	return ep
 }