From e5944567e84efc289f69e944425b3371cf124db5 Mon Sep 17 00:00:00 2001 From: Jens Langhammer Date: Thu, 9 Sep 2021 11:00:58 +0200 Subject: [PATCH] outposts/proxy: fix url not being substituted for sign_out Signed-off-by: Jens Langhammer --- .../proxyv2/application/application.go | 44 +++----------- .../outpost/proxyv2/application/endpoint.go | 60 +++++++++++++++++++ 2 files changed, 67 insertions(+), 37 deletions(-) create mode 100644 internal/outpost/proxyv2/application/endpoint.go diff --git a/internal/outpost/proxyv2/application/application.go b/internal/outpost/proxyv2/application/application.go index 9deb51cd7..c025e9b44 100644 --- a/internal/outpost/proxyv2/application/application.go +++ b/internal/outpost/proxyv2/application/application.go @@ -7,7 +7,6 @@ import ( "fmt" "net/http" "net/url" - "os" "regexp" "strings" "time" @@ -31,6 +30,7 @@ type Application struct { Cert *tls.Certificate UnauthenticatedRegex []*regexp.Regexp + endpint OIDCEndpoint oauthConfig oauth2.Config tokenVerifier *oidc.IDTokenVerifier @@ -42,38 +42,6 @@ type Application struct { mux *mux.Router } -func akProviderToEndpoint(p api.ProxyOutpostConfig, authentikHost string) oauth2.Endpoint { - authUrl := p.OidcConfiguration.AuthorizationEndpoint - if browserHost, found := os.LookupEnv("AUTHENTIK_HOST_BROWSER"); found { - host := os.Getenv("AUTHENTIK_HOST") - authUrl = strings.ReplaceAll(authUrl, host, browserHost) - } - ep := oauth2.Endpoint{ - AuthURL: authUrl, - TokenURL: p.OidcConfiguration.TokenEndpoint, - AuthStyle: oauth2.AuthStyleInParams, - } - u, err := url.Parse(authUrl) - if err != nil { - return ep - } - if u.Host != "localhost:8000" { - return ep - } - if authentikHost == "" { - log.Warning("Outpost has localhost/blank API Connection but no authentik_host is configured.") - return ep - } - aku, err := url.Parse(authentikHost) - if err != nil { - return ep - } - u.Host = aku.Host - u.Scheme = aku.Scheme - ep.AuthURL = u.String() - return ep -} - func NewApplication(p api.ProxyOutpostConfig, c *http.Client, cs *ak.CryptoStore, akHost string) *Application { gob.Register(Claims{}) @@ -98,17 +66,19 @@ func NewApplication(p api.ProxyOutpostConfig, c *http.Client, cs *ak.CryptoStore }) // Configure an OpenID Connect aware OAuth2 client. + endpoint := GetOIDCEndpoint(p, akHost) oauth2Config := oauth2.Config{ ClientID: *p.ClientId, ClientSecret: *p.ClientSecret, RedirectURL: fmt.Sprintf("%s/akprox/callback", p.ExternalHost), - Endpoint: akProviderToEndpoint(p, akHost), + Endpoint: endpoint.Endpoint, Scopes: []string{oidc.ScopeOpenID, "profile", "email", "ak_proxy"}, } mux := mux.NewRouter() a := &Application{ Host: externalHost.Host, log: log.WithField("logger", "authentik.outpost.proxy.bundle").WithField("provider", p.Name), + endpint: endpoint, oauthConfig: oauth2Config, tokenVerifier: verifier, sessions: GetStore(p), @@ -214,14 +184,14 @@ func (a *Application) handleSignOut(rw http.ResponseWriter, r *http.Request) { // TODO: Token revocation s, err := a.sessions.Get(r, constants.SeesionName) if err != nil { - http.Redirect(rw, r, a.proxyConfig.OidcConfiguration.EndSessionEndpoint, http.StatusFound) + http.Redirect(rw, r, a.endpint.EndSessionEndpoint, http.StatusFound) return } s.Options.MaxAge = -1 err = s.Save(r, rw) if err != nil { - http.Redirect(rw, r, a.proxyConfig.OidcConfiguration.EndSessionEndpoint, http.StatusFound) + http.Redirect(rw, r, a.endpint.EndSessionEndpoint, http.StatusFound) return } - http.Redirect(rw, r, a.proxyConfig.OidcConfiguration.EndSessionEndpoint, http.StatusFound) + http.Redirect(rw, r, a.endpint.EndSessionEndpoint, http.StatusFound) } diff --git a/internal/outpost/proxyv2/application/endpoint.go b/internal/outpost/proxyv2/application/endpoint.go new file mode 100644 index 000000000..e11c4e031 --- /dev/null +++ b/internal/outpost/proxyv2/application/endpoint.go @@ -0,0 +1,60 @@ +package application + +import ( + "net/url" + "os" + "strings" + + log "github.com/sirupsen/logrus" + "goauthentik.io/api" + "golang.org/x/oauth2" +) + +type OIDCEndpoint struct { + oauth2.Endpoint + EndSessionEndpoint string +} + +func GetOIDCEndpoint(p api.ProxyOutpostConfig, authentikHost string) OIDCEndpoint { + authUrl := p.OidcConfiguration.AuthorizationEndpoint + endUrl := p.OidcConfiguration.EndSessionEndpoint + if browserHost, found := os.LookupEnv("AUTHENTIK_HOST_BROWSER"); found { + host := os.Getenv("AUTHENTIK_HOST") + authUrl = strings.ReplaceAll(authUrl, host, browserHost) + endUrl = strings.ReplaceAll(endUrl, host, browserHost) + } + ep := OIDCEndpoint{ + Endpoint: oauth2.Endpoint{ + AuthURL: authUrl, + TokenURL: p.OidcConfiguration.TokenEndpoint, + AuthStyle: oauth2.AuthStyleInParams, + }, + EndSessionEndpoint: endUrl, + } + authU, err := url.Parse(authUrl) + if err != nil { + return ep + } + endU, err := url.Parse(endUrl) + if err != nil { + return ep + } + if authU.Host != "localhost:8000" { + return ep + } + if authentikHost == "" { + log.Warning("Outpost has localhost/blank API Connection but no authentik_host is configured.") + return ep + } + aku, err := url.Parse(authentikHost) + if err != nil { + return ep + } + authU.Host = aku.Host + authU.Scheme = aku.Scheme + endU.Host = aku.Host + endU.Scheme = aku.Scheme + ep.AuthURL = authU.String() + ep.EndSessionEndpoint = endU.String() + return ep +}