Commit Graph

139 Commits

Author SHA1 Message Date
Jens L ef028af7d1
providers/proxy: rework endpoints logic (#4993)
* providers/proxy: rework endpoints logic

again...this time with tests and better logic

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* fix tests

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

---------

Signed-off-by: Jens Langhammer <jens@goauthentik.io>
2023-03-18 18:51:20 +01:00
Jens Langhammer f70be86ddc
providers/proxy: strip scheme when comparing redirect URL
Signed-off-by: Jens Langhammer <jens@goauthentik.io>
2023-02-20 21:22:26 +01:00
Jens Langhammer 9f431396c0
providers/proxy: ensure issuer is correct when browser url override is set
Signed-off-by: Jens Langhammer <jens@goauthentik.io>

#4715
2023-02-19 17:35:29 +01:00
Jens Langhammer b6c120f555
providers/proxy: fix client credential flows not using http interceptor
Signed-off-by: Jens Langhammer <jens@goauthentik.io>
2023-02-15 00:22:56 +01:00
Jens L ec42b597ab
providers/proxy: send token request internally, with overwritten host header (#4675)
* send token request internally, with overwritten host header

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* fix

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

---------

Signed-off-by: Jens Langhammer <jens@goauthentik.io>
2023-02-13 16:34:47 +01:00
Jens Langhammer 8f70354e3c
internal: remove debug remnant from cookie testing
Signed-off-by: Jens Langhammer <jens@goauthentik.io>
2023-02-12 17:29:18 +01:00
Jens L 21e29744c2
providers/proxy: different cookie name based on hashed client id (#4666) 2023-02-12 16:34:57 +01:00
Jens L af43330fd6
providers/oauth2: rework OAuth2 Provider (#4652)
* always treat flow as openid flow

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* improve issuer URL generation

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* more refactoring

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* update introspection

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* more refinement

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* migrate more

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* fix more things, update api

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* regen migrations

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* fix a bunch of things

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* start updating tests

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* fix implicit flow, auto set exp

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* fix timeozone not used correctly

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* fix revoke

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* more timezone shenanigans

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* fix userinfo tests

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* update web

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* fix proxy outpost

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* fix api tests

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* fix missing at_hash for implicit flows

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* fix tests

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* re-include at_hash in implicit auth flow

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* use folder context for outpost build

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

---------

Signed-off-by: Jens Langhammer <jens@goauthentik.io>
2023-02-09 20:19:48 +01:00
Jens Langhammer 3170b2f92c
providers/proxy: add token support for basic auth
Signed-off-by: Jens Langhammer <jens@goauthentik.io>
2023-02-07 22:50:49 +01:00
Jens Langhammer 61b06eff06
providers/proxy: better log outpost token errors
Signed-off-by: Jens Langhammer <jens@goauthentik.io>
2023-02-06 20:26:43 +01:00
Jens Langhammer 388367785d
*/saml: disable pretty_print, add signature tests
closes #4536

Signed-off-by: Jens Langhammer <jens@goauthentik.io>
2023-02-03 15:42:09 +01:00
Jens L 7d4ce41e12
providers/proxy: outpost wide logout implementation (#4605)
* initial outpost wide logout implementation

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* handle deserialize error

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* update docs

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* fix file cleanup, add tests

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* fix tests

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

---------

Signed-off-by: Jens Langhammer <jens@goauthentik.io>
2023-02-02 21:18:59 +01:00
Jens Langhammer 43854dc828
outposts/proxy: fix panic due to IsSet misbehaving
Signed-off-by: Jens Langhammer <jens@goauthentik.io>
2023-01-19 18:22:55 +01:00
Jens L c11367553e
providers/proxy: fix issuer for embedded outpost (#4480)
fix issuer for embedded outpost

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

Signed-off-by: Jens Langhammer <jens@goauthentik.io>
2023-01-19 15:39:30 +01:00
Jens L 23c69c456a
providers/proxy: add setting to intercept authorization header (#4457)
* add setting to intercept authorization header

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* rename to intercept_header_auth

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

Signed-off-by: Jens Langhammer <jens@goauthentik.io>
2023-01-17 18:56:48 +01:00
Jens Langhammer 19ee98b36d
outposts/proxy: allow setting no-redirect via header or query param
closes #4455

Signed-off-by: Jens Langhammer <jens@goauthentik.io>
2023-01-17 10:56:43 +01:00
Jens Langhammer 9b2ceb0d44
outposts/proxy: make logged user more consistent, set FlushInterval
Signed-off-by: Jens Langhammer <jens@goauthentik.io>
2023-01-14 23:58:15 +01:00
Jens Langhammer 69d4719687
outposts/proxy: set http code when no redirect header is set
Signed-off-by: Jens Langhammer <jens@goauthentik.io>
2023-01-14 22:20:52 +01:00
Jens Langhammer d31e566873
outposts/proxy: add header to prevent redirects
Signed-off-by: Jens Langhammer <jens@goauthentik.io>
2023-01-14 22:18:25 +01:00
Jens Langhammer 0ddcefce80
outposts/proxy: cache basic and bearer credentials for one minute
Signed-off-by: Jens Langhammer <jens@goauthentik.io>
2023-01-14 22:12:48 +01:00
Jens Langhammer 4c45d35507
outposts/proxy: fix error handling, remove requirement for profile/etc scopes
Signed-off-by: Jens Langhammer <jens@goauthentik.io>
2023-01-14 21:44:28 +01:00
Jens Langhammer 829e49275d
outposts/proxy: fix proxy's TokenIntrospection potentially not being set
Signed-off-by: Jens Langhammer <jens@goauthentik.io>
2023-01-14 20:54:34 +01:00
Jens L cd12e177ea
providers/proxy: add initial header token auth (#4421)
* initial implementation

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* check for openid/profile claims

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* include jwks sources in proxy provider

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* add web ui for jwks

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* only show sources with JWKS data configured

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* fix introspection tests

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* start basic

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* add basic auth

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* add docs, update admonitions

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* add client_id to api, add tab for auth

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* update locale

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

Signed-off-by: Jens Langhammer <jens@goauthentik.io>
2023-01-13 16:22:03 +01:00
Jens Langhammer b3da1d223c providers/proxy: correctly set id_token_hint if possible
Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
2022-12-12 19:02:37 +00:00
Jens L 55aa1897af
root: use single redis db (#4009)
* use single redis db

Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>

* cleanup prefixes

Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>

* ensure __str__ always returns string

Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>

* fix remaining old prefixes

Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>

* add release notes

Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>

Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
2022-11-15 14:31:29 +01:00
Jens L d53733b6fc
outposts/proxy: reduce possibility for redirect loops, keep single state (#3831)
use single state, redirect when start url is hit with active session

Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>

Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
2022-10-20 21:27:34 +02:00
Jens L 49b6aabb02
outposts/proxy: fix redirect path when external host is a subdirectory (#3628)
fix redirect path when external host is a subdirectory

Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>

Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
2022-09-22 10:10:29 +02:00
Jens L 47daaf969a
outposts: fix oauth state when using signature routing (#3616)
* fix oauth state when using signature routing

Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>

* more retires

Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>

Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
2022-09-19 21:38:34 +02:00
Jens Langhammer 220f123b29 internal: add more tracing for states
Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
2022-09-07 09:53:10 +02:00
Jens Langhammer 8e7a456f74 providers/proxy: fix routing based on signature in traefik and caddy
Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
2022-09-02 22:03:08 +02:00
Jens Langhammer 8ffae4505f internal: set Host on url in envoy
Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
2022-08-18 23:20:12 +01:00
Jens Langhammer 0cc83c23c4 providers/proxy: fix duplicate proxy set default
Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
2022-08-18 21:13:45 +01:00
Jens Langhammer 514c48a986 internal: fix routing for requests with querystring signature to embedded outpost
Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
2022-08-18 20:43:01 +02:00
Jens Langhammer 201bea6d30 internal: add X-authentik-logout signature to trigger logouts when URLs are not exposed
Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
2022-08-07 18:50:24 +02:00
Jens Langhammer fcf4657833 providers/proxy: add is_superuser to ak_proxy object, only show full error when superuser
closes #3314

Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
2022-07-30 20:29:23 +02:00
Jens L 393d7ec486
providers/proxy: no exposed urls (#3151)
* test any callback

Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>

* cleanup

Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>

* dont detect callback in per-server handler

Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>

* use full redirect uri with both path and query param

Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>

* update tests

Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>

* correctly route to embedded outpost for callback signature

Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>

* fix allowed redirects

Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
2022-07-30 17:51:01 +02:00
Jens L b41acebf5b
providers/proxy: add caddy endpoint (#3330)
Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
2022-07-29 10:58:53 +02:00
Jens Langhammer 10b48b27b0 internal: walk config in go, check, parse and load from scheme like in python
closes #2719

Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
2022-07-26 11:33:37 +02:00
Jens Langhammer 41eb44137e internal: remove pkg/errors 2022-07-05 20:26:33 +00:00
Jens Langhammer b6267fdf28 *: add versioned user agent to sentry
Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
2022-06-20 11:54:10 +02:00
Jens Langhammer 79bec6f6b2 providers/proxy: only send misconfiguration event once
Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
2022-06-16 10:32:34 +02:00
Jens Langhammer e30103aa9f providers/proxy: use same redirect-save code for all modes
Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
2022-06-04 23:25:47 +02:00
Jens L 8447e9b9c2
providers/proxy: envoy v2 (#3029)
* add path prefix

Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>

* use prefix correctly

Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>

* only set redirect if session doesn't have a redirect yet

Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
2022-06-03 10:32:52 +02:00
Jens L f9a419107a
outposts/proxyv2: add basic envoy support (#3026)
* outposts/proxyv2: add basic envoy support

Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>

* don't crash when backend is not available

Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>

* add envoy tests and docs

Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
2022-06-03 00:06:09 +02:00
Jens L 3eb466ff4b
lifecycle: cleanup prometheus (#2972)
* remove high cardinality labels

Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>

* retry worker number for prometheus multiprocess id

Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>

* revert to pid, use subdirectories

Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>

* cleanup more

Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>

* use worker id based off of https://github.com/benoitc/gunicorn/issues/1352

Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>

* fix missing app label

Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>

* tests/e2e: remove static names

Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>

* fix

Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
2022-05-29 21:45:25 +02:00
Jens L a286f999e2
api: migrate to openapi generator v6 (#2968)
* migrate to openapi generator v6

Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>

* bump api

Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
2022-05-26 15:15:30 +02:00
Jens Langhammer 646d174dd2 internal: revert cookie path on proxy causing redirect loops
Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
2022-05-21 16:26:12 +02:00
Jens Langhammer ebb44c992b Revert "internal: set SameSite for outpost"
This reverts commit 7e95c756b9.
2022-05-21 14:08:40 +02:00
Jens Langhammer 7e95c756b9 internal: set SameSite for outpost
Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
2022-05-21 13:21:45 +02:00
Jens Langhammer be26b92927 internal: cleanup outpost logs
Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
2022-05-21 13:18:06 +02:00