feat(authn-oidc): allow for dynamic post-logout redirection
All checks were successful
Cadoles/bouncer/pipeline/head This commit looks good
All checks were successful
Cadoles/bouncer/pipeline/head This commit looks good
This commit is contained in:
@ -7,6 +7,8 @@ import (
|
||||
"fmt"
|
||||
"net/http"
|
||||
"net/url"
|
||||
"slices"
|
||||
"strings"
|
||||
"text/template"
|
||||
"time"
|
||||
|
||||
@ -35,9 +37,7 @@ func (a *Authenticator) PreAuthentication(w http.ResponseWriter, r *http.Request
|
||||
return errors.WithStack(err)
|
||||
}
|
||||
|
||||
baseURL := originalURL.Scheme + "://" + originalURL.Host
|
||||
|
||||
options, err := fromStoreOptions(layer.Options, baseURL)
|
||||
options, err := fromStoreOptions(layer.Options)
|
||||
if err != nil {
|
||||
return errors.WithStack(err)
|
||||
}
|
||||
@ -47,7 +47,7 @@ func (a *Authenticator) PreAuthentication(w http.ResponseWriter, r *http.Request
|
||||
logger.Error(ctx, "could not retrieve session", logger.E(errors.WithStack(err)))
|
||||
}
|
||||
|
||||
loginCallbackURL, err := a.getLoginCallbackURL(layer.Proxy, layer.Name, options)
|
||||
loginCallbackURL, err := a.getLoginCallbackURL(originalURL, layer.Proxy, layer.Name, options)
|
||||
if err != nil {
|
||||
return errors.WithStack(err)
|
||||
}
|
||||
@ -57,20 +57,20 @@ func (a *Authenticator) PreAuthentication(w http.ResponseWriter, r *http.Request
|
||||
return errors.WithStack(err)
|
||||
}
|
||||
|
||||
loginCallbackURLPattern, err := a.templatize(options.OIDC.MatchLoginCallbackURL, layer.Proxy, layer.Name)
|
||||
loginCallbackPathPattern, err := a.templatize(options.OIDC.MatchLoginCallbackPath, layer.Proxy, layer.Name)
|
||||
if err != nil {
|
||||
return errors.WithStack(err)
|
||||
}
|
||||
|
||||
logoutURLPattern, err := a.templatize(options.OIDC.MatchLogoutURL, layer.Proxy, layer.Name)
|
||||
logoutPathPattern, err := a.templatize(options.OIDC.MatchLogoutPath, layer.Proxy, layer.Name)
|
||||
if err != nil {
|
||||
return errors.WithStack(err)
|
||||
}
|
||||
|
||||
logger.Debug(ctx, "checking url", logger.F("loginCallbackURLPattern", loginCallbackURLPattern), logger.F("logoutURLPattern", logoutURLPattern))
|
||||
logger.Debug(ctx, "checking url", logger.F("loginCallbackPathPattern", loginCallbackPathPattern), logger.F("logoutPathPattern", logoutPathPattern))
|
||||
|
||||
switch {
|
||||
case wildcard.Match(originalURL.String(), loginCallbackURLPattern):
|
||||
case wildcard.Match(originalURL.Path, loginCallbackPathPattern):
|
||||
if err := client.HandleCallback(w, r, sess); err != nil {
|
||||
return errors.WithStack(err)
|
||||
}
|
||||
@ -80,10 +80,23 @@ func (a *Authenticator) PreAuthentication(w http.ResponseWriter, r *http.Request
|
||||
metricLabelProxy: string(layer.Proxy),
|
||||
}).Add(1)
|
||||
|
||||
case wildcard.Match(originalURL.String(), logoutURLPattern):
|
||||
postLogoutRedirectURL := options.OIDC.PostLogoutRedirectURL
|
||||
if options.OIDC.PostLogoutRedirectURL == "" {
|
||||
postLogoutRedirectURL = originalURL.Scheme + "://" + originalURL.Host
|
||||
case wildcard.Match(originalURL.Path, logoutPathPattern):
|
||||
postLogoutRedirectURL := r.URL.Query().Get("redirect")
|
||||
|
||||
if postLogoutRedirectURL != "" {
|
||||
isAuthorized := slices.Contains(options.OIDC.PostLogoutRedirectURLs, postLogoutRedirectURL)
|
||||
if !isAuthorized {
|
||||
http.Error(w, "unauthorized post-logout redirect", http.StatusBadRequest)
|
||||
return errors.WithStack(authn.ErrSkipRequest)
|
||||
}
|
||||
}
|
||||
|
||||
if postLogoutRedirectURL == "" {
|
||||
if options.OIDC.PublicBaseURL != "" {
|
||||
postLogoutRedirectURL = options.OIDC.PublicBaseURL
|
||||
} else {
|
||||
postLogoutRedirectURL = originalURL.Scheme + "://" + originalURL.Host
|
||||
}
|
||||
}
|
||||
|
||||
if err := client.HandleLogout(w, r, sess, postLogoutRedirectURL); err != nil {
|
||||
@ -103,14 +116,7 @@ func (a *Authenticator) PreAuthentication(w http.ResponseWriter, r *http.Request
|
||||
func (a *Authenticator) Authenticate(w http.ResponseWriter, r *http.Request, layer *store.Layer) (*authn.User, error) {
|
||||
ctx := r.Context()
|
||||
|
||||
originalURL, err := director.OriginalURL(ctx)
|
||||
if err != nil {
|
||||
return nil, errors.WithStack(err)
|
||||
}
|
||||
|
||||
baseURL := originalURL.Scheme + "://" + originalURL.Host
|
||||
|
||||
options, err := fromStoreOptions(layer.Options, baseURL)
|
||||
options, err := fromStoreOptions(layer.Options)
|
||||
if err != nil {
|
||||
return nil, errors.WithStack(err)
|
||||
}
|
||||
@ -142,7 +148,12 @@ func (a *Authenticator) Authenticate(w http.ResponseWriter, r *http.Request, lay
|
||||
sess.Options.SameSite = http.SameSiteDefaultMode
|
||||
}
|
||||
|
||||
loginCallbackURL, err := a.getLoginCallbackURL(layer.Proxy, layer.Name, options)
|
||||
originalURL, err := director.OriginalURL(ctx)
|
||||
if err != nil {
|
||||
return nil, errors.WithStack(err)
|
||||
}
|
||||
|
||||
loginCallbackURL, err := a.getLoginCallbackURL(originalURL, layer.Proxy, layer.Name, options)
|
||||
if err != nil {
|
||||
return nil, errors.WithStack(err)
|
||||
}
|
||||
@ -152,7 +163,12 @@ func (a *Authenticator) Authenticate(w http.ResponseWriter, r *http.Request, lay
|
||||
return nil, errors.WithStack(err)
|
||||
}
|
||||
|
||||
idToken, err := client.Authenticate(w, r, sess)
|
||||
postLoginRedirectURL, err := a.mergeURL(originalURL, originalURL.Path, options.OIDC.PublicBaseURL, true)
|
||||
if err != nil {
|
||||
return nil, errors.WithStack(err)
|
||||
}
|
||||
|
||||
idToken, err := client.Authenticate(w, r, sess, postLoginRedirectURL.String())
|
||||
if err != nil {
|
||||
if errors.Is(err, ErrLoginRequired) {
|
||||
metricLoginRequestsTotal.With(prometheus.Labels{
|
||||
@ -166,7 +182,7 @@ func (a *Authenticator) Authenticate(w http.ResponseWriter, r *http.Request, lay
|
||||
return nil, errors.WithStack(err)
|
||||
}
|
||||
|
||||
user, err := a.toUser(idToken, layer.Proxy, layer.Name, options, sess)
|
||||
user, err := a.toUser(originalURL, idToken, layer.Proxy, layer.Name, options, sess)
|
||||
if err != nil {
|
||||
return nil, errors.WithStack(err)
|
||||
}
|
||||
@ -224,7 +240,7 @@ func (c claims) AsAttrs() map[string]any {
|
||||
return attrs
|
||||
}
|
||||
|
||||
func (a *Authenticator) toUser(idToken *oidc.IDToken, proxyName store.ProxyName, layerName store.LayerName, options *LayerOptions, sess *sessions.Session) (*authn.User, error) {
|
||||
func (a *Authenticator) toUser(originalURL *url.URL, idToken *oidc.IDToken, proxyName store.ProxyName, layerName store.LayerName, options *LayerOptions, sess *sessions.Session) (*authn.User, error) {
|
||||
var claims claims
|
||||
|
||||
if err := idToken.Claims(&claims); err != nil {
|
||||
@ -237,7 +253,7 @@ func (a *Authenticator) toUser(idToken *oidc.IDToken, proxyName store.ProxyName,
|
||||
|
||||
attrs := claims.AsAttrs()
|
||||
|
||||
logoutURL, err := a.getLogoutURL(proxyName, layerName, options)
|
||||
logoutURL, err := a.getLogoutURL(originalURL, proxyName, layerName, options)
|
||||
if err != nil {
|
||||
return nil, errors.WithStack(err)
|
||||
}
|
||||
@ -261,36 +277,65 @@ func (a *Authenticator) toUser(idToken *oidc.IDToken, proxyName store.ProxyName,
|
||||
return user, nil
|
||||
}
|
||||
|
||||
func (a *Authenticator) getLoginCallbackURL(proxyName store.ProxyName, layerName store.LayerName, options *LayerOptions) (*url.URL, error) {
|
||||
url, err := a.generateURL(options.OIDC.LoginCallbackURL, proxyName, layerName)
|
||||
func (a *Authenticator) getLoginCallbackURL(originalURL *url.URL, proxyName store.ProxyName, layerName store.LayerName, options *LayerOptions) (*url.URL, error) {
|
||||
path, err := a.templatize(options.OIDC.LoginCallbackPath, proxyName, layerName)
|
||||
if err != nil {
|
||||
return nil, errors.WithStack(err)
|
||||
}
|
||||
|
||||
return url, nil
|
||||
merged, err := a.mergeURL(originalURL, path, options.OIDC.PublicBaseURL, false)
|
||||
if err != nil {
|
||||
return nil, errors.WithStack(err)
|
||||
}
|
||||
|
||||
return merged, nil
|
||||
}
|
||||
|
||||
func (a *Authenticator) getLogoutURL(proxyName store.ProxyName, layerName store.LayerName, options *LayerOptions) (*url.URL, error) {
|
||||
url, err := a.generateURL(options.OIDC.LogoutURL, proxyName, layerName)
|
||||
func (a *Authenticator) getLogoutURL(originalURL *url.URL, proxyName store.ProxyName, layerName store.LayerName, options *LayerOptions) (*url.URL, error) {
|
||||
path, err := a.templatize(options.OIDC.LogoutPath, proxyName, layerName)
|
||||
if err != nil {
|
||||
return nil, errors.WithStack(err)
|
||||
}
|
||||
|
||||
return url, nil
|
||||
merged, err := a.mergeURL(originalURL, path, options.OIDC.PublicBaseURL, true)
|
||||
if err != nil {
|
||||
return nil, errors.WithStack(err)
|
||||
}
|
||||
|
||||
return merged, nil
|
||||
}
|
||||
|
||||
func (a *Authenticator) generateURL(rawURLTemplate string, proxyName store.ProxyName, layerName store.LayerName) (*url.URL, error) {
|
||||
rawURL, err := a.templatize(rawURLTemplate, proxyName, layerName)
|
||||
if err != nil {
|
||||
return nil, errors.WithStack(err)
|
||||
func (a *Authenticator) mergeURL(base *url.URL, path string, overlay string, withQuery bool) (*url.URL, error) {
|
||||
merged := &url.URL{
|
||||
Scheme: base.Scheme,
|
||||
Host: base.Host,
|
||||
Path: path,
|
||||
}
|
||||
|
||||
url, err := url.Parse(rawURL)
|
||||
if err != nil {
|
||||
return nil, errors.WithStack(err)
|
||||
if withQuery {
|
||||
merged.RawQuery = base.RawQuery
|
||||
}
|
||||
|
||||
return url, nil
|
||||
if overlay != "" {
|
||||
overlayURL, err := url.Parse(overlay)
|
||||
if err != nil {
|
||||
return nil, errors.WithStack(err)
|
||||
}
|
||||
|
||||
merged.Scheme = overlayURL.Scheme
|
||||
merged.Host = overlayURL.Host
|
||||
merged.Path = overlayURL.Path + strings.TrimPrefix(path, "/")
|
||||
|
||||
for key, values := range overlayURL.Query() {
|
||||
query := merged.Query()
|
||||
for _, v := range values {
|
||||
query.Add(key, v)
|
||||
}
|
||||
merged.RawQuery = query.Encode()
|
||||
}
|
||||
}
|
||||
|
||||
return merged, nil
|
||||
}
|
||||
|
||||
func (a *Authenticator) templatize(rawTemplate string, proxyName store.ProxyName, layerName store.LayerName) (string, error) {
|
||||
|
||||
Reference in New Issue
Block a user