Merge branch 'master' into inbuilt-proxy

Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org> # Conflicts: # internal/constants/constants.go # outpost/pkg/version.go
2021-07-02 16:23:30 +02:00
parent 2a0bd50e23 02dd44eeec
commit 3dc9e247d5
42 changed files with 481 additions and 227 deletions
--- a/internal/outpost/proxy/api.go
+++ b/internal/outpost/proxy/api.go
@ -29,9 +29,10 @@ func (s *Server) bundleProviders(providers []api.ProxyOutpostConfig) []*provider
 			log.WithError(err).Warning("Failed to parse URL, skipping provider")
 		}
 		bundles[idx] = &providerBundle{
-			s:    s,
-			Host: externalHost.Host,
-			log:  log.WithField("logger", "authentik.outpost.proxy-bundle").WithField("provider", provider.Name),
+			s:             s,
+			Host:          externalHost.Host,
+			log:           log.WithField("logger", "authentik.outpost.proxy-bundle").WithField("provider", provider.Name),
+			endSessionUrl: provider.OidcConfiguration.EndSessionEndpoint,
 		}
 		bundles[idx].Build(provider)
 	}
--- a/internal/outpost/proxy/api_bundle.go
+++ b/internal/outpost/proxy/api_bundle.go
@ -25,6 +25,8 @@ type providerBundle struct {
 	proxy *OAuthProxy
 	Host  string

+	endSessionUrl string
+
 	cert *tls.Certificate

 	log *log.Entry
@ -58,6 +60,8 @@ func (pb *providerBundle) prepareOpts(provider api.ProxyOutpostConfig) *options.
 	providerOpts.RedeemURL = provider.OidcConfiguration.TokenEndpoint
 	providerOpts.OIDCJwksURL = provider.OidcConfiguration.JwksUri
 	providerOpts.ProfileURL = provider.OidcConfiguration.UserinfoEndpoint
+	providerOpts.ValidateURL = provider.OidcConfiguration.UserinfoEndpoint
+	providerOpts.AcrValues = "goauthentik.io/providers/oauth2/default"

 	if *provider.SkipPathRegex != "" {
 		skipRegexes := strings.Split(*provider.SkipPathRegex, "\n")
@ -153,6 +157,7 @@ func (pb *providerBundle) Build(provider api.ProxyOutpostConfig) {
 		oauthproxy.BasicAuthPasswordAttribute = *provider.BasicAuthPasswordAttribute
 	}

+	oauthproxy.endSessionEndpoint = pb.endSessionUrl
 	oauthproxy.ExternalHost = pb.Host

 	pb.proxy = oauthproxy
--- a/internal/outpost/proxy/proxy.go
+++ b/internal/outpost/proxy/proxy.go
@ -65,31 +65,33 @@ type OAuthProxy struct {
 	AuthOnlyPath      string
 	UserInfoPath      string

+	endSessionEndpoint         string
 	mode                       api.ProxyMode
-	redirectURL                *url.URL // the url to receive requests at
-	whitelistDomains           []string
-	provider                   providers.Provider
-	sessionStore               sessionsapi.SessionStore
-	ProxyPrefix                string
-	serveMux                   http.Handler
-	SetXAuthRequest            bool
-	SetBasicAuth               bool
-	PassUserHeaders            bool
 	BasicAuthUserAttribute     string
 	BasicAuthPasswordAttribute string
 	ExternalHost               string
-	PassAccessToken            bool
-	SetAuthorization           bool
-	PassAuthorization          bool
-	PreferEmailToUser          bool
-	skipAuthRegex              []string
-	skipAuthPreflight          bool
-	skipAuthStripHeaders       bool
-	mainJwtBearerVerifier      *oidc.IDTokenVerifier
-	extraJwtBearerVerifiers    []*oidc.IDTokenVerifier
-	compiledRegex              []*regexp.Regexp
-	templates                  *template.Template
-	realClientIPParser         ipapi.RealClientIPParser
+
+	redirectURL             *url.URL // the url to receive requests at
+	whitelistDomains        []string
+	provider                providers.Provider
+	sessionStore            sessionsapi.SessionStore
+	ProxyPrefix             string
+	serveMux                http.Handler
+	SetXAuthRequest         bool
+	SetBasicAuth            bool
+	PassUserHeaders         bool
+	PassAccessToken         bool
+	SetAuthorization        bool
+	PassAuthorization       bool
+	PreferEmailToUser       bool
+	skipAuthRegex           []string
+	skipAuthPreflight       bool
+	skipAuthStripHeaders    bool
+	mainJwtBearerVerifier   *oidc.IDTokenVerifier
+	extraJwtBearerVerifiers []*oidc.IDTokenVerifier
+	compiledRegex           []*regexp.Regexp
+	templates               *template.Template
+	realClientIPParser      ipapi.RealClientIPParser

 	sessionChain alice.Chain

@ -285,19 +287,13 @@ func (p *OAuthProxy) UserInfo(rw http.ResponseWriter, req *http.Request) {

 // SignOut sends a response to clear the authentication cookie
 func (p *OAuthProxy) SignOut(rw http.ResponseWriter, req *http.Request) {
-	redirect, err := p.GetRedirect(req)
-	if err != nil {
-		p.logger.Errorf("Error obtaining redirect: %v", err)
-		p.ErrorPage(rw, http.StatusInternalServerError, "Internal Server Error", err.Error())
-		return
-	}
-	err = p.ClearSessionCookie(rw, req)
+	err := p.ClearSessionCookie(rw, req)
 	if err != nil {
 		p.logger.Errorf("Error clearing session cookie: %v", err)
 		p.ErrorPage(rw, http.StatusInternalServerError, "Internal Server Error", err.Error())
 		return
 	}
-	http.Redirect(rw, req, redirect, http.StatusFound)
+	http.Redirect(rw, req, p.endSessionEndpoint, http.StatusFound)
 }

 // AuthenticateOnly checks whether the user is currently logged in