From a892d4afd8948059af5686778837346442a6232b Mon Sep 17 00:00:00 2001
From: "Jens L."
Date: Wed, 13 Nov 2024 00:54:40 +0100
Subject: [PATCH] providers/proxy: fix Issuer when AUTHENTIK_HOST_BROWSER is set (#11968)

correctly use host_browser's hostname as host header for token requests to ensure Issuer is identical
---
 internal/outpost/proxyv2/application/application.go | 11 ++++++++++-
 internal/utils/web/http_host_interceptor.go | 6 ++++--
 2 files changed, 14 insertions(+), 3 deletions(-)

diff --git a/internal/outpost/proxyv2/application/application.go b/internal/outpost/proxyv2/application/application.go
index 4196f052f5..01b0a44637 100644
--- a/internal/outpost/proxyv2/application/application.go
+++ b/internal/outpost/proxyv2/application/application.go
@@ -23,6 +23,7 @@ import (
 	"github.com/prometheus/client_golang/prometheus"
 	log "github.com/sirupsen/logrus"
 	"goauthentik.io/api/v3"
+	"goauthentik.io/internal/config"
 	"goauthentik.io/internal/outpost/ak"
 	"goauthentik.io/internal/outpost/proxyv2/constants"
 	"goauthentik.io/internal/outpost/proxyv2/hs256"
@@ -121,6 +122,14 @@ func NewApplication(p api.ProxyOutpostConfig, c *http.Client, server Server, old
 	bs := string(h.Sum([]byte(*p.ClientId)))
 	sessionName := fmt.Sprintf("authentik_proxy_%s", bs[:8])
 
+	// When HOST_BROWSER is set, use that as Host header for token requests to make the issuer match
+	// otherwise we use the internally configured authentik_host
+	tokenEndpointHost := server.API().Outpost.Config["authentik_host"].(string)
+	if config.Get().AuthentikHostBrowser != "" {
+		tokenEndpointHost = config.Get().AuthentikHostBrowser
+	}
+	publicHTTPClient := web.NewHostInterceptor(c, tokenEndpointHost)
+
 	a := &Application{
 		Host: externalHost.Host,
 		log: muxLogger,
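Review bot: The new `tokenEndpointHost := server.API().Outpost.Config["authentik_host"].(string)` line keeps an unchecked type assertion, so an outpost config without that key (or with a non-string value) panics the whole outpost at startup rather than failing one application; since this line is being rewritten anyway, a comma-ok form with a logged error, `authentikHost, ok := server.API().Outpost.Config["authentik_host"].(string)`, would be the safer shape. `config.Get()` is also evaluated twice in the `if`; hoisting `hostBrowser := config.Get().AuthentikHostBrowser` and testing/assigning that reads cleaner. One caveat worth a comment: deliberately sending the browser-facing host as the Host header to the internal authentik endpoint only works if the server accepts that host value on the internal listener, which presumably holds because browsers already reach it under that name, but it is not visible here and should be confirmed. The body of NewApplication continues outside the hunk.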
@@ -131,7 +140,7 @@ func NewApplication(p api.ProxyOutpostConfig, c *http.Client, server Server, old
 		tokenVerifier: verifier,
 		proxyConfig: p,
 		httpClient: c,
-		publicHostHTTPClient: web.NewHostInterceptor(c, server.API().Outpost.Config["authentik_host"].(string)),
+		publicHostHTTPClient: publicHTTPClient,
 		mux: mux,
 		errorTemplates: templates.GetTemplates(),
 		ak: server.API(),
diff --git a/internal/utils/web/http_host_interceptor.go b/internal/utils/web/http_host_interceptor.go
index ab2308e7fb..3ca4f40714 100644
--- a/internal/utils/web/http_host_interceptor.go
+++ b/internal/utils/web/http_host_interceptor.go
@@ -14,8 +14,10 @@ type hostInterceptor struct {
 }
 
 func (t hostInterceptor) RoundTrip(r *http.Request) (*http.Response, error) {
-	r.Host = t.host
-	r.Header.Set("X-Forwarded-Proto", t.scheme)
+	if r.Host != t.host {
+		r.Host = t.host
+		r.Header.Set("X-Forwarded-Proto", t.scheme)
+	}
 	return t.inner.RoundTrip(r)
 }
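Review bot: In the RoundTrip hunk the new `if r.Host != t.host` guard couples the X-Forwarded-Proto override to the Host comparison, so a request whose Host already equals t.host now keeps whatever proto the caller set instead of t.scheme, whereas before the header was always set; since the Issuer the server builds depends on both host and scheme, that can yield an http issuer for an https browser host. If the intent is only to avoid re-rewriting Host, keep `if r.Host != t.host { r.Host = t.host }` and set `r.Header.Set("X-Forwarded-Proto", t.scheme)` unconditionally, or compare the proto on its own. Independently, the method still mutates the caller's *http.Request in place, which the http.RoundTripper contract says a RoundTripper must not do; cloning first with `r = r.Clone(r.Context())` keeps the Host/header rewrite from leaking back to the caller on retries or reuse. The string comparison is also case-sensitive, which only matters if t.host and the request Host can differ in case; how NewHostInterceptor normalises t.host is outside this hunk, so that is worth checking before relying on the guard.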