providers/proxy: fix Issuer when AUTHENTIK_HOST_BROWSER is set (#11968)

correctly use host_browser's hostname as host header for token requests to ensure Issuer is identical
2024-11-13 00:54:40 +01:00
parent 1f6ae73e6e
commit a892d4afd8
2 changed files with 14 additions and 3 deletions
--- a/internal/outpost/proxyv2/application/application.go
+++ b/internal/outpost/proxyv2/application/application.go
@ -23,6 +23,7 @@ import (
 	"github.com/prometheus/client_golang/prometheus"
 	log "github.com/sirupsen/logrus"
 	"goauthentik.io/api/v3"
+	"goauthentik.io/internal/config"
 	"goauthentik.io/internal/outpost/ak"
 	"goauthentik.io/internal/outpost/proxyv2/constants"
 	"goauthentik.io/internal/outpost/proxyv2/hs256"
@ -121,6 +122,14 @@ func NewApplication(p api.ProxyOutpostConfig, c *http.Client, server Server, old
 	bs := string(h.Sum([]byte(*p.ClientId)))
 	sessionName := fmt.Sprintf("authentik_proxy_%s", bs[:8])

+	// When HOST_BROWSER is set, use that as Host header for token requests to make the issuer match
+	// otherwise we use the internally configured authentik_host
+	tokenEndpointHost := server.API().Outpost.Config["authentik_host"].(string)
+	if config.Get().AuthentikHostBrowser != "" {
+		tokenEndpointHost = config.Get().AuthentikHostBrowser
+	}
+	publicHTTPClient := web.NewHostInterceptor(c, tokenEndpointHost)
+
 	a := &Application{
 		Host:                 externalHost.Host,
 		log:                  muxLogger,
@ -131,7 +140,7 @@ func NewApplication(p api.ProxyOutpostConfig, c *http.Client, server Server, old
 		tokenVerifier:        verifier,
 		proxyConfig:          p,
 		httpClient:           c,
-		publicHostHTTPClient: web.NewHostInterceptor(c, server.API().Outpost.Config["authentik_host"].(string)),
+		publicHostHTTPClient: publicHTTPClient,
 		mux:                  mux,
 		errorTemplates:       templates.GetTemplates(),
 		ak:                   server.API(),