providers/proxy: rework redirect mechanism (#8594)

* providers/proxy: rework redirect mechanism

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* add session id, don't tie to state in session

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* handle state failing to parse

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* fix

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* save session after creating state

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* remove debug

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* include task expiry in status

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* fix redirect URL detection

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* fix tests

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

---------

Signed-off-by: Jens Langhammer <jens@goauthentik.io>
Jens L
2024-05-06 03:07:08 +02:00
committed by GitHub
parent 3e4fea875a
commit c45bb8e985
16 changed files with 272 additions and 190 deletions


@ -3,9 +3,10 @@ package hs256
import (
"context"
"encoding/base64"
"fmt"
"strings"
"github.com/golang-jwt/jwt"
"github.com/golang-jwt/jwt/v5"
)
type KeySet struct {
@ -15,17 +16,23 @@ type KeySet struct {
func NewKeySet(secret string) *KeySet {
return &KeySet{
m: jwt.GetSigningMethod("HS256"),
m: jwt.SigningMethodHS256,
secret: secret,
}
}
func (ks *KeySet) VerifySignature(ctx context.Context, jwt string) ([]byte, error) {
parts := strings.Split(jwt, ".")
err := ks.m.Verify(strings.Join(parts[0:2], "."), parts[2], []byte(ks.secret))
func (ks *KeySet) VerifySignature(ctx context.Context, rawJWT string) ([]byte, error) {
_, err := jwt.Parse(rawJWT, func(token *jwt.Token) (interface{}, error) {
// Don't forget to validate the alg is what you expect:
if _, ok := token.Method.(*jwt.SigningMethodHMAC); !ok {
return nil, fmt.Errorf("unexpected signing method: %v", token.Header["alg"])
}
return []byte(ks.secret), nil
})
if err != nil {
return nil, err
}
parts := strings.Split(rawJWT, ".")
payload, err := base64.RawURLEncoding.DecodeString(parts[1])
return payload, err
}
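Review bot: The keyfunc at the `if _, ok := token.Method.(*jwt.SigningMethodHMAC)` line accepts any HMAC variant (HS256, HS384 and HS512) rather than the HS256 method this KeySet is built with, and the `m` field set in NewKeySet is no longer consulted anywhere in VerifySignature, so a token signed with the shared secret under HS512 would verify here. Tie the check to the configured method instead, e.g. `if token.Method.Alg() != ks.m.Alg() {`, or drop the manual check in favour of the v5 parser option `jwt.WithValidMethods([]string{ks.m.Alg()})` passed as a third argument to `jwt.Parse`. Note also that `jwt.Parse` in v5 appears to run default claims validation (expiry, not-before) on top of the signature check, which the old `ks.m.Verify` path did not, so this method now rejects expired tokens before the caller sees the payload — worth a comment if that is intended. The `// Don't forget to validate the alg is what you expect:` comment reads as copied from the library example; a sentence stating which algorithm this KeySet accepts and why the check matters (`alg` is attacker-controlled header data) would serve a reader better.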