providers/proxy: add initial header token auth (#4421)

* initial implementation

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* check for openid/profile claims

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* include jwks sources in proxy provider

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* add web ui for jwks

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* only show sources with JWKS data configured

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* fix introspection tests

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* start basic

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* add basic auth

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* add docs, update admonitions

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* add client_id to api, add tab for auth

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* update locale

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

Signed-off-by: Jens Langhammer <jens@goauthentik.io>
Jens L
2023-01-13 16:22:03 +01:00
committed by GitHub
parent 31c6ea9fda
commit cd12e177ea
54 changed files with 830 additions and 162 deletions


@ -33,10 +33,11 @@ func (a *Application) configureProxy() error {
rp.ErrorHandler = a.newProxyErrorHandler()
rp.ModifyResponse = a.proxyModifyResponse
a.mux.PathPrefix("/").HandlerFunc(func(rw http.ResponseWriter, r *http.Request) {
claims, err := a.getClaims(r)
claims, err := a.checkAuth(rw, r)
if claims == nil && a.IsAllowlisted(r.URL) {
a.log.Trace("path can be accessed without authentication")
} else if claims == nil && err != nil {
a.log.WithError(err).Trace("no claims")
a.redirectToStart(rw, r)
return
} else {
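Review bot: The redirect branch in the `PathPrefix("/")` handler only fires when `claims == nil && err != nil`, so a `(nil, nil)` return from `checkAuth` on a non-allowlisted path would fall through to the final `else` and be handled as an authenticated request. `checkAuth` is not visible here, but going by the commit message it now also evaluates header token and basic credentials, so it likely has more return paths than `getClaims` did. The handler should fail closed with `} else if claims == nil {`, treating a missing `err` as a log detail rather than a condition for the redirect. The `else` body continues outside the hunk. In the following hunk, `a.checkAuth(nil, r)` passes a nil `http.ResponseWriter` and discards the error, so that call deserves a comment such as `// rw is nil here: checkAuth must not write to the response on this path`.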
@ -67,7 +68,7 @@ func (a *Application) configureProxy() error {
func (a *Application) proxyModifyRequest(ou *url.URL) func(req *http.Request) {
return func(r *http.Request) {
r.Header.Set("X-Forwarded-Host", r.Host)
claims, _ := a.getClaims(r)
claims, _ := a.checkAuth(nil, r)
r.URL.Scheme = ou.Scheme
r.URL.Host = ou.Host
if claims != nil && claims.Proxy != nil && claims.Proxy.BackendOverride != "" {