cim/zitadel-oidc
5
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

feat: issuer from Forwarded header (#443)

Browse source
This commit is contained in:
Tim Möhlmann 2023-09-07 15:25:39 +03:00 committed by GitHub
parent 607a76c154
commit 364a7591d6
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
5 changed files with 149 additions and 6 deletions
Download patch file Download diff file Expand all files Collapse all files

34
pkg/op/config.go
View file

@ -2,10 +2,12 @@ package op
import (
"errors"
"log"
"net/http"
"net/url"
"strings"
"github.com/muhlemmer/httpforwarded"
"golang.org/x/text/language"
)
@ -52,6 +54,21 @@ type Configuration interface {
type IssuerFromRequest func(r *http.Request) string
func IssuerFromHost(path string) func(bool) (IssuerFromRequest, error) {
return issuerFromForwardedOrHost(path, false)
}
// IssuerFromForwardedOrHost tries to establish the Issuer based
// on the Forwarded header host field.
// If multiple Forwarded headers are present, the first mention
// of the host field will be used.
// If the Forwarded header is not present, no host field is found,
// or there is a parser error the Request Host will be used as a fallback.
// https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Forwarded
func IssuerFromForwardedOrHost(path string) func(bool) (IssuerFromRequest, error) {
return issuerFromForwardedOrHost(path, true)
}
func issuerFromForwardedOrHost(path string, parseForwarded bool) func(bool) (IssuerFromRequest, error) {
return func(allowInsecure bool) (IssuerFromRequest, error) {
issuerPath, err := url.Parse(path)
if err != nil {
@ -61,11 +78,28 @@ func IssuerFromHost(path string) func(bool) (IssuerFromRequest, error) {
return nil, err
}
return func(r *http.Request) string {
if parseForwarded {
if host, ok := hostFromForwarded(r); ok {
return dynamicIssuer(host, path, allowInsecure)
}
}
return dynamicIssuer(r.Host, path, allowInsecure)
}, nil
}
}
func hostFromForwarded(r *http.Request) (host string, ok bool) {
fwd, err := httpforwarded.ParseFromRequest(r)
if err != nil {
log.Printf("Err: issuer from forwarded header: %v", err) // TODO change to slog on next branch
return "", false
}
if fwd == nil || len(fwd["host"]) == 0 {
return "", false
}
return fwd["host"][0], true
}
func StaticIssuer(issuer string) func(bool) (IssuerFromRequest, error) {
return func(allowInsecure bool) (IssuerFromRequest, error) {
if err := ValidateIssuer(issuer, allowInsecure); err != nil {