From 7a8fb58ad1a2ed1984e5b6be305b68de3fe1c608 Mon Sep 17 00:00:00 2001
From: Jonas Fonseca
Date: Fri, 14 Jun 2019 11:33:05 -0400
Subject: [PATCH] Only validate tokens if ValidateURL resolves to a non-empty string

Fix an unsupported protocol scheme error when validating tokens by ensuring that the ValidateURL generates a non-empty string. The Azure provider doesn't define any ValidateURL and therefore uses the default value of `url.Parse("")` which is not `nil`. The following log summary shows the issue:

2019/06/14 12:26:04 oauthproxy.go:799: 10.244.1.3:34112 ("10.244.1.1") refreshing 16h26m29s old session cookie for Session{email:jonas.fonseca@example.com user:jonas.fonseca token:true} (refresh after 1h0m0s)
2019/06/14 12:26:04 internal_util.go:60: GET ?access_token=eyJ0...
2019/06/14 12:26:04 internal_util.go:61: token validation request failed: Get ?access_token=eyJ0...: unsupported protocol scheme ""
2019/06/14 12:26:04 oauthproxy.go:822: 10.244.1.3:34112 ("10.244.1.1") removing session. error validating Session{email:jonas.fonseca@example.com user:jonas.fonseca token:true}
---
 CHANGELOG.md | 1 +
 providers/internal_util.go | 2 +-
 2 files changed, 2 insertions(+), 1 deletion(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 4f3fc3d..6cfd7dd 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -54,6 +54,7 @@
 - [#111](https://github.com/pusher/oauth2_proxy/pull/111) Add option for telling where to find a login.gov JWT key file (@timothy-spencer)
 - [#170](https://github.com/pusher/oauth2_proxy/pull/170) Restore binary tarball contents to be compatible with bitlys original tarballs (@zeha)
+- [#185](https://github.com/pusher/oauth2_proxy/pull/185) Fix an unsupported protocol scheme error during token validation when using the Azure provider (@jonas)
 # v3.2.0
diff --git a/providers/internal_util.go b/providers/internal_util.go
index 7144dee..849e2c7 100644
--- a/providers/internal_util.go
+++ b/providers/internal_util.go
@@ -47,7 +47,7 @@ func stripParam(param, endpoint string) string {
 // validateToken returns true if token is valid
 func validateToken(p Provider, accessToken string, header http.Header) bool {
-	if accessToken == "" || p.Data().ValidateURL == nil {
+	if accessToken == "" || p.Data().ValidateURL == nil || p.Data().ValidateURL.String() == "" {
 		return false
 	}
 	endpoint := p.Data().ValidateURL.String()
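Review bot: The new condition treats an absent or empty ValidateURL exactly like an invalid token, so callers cannot tell "no validation endpoint configured" from "validation failed"; the comment above the function should state this fail-closed choice, e.g. `// validateToken returns true if token is valid. A nil or empty ValidateURL is treated as a validation failure (fail closed).` The condition also evaluates `p.Data()` three times and the following line a fourth; hoisting it as `validateURL := p.Data().ValidateURL` and then `if accessToken == "" || validateURL == nil || validateURL.String() == "" {` reads more clearly and keeps the later `endpoint := validateURL.String()` consistent. Whether the Azure session from the commit's log is still cleared once the request error is gone depends on the caller's handling of a false return, which is outside this hunk and worth confirming. validateToken's body continues past the end of the hunk.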