make redirect_uri optional

2015-03-17 16:25:19 -04:00 · 2015-03-17 16:25:19 -04:00 · ebae065b11
commit ebae065b11
parent 748247dde1
4 changed files with 30 additions and 12 deletions
--- a/README.md
+++ b/README.md
@ -117,7 +117,6 @@ The command line to run `google_auth_proxy` would look like this:

 ```bash
 ./google_auth_proxy \
-   --redirect-url="https://internal.yourcompany.com/oauth2/callback"  \
   --google-apps-domain="yourcompany.com"  \
   --upstream=http://127.0.0.1:8080/ \
   --cookie-secret=... \
@ -134,4 +133,4 @@ Google Auth Proxy responds directly to the following endpoints. All other endpoi
 * /ping - returns an 200 OK response
 * /oauth2/sign_in - the login page, which also doubles as a sign out page (it clears cookies)
 * /oauth2/start - a URL that will redirect to start the OAuth cycle
-* /oauth2/callback - the URL used at the end of the OAuth cycle
+* /oauth2/callback - the URL used at the end of the OAuth cycle. The oauth app will be configured with this ass the callback url.
--- a/contrib/google_auth_proxy.cfg.example
+++ b/contrib/google_auth_proxy.cfg.example
@ -5,6 +5,7 @@
 # http_address = "127.0.0.1:4180"

 ## the OAuth Redirect URL.
+# defaults to the "https://" + requested host header + "/oauth2/callback"
 # redirect_url = "https://internalapp.yourcompany.com/oauth2/callback"

 ## the http url(s) of the upstream endpoint. If multiple, routing is based on path
--- a/oauthproxy.go
+++ b/oauthproxy.go
@ -98,7 +98,7 @@ func NewOauthProxy(opts *Options, validator func(string) bool) *OauthProxy {
 	if domain == "" {
 		domain = "<default>"
 	}
-	log.Printf("Cookie settings: https_only: %v httponly: %v expiry: %s domain:%s", opts.CookieHttpsOnly, opts.CookieHttpOnly, opts.CookieExpire, domain)
+	log.Printf("Cookie settings: https_only (SSL required): %v httponly: %v expiry: %s domain:%s", opts.CookieHttpsOnly, opts.CookieHttpOnly, opts.CookieExpire, domain)
 	return &OauthProxy{
 		CookieKey:       "_oauthproxy",
 		CookieSeed:      opts.CookieSecret,
@ -122,15 +122,33 @@ func NewOauthProxy(opts *Options, validator func(string) bool) *OauthProxy {
 	}
 }

-func (p *OauthProxy) GetLoginURL(redirectUrl string) string {
+func (p *OauthProxy) GetRedirectUrl(host string) string {
+	// default to the request Host if not set
+	if p.redirectUrl.Host != "" {
+		return p.redirectUrl.String()
+	}
+	var u url.URL
+	u = *p.redirectUrl
+	if u.Scheme == "" {
+		if p.CookieHttpsOnly {
+			u.Scheme = "https"
+		} else {
+			u.Scheme = "http"
+		}
+	}
+	u.Host = host
+	return u.String()
+}
+
+func (p *OauthProxy) GetLoginURL(host, redirect string) string {
 	params := url.Values{}
-	params.Add("redirect_uri", p.redirectUrl.String())
+	params.Add("redirect_uri", p.GetRedirectUrl(host))
 	params.Add("approval_prompt", "force")
 	params.Add("scope", p.oauthScope)
 	params.Add("client_id", p.clientID)
 	params.Add("response_type", "code")
-	if strings.HasPrefix(redirectUrl, "/") {
-		params.Add("state", redirectUrl)
+	if strings.HasPrefix(redirect, "/") {
+		params.Add("state", redirect)
 	}
 	return fmt.Sprintf("%s?%s", p.oauthLoginUrl, params.Encode())
 }
@ -161,12 +179,12 @@ func (p *OauthProxy) displayCustomLoginForm() bool {
 	return p.HtpasswdFile != nil && p.DisplayHtpasswdForm
 }

-func (p *OauthProxy) redeemCode(code string) (string, string, error) {
+func (p *OauthProxy) redeemCode(host, code string) (string, string, error) {
 	if code == "" {
 		return "", "", errors.New("missing code")
 	}
 	params := url.Values{}
-	params.Add("redirect_uri", p.redirectUrl.String())
+	params.Add("redirect_uri", p.GetRedirectUrl(host))
 	params.Add("client_id", p.clientID)
 	params.Add("client_secret", p.clientSecret)
 	params.Add("code", code)
@ -370,7 +388,7 @@ func (p *OauthProxy) ServeHTTP(rw http.ResponseWriter, req *http.Request) {
 			p.ErrorPage(rw, 500, "Internal Error", err.Error())
 			return
 		}
-		http.Redirect(rw, req, p.GetLoginURL(redirect), 302)
+		http.Redirect(rw, req, p.GetLoginURL(req.Host, redirect), 302)
 		return
 	}
 	if req.URL.Path == oauthCallbackPath {
@ -386,7 +404,7 @@ func (p *OauthProxy) ServeHTTP(rw http.ResponseWriter, req *http.Request) {
 			return
 		}

-		_, email, err := p.redeemCode(req.Form.Get("code"))
+		_, email, err := p.redeemCode(req.Host, req.Form.Get("code"))
 		if err != nil {
 			log.Printf("%s error redeeming code %s", remoteAddr, err)
 			p.ErrorPage(rw, 500, "Internal Error", err.Error())
--- a/options.go
+++ b/options.go
@ -24,7 +24,7 @@ type Options struct {
 	CookieSecret    string        `flag:"cookie-secret" cfg:"cookie_secret" env:"GOOGLE_AUTH_PROXY_COOKIE_SECRET"`
 	CookieDomain    string        `flag:"cookie-domain" cfg:"cookie_domain" env:"GOOGLE_AUTH_PROXY_COOKIE_DOMAIN"`
 	CookieExpire    time.Duration `flag:"cookie-expire" cfg:"cookie_expire" env:"GOOGLE_AUTH_PROXY_COOKIE_EXPIRE"`
-	CookieHttpsOnly bool          `flag:"cookie-https-only" cfg:"cookie_https_only"`
+	CookieHttpsOnly bool          `flag:"cookie-https-only" cfg:"cookie_https_only"` // set secure cookie flag
 	CookieHttpOnly  bool          `flag:"cookie-httponly" cfg:"cookie_httponly"`

 	Upstreams      []string `flag:"upstream" cfg:"upstreams"`