make redirect_uri optional

This commit is contained in:
Jehiah Czebotar 2015-03-17 16:25:19 -04:00
parent 748247dde1
commit ebae065b11
4 changed files with 30 additions and 12 deletions

View File

@ -117,7 +117,6 @@ The command line to run `google_auth_proxy` would look like this:
```bash ```bash
./google_auth_proxy \ ./google_auth_proxy \
--redirect-url="https://internal.yourcompany.com/oauth2/callback" \
--google-apps-domain="yourcompany.com" \ --google-apps-domain="yourcompany.com" \
--upstream=http://127.0.0.1:8080/ \ --upstream=http://127.0.0.1:8080/ \
--cookie-secret=... \ --cookie-secret=... \
@ -134,4 +133,4 @@ Google Auth Proxy responds directly to the following endpoints. All other endpoi
* /ping - returns an 200 OK response * /ping - returns an 200 OK response
* /oauth2/sign_in - the login page, which also doubles as a sign out page (it clears cookies) * /oauth2/sign_in - the login page, which also doubles as a sign out page (it clears cookies)
* /oauth2/start - a URL that will redirect to start the OAuth cycle * /oauth2/start - a URL that will redirect to start the OAuth cycle
* /oauth2/callback - the URL used at the end of the OAuth cycle * /oauth2/callback - the URL used at the end of the OAuth cycle. The oauth app will be configured with this ass the callback url.

View File

@ -5,6 +5,7 @@
# http_address = "127.0.0.1:4180" # http_address = "127.0.0.1:4180"
## the OAuth Redirect URL. ## the OAuth Redirect URL.
# defaults to the "https://" + requested host header + "/oauth2/callback"
# redirect_url = "https://internalapp.yourcompany.com/oauth2/callback" # redirect_url = "https://internalapp.yourcompany.com/oauth2/callback"
## the http url(s) of the upstream endpoint. If multiple, routing is based on path ## the http url(s) of the upstream endpoint. If multiple, routing is based on path

View File

@ -98,7 +98,7 @@ func NewOauthProxy(opts *Options, validator func(string) bool) *OauthProxy {
if domain == "" { if domain == "" {
domain = "<default>" domain = "<default>"
} }
log.Printf("Cookie settings: https_only: %v httponly: %v expiry: %s domain:%s", opts.CookieHttpsOnly, opts.CookieHttpOnly, opts.CookieExpire, domain) log.Printf("Cookie settings: https_only (SSL required): %v httponly: %v expiry: %s domain:%s", opts.CookieHttpsOnly, opts.CookieHttpOnly, opts.CookieExpire, domain)
return &OauthProxy{ return &OauthProxy{
CookieKey: "_oauthproxy", CookieKey: "_oauthproxy",
CookieSeed: opts.CookieSecret, CookieSeed: opts.CookieSecret,
@ -122,15 +122,33 @@ func NewOauthProxy(opts *Options, validator func(string) bool) *OauthProxy {
} }
} }
func (p *OauthProxy) GetLoginURL(redirectUrl string) string { func (p *OauthProxy) GetRedirectUrl(host string) string {
// default to the request Host if not set
if p.redirectUrl.Host != "" {
return p.redirectUrl.String()
}
var u url.URL
u = *p.redirectUrl
if u.Scheme == "" {
if p.CookieHttpsOnly {
u.Scheme = "https"
} else {
u.Scheme = "http"
}
}
u.Host = host
return u.String()
}
func (p *OauthProxy) GetLoginURL(host, redirect string) string {
params := url.Values{} params := url.Values{}
params.Add("redirect_uri", p.redirectUrl.String()) params.Add("redirect_uri", p.GetRedirectUrl(host))
params.Add("approval_prompt", "force") params.Add("approval_prompt", "force")
params.Add("scope", p.oauthScope) params.Add("scope", p.oauthScope)
params.Add("client_id", p.clientID) params.Add("client_id", p.clientID)
params.Add("response_type", "code") params.Add("response_type", "code")
if strings.HasPrefix(redirectUrl, "/") { if strings.HasPrefix(redirect, "/") {
params.Add("state", redirectUrl) params.Add("state", redirect)
} }
return fmt.Sprintf("%s?%s", p.oauthLoginUrl, params.Encode()) return fmt.Sprintf("%s?%s", p.oauthLoginUrl, params.Encode())
} }
@ -161,12 +179,12 @@ func (p *OauthProxy) displayCustomLoginForm() bool {
return p.HtpasswdFile != nil && p.DisplayHtpasswdForm return p.HtpasswdFile != nil && p.DisplayHtpasswdForm
} }
func (p *OauthProxy) redeemCode(code string) (string, string, error) { func (p *OauthProxy) redeemCode(host, code string) (string, string, error) {
if code == "" { if code == "" {
return "", "", errors.New("missing code") return "", "", errors.New("missing code")
} }
params := url.Values{} params := url.Values{}
params.Add("redirect_uri", p.redirectUrl.String()) params.Add("redirect_uri", p.GetRedirectUrl(host))
params.Add("client_id", p.clientID) params.Add("client_id", p.clientID)
params.Add("client_secret", p.clientSecret) params.Add("client_secret", p.clientSecret)
params.Add("code", code) params.Add("code", code)
@ -370,7 +388,7 @@ func (p *OauthProxy) ServeHTTP(rw http.ResponseWriter, req *http.Request) {
p.ErrorPage(rw, 500, "Internal Error", err.Error()) p.ErrorPage(rw, 500, "Internal Error", err.Error())
return return
} }
http.Redirect(rw, req, p.GetLoginURL(redirect), 302) http.Redirect(rw, req, p.GetLoginURL(req.Host, redirect), 302)
return return
} }
if req.URL.Path == oauthCallbackPath { if req.URL.Path == oauthCallbackPath {
@ -386,7 +404,7 @@ func (p *OauthProxy) ServeHTTP(rw http.ResponseWriter, req *http.Request) {
return return
} }
_, email, err := p.redeemCode(req.Form.Get("code")) _, email, err := p.redeemCode(req.Host, req.Form.Get("code"))
if err != nil { if err != nil {
log.Printf("%s error redeeming code %s", remoteAddr, err) log.Printf("%s error redeeming code %s", remoteAddr, err)
p.ErrorPage(rw, 500, "Internal Error", err.Error()) p.ErrorPage(rw, 500, "Internal Error", err.Error())

View File

@ -24,7 +24,7 @@ type Options struct {
CookieSecret string `flag:"cookie-secret" cfg:"cookie_secret" env:"GOOGLE_AUTH_PROXY_COOKIE_SECRET"` CookieSecret string `flag:"cookie-secret" cfg:"cookie_secret" env:"GOOGLE_AUTH_PROXY_COOKIE_SECRET"`
CookieDomain string `flag:"cookie-domain" cfg:"cookie_domain" env:"GOOGLE_AUTH_PROXY_COOKIE_DOMAIN"` CookieDomain string `flag:"cookie-domain" cfg:"cookie_domain" env:"GOOGLE_AUTH_PROXY_COOKIE_DOMAIN"`
CookieExpire time.Duration `flag:"cookie-expire" cfg:"cookie_expire" env:"GOOGLE_AUTH_PROXY_COOKIE_EXPIRE"` CookieExpire time.Duration `flag:"cookie-expire" cfg:"cookie_expire" env:"GOOGLE_AUTH_PROXY_COOKIE_EXPIRE"`
CookieHttpsOnly bool `flag:"cookie-https-only" cfg:"cookie_https_only"` CookieHttpsOnly bool `flag:"cookie-https-only" cfg:"cookie_https_only"` // set secure cookie flag
CookieHttpOnly bool `flag:"cookie-httponly" cfg:"cookie_httponly"` CookieHttpOnly bool `flag:"cookie-httponly" cfg:"cookie_httponly"`
Upstreams []string `flag:"upstream" cfg:"upstreams"` Upstreams []string `flag:"upstream" cfg:"upstreams"`