* wip Co-authored-by: Jens Langhammer <jens@goauthentik.io> Signed-off-by: Jens Langhammer <jens@goauthentik.io> Signed-off-by: Dominic R <dominic@sdko.org> * remove testing files * a * wip * pls * pls2 * a * Update authentik/providers/proxy/models.py Co-authored-by: Jens L. <jens@beryju.org> Signed-off-by: Dominic R <dominic@sdko.org> * makemigrations * pls * pls1000 * dont migrate in go Signed-off-by: Jens Langhammer <jens@goauthentik.io> * set uuid Signed-off-by: Jens Langhammer <jens@goauthentik.io> * fix more test cases Signed-off-by: Jens Langhammer <jens@goauthentik.io> * better logging Signed-off-by: Jens Langhammer <jens@goauthentik.io> * set gorm nowfunc (gorm defaults to local time) Signed-off-by: Jens Langhammer <jens@goauthentik.io> * improve test db closing Signed-off-by: Jens Langhammer <jens@goauthentik.io> * move expiration to field Signed-off-by: Jens Langhammer <jens@goauthentik.io> * dont' manually set table Signed-off-by: Jens Langhammer <jens@goauthentik.io> * refactor tests more Signed-off-by: Jens Langhammer <jens@goauthentik.io> * more refactor Signed-off-by: Jens Langhammer <jens@goauthentik.io> * fix em Signed-off-by: Jens Langhammer <jens@goauthentik.io> * postgres cleanup is done by worker Signed-off-by: Jens Langhammer <jens@goauthentik.io> * update expiry and set expiring Signed-off-by: Jens Langhammer <jens@goauthentik.io> --------- Signed-off-by: Jens Langhammer <jens@goauthentik.io> Signed-off-by: Dominic R <dominic@sdko.org> Co-authored-by: Jens Langhammer <jens@goauthentik.io> Co-authored-by: Jens L. <jens@beryju.org>
package application
import (
"encoding/json"
"net/http"
"net/url"
"strings"
"goauthentik.io/internal/outpost/proxyv2/constants"
"goauthentik.io/internal/outpost/proxyv2/types"
)
// checkAuthHeaderBearer extracts the bearer token from the request's
// constants.HeaderAuthorization header. The scheme prefix
// (constants.AuthBearer) is matched case-insensitively and whatever follows
// it is returned verbatim. The empty string means no usable bearer header was
// present: header missing, shorter than the prefix, or a different scheme.
func (a *Application) checkAuthHeaderBearer(r *http.Request) string {
	raw := r.Header.Get(constants.HeaderAuthorization)
	prefixLen := len(constants.AuthBearer)
	// A missing header and one too short to carry the scheme both mean "no token";
	// checking the length first also keeps the slice below in bounds.
	if raw == "" || len(raw) < prefixLen {
		return ""
	}
	if !strings.EqualFold(raw[:prefixLen], constants.AuthBearer) {
		return ""
	}
	return raw[prefixLen:]
}
// TokenIntrospectionResponse is the decoded JSON body of a token
// introspection reply. The embedded types.Claims contributes the claim
// fields (including RawToken, which attemptBearerAuth fills in after a
// successful introspection).
type TokenIntrospectionResponse struct {
	types.Claims
	// Scope is the scope string the introspection endpoint reports for the token.
	Scope string `json:"scope"`
	// Active is the endpoint's verdict on the token; attemptBearerAuth
	// discards any response where it is false.
	Active bool `json:"active"`
	// ClientID is the client identifier the endpoint associates with the token.
	ClientID string `json:"client_id"`
}
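// attemptBearerAuth validates token against the provider's token
// introspection endpoint (a form-encoded POST authenticated with the
// application's client ID and secret).
//
// It returns the decoded introspection response, with RawToken set to the
// introspected token, only when the endpoint reports the token as active.
// It returns nil in every other case: request construction or transport
// error, a non-200 status, an undecodable body, or an inactive token.
// Failures are logged at warning level; the token value itself is never
// logged.
func (a *Application) attemptBearerAuth(token string) *TokenIntrospectionResponse {
	values := url.Values{
		"client_id":     []string{a.oauthConfig.ClientID},
		"client_secret": []string{a.oauthConfig.ClientSecret},
		"token":         []string{token},
	}
	req, err := http.NewRequest("POST", a.endpoint.TokenIntrospection, strings.NewReader(values.Encode()))
	if err != nil {
		a.log.WithError(err).Warning("failed to create introspection request")
		return nil
	}
	req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
	res, err := a.publicHostHTTPClient.Do(req)
	if err != nil {
		a.log.WithError(err).Warning("failed to send introspection request")
		return nil
	}
	// The body was previously never closed, leaking the connection on every
	// introspection; close it on all remaining paths.
	defer res.Body.Close()
	if res.StatusCode != http.StatusOK {
		// Split from the transport-error branch, which used to log a nil error
		// here; the status code is the useful datum for a rejected call.
		a.log.WithField("status", res.StatusCode).Warning("introspection request returned non-200 status")
		return nil
	}
	// NOTE(review): the response is decoded without a size cap. It comes from
	// the provider's own introspection URL, so this is a robustness point
	// rather than a trust-boundary one; a bounded reader would limit memory
	// if that host were ever misconfigured.
	intro := TokenIntrospectionResponse{}
	if err := json.NewDecoder(res.Body).Decode(&intro); err != nil {
		a.log.WithError(err).Warning("failed to parse introspection response")
		return nil
	}
	if !intro.Active {
		a.log.Warning("token is not active")
		return nil
	}
	intro.RawToken = token
	a.log.Trace("successfully introspected bearer token")
	return &intro
}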