fix(auth): allow authorization for Github and OIDC behind the reverse

proxy Signed-off-by: Roman Dmytrenko <[email protected]>
flipt-io · May 29, 2024 · 24ded33 · 24ded33
1 parent 985491c
commit 24ded33
Show file tree

Hide file tree

Showing 11 changed files with 70 additions and 42 deletions.
diff --git a/examples/proxy/nginx.conf b/examples/proxy/nginx.conf
@@ -10,6 +10,7 @@ server {
         proxy_set_header   Host             $host;
         proxy_set_header   X-Real-IP        $remote_addr;
         proxy_set_header   X-Forwarded-For  $proxy_add_x_forwarded_for;
+        proxy_set_header   X-Forwarded-Prefix /flipt;
         proxy_buffering on;
 
         # rewrite

diff --git a/internal/cmd/authn.go b/internal/cmd/authn.go
@@ -333,7 +333,7 @@ func authenticationHTTPMount(
 	}
 
 	if cfg.SessionEnabled() {
-		muxOpts = append(muxOpts, runtime.WithMetadata(method.ForwardCookies))
+		muxOpts = append(muxOpts, runtime.WithMetadata(method.ForwardCookies), runtime.WithMetadata(method.ForwardPrefix))
 
 		methodMiddleware := method.NewHTTPMiddleware(cfg.Session)
 		muxOpts = append(muxOpts, runtime.WithForwardResponseOption(methodMiddleware.ForwardResponseOption))

diff --git a/internal/config/authentication.go b/internal/config/authentication.go
@@ -441,10 +441,7 @@ func (a AuthenticationMethodOIDCConfig) info() AuthenticationMethodInfo {
 	// this ensures we expose the authorize and callback URL endpoint
 	// to the UI via the /auth/v1/method endpoint
 	for provider := range a.Providers {
-		providers[provider] = map[string]any{
-			"authorize_url": fmt.Sprintf("/auth/v1/method/oidc/%s/authorize", provider),
-			"callback_url":  fmt.Sprintf("/auth/v1/method/oidc/%s/callback", provider),
-		}
+		providers[provider] = map[string]any{}
 	}
 
 	metadata["providers"] = providers
@@ -552,9 +549,6 @@ func (a AuthenticationMethodGithubConfig) info() AuthenticationMethodInfo {
 
 	metadata := make(map[string]any)
 
-	metadata["authorize_url"] = "/auth/v1/method/github/authorize"
-	metadata["callback_url"] = "/auth/v1/method/github/callback"
-
 	info.Metadata, _ = structpb.NewStruct(metadata)
 
 	return info

diff --git a/internal/server/authn/method/http.go b/internal/server/authn/method/http.go
@@ -16,11 +16,13 @@ import (
 	"google.golang.org/protobuf/proto"
 )
 
-var (
-	githubPrefix   = "/auth/v1/method/github"
-	oidcPrefix     = "/auth/v1/method/oidc/"
-	stateCookieKey = "flipt_client_state"
-	tokenCookieKey = "flipt_client_token"
+const (
+	githubPrefix       = "/auth/v1/method/github"
+	oidcPrefix         = "/auth/v1/method/oidc/"
+	stateCookieKey     = "flipt_client_state"
+	tokenCookieKey     = "flipt_client_token"
+	forwardedPrefixKey = "x-forwarded-prefix"
+	xForwardedPrefix   = "X-Forwarded-Prefix"
 )
 
 // Middleware contains various extensions for appropriate integration of the OIDC services
@@ -53,6 +55,17 @@ func ForwardCookies(ctx context.Context, req *http.Request) metadata.MD {
 	return md
 }
 
+// ForwardPrefix extracts the "X-Forwarded-Prefix" header from an HTTP request
+// and forwards them as grpc metadata entries.
+func ForwardPrefix(ctx context.Context, req *http.Request) metadata.MD {
+	md := metadata.MD{}
+	values := req.Header.Values(xForwardedPrefix)
+	if len(values) > 0 {
+		md[forwardedPrefixKey] = values
+	}
+	return md
+}
+
 // ForwardResponseOption is a grpc gateway forward response option function implementation.
 // The purpose of which is to intercept outgoing Callback operation responses.
 // When intercepted the resulting clientToken is stripped from the response payload and instead
@@ -77,8 +90,11 @@ func (m Middleware) ForwardResponseOption(ctx context.Context, w http.ResponseWr
 
 		// clear out token now that it is set via cookie
 		r.ClientToken = ""
-
-		w.Header().Set("Location", "/")
+		location := "/"
+		if md, ok := metadata.FromOutgoingContext(ctx); ok {
+			location = path.Join(md.Get(forwardedPrefixKey)...) + "/"
+		}
+		w.Header().Set("Location", location)
 		w.WriteHeader(http.StatusFound)
 	}
 
@@ -101,6 +117,7 @@ func (m Middleware) Handler(next http.Handler) http.Handler {
 		}
 
 		if method == "authorize" {
+			prefix = path.Join(r.Header.Get(xForwardedPrefix), prefix)
 			query := r.URL.Query()
 			// create a random security token and bind it to
 			// the state parameter while preserving any provided
@@ -130,7 +147,7 @@ func (m Middleware) Handler(next http.Handler) http.Handler {
 				Name:  stateCookieKey,
 				Value: encoded,
 				// bind state cookie to provider callback
-				Path:     prefix + "callback",
+				Path:     prefix + "/callback",
 				Expires:  time.Now().Add(m.config.StateLifetime),
 				Secure:   m.config.Secure,
 				HttpOnly: true,

diff --git a/internal/server/authn/method/http_test.go b/internal/server/authn/method/http_test.go
@@ -0,0 +1,30 @@
+package method
+
+import (
+	"context"
+	"net/http/httptest"
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+)
+
+func TestForwardPrefix(t *testing.T) {
+	tests := []struct {
+		name     string
+		headers  map[string]string
+		expected []string
+	}{
+		{"forward", map[string]string{"X-Forwarded-Prefix": "/my-prefix"}, []string{"/my-prefix"}},
+		{"none", map[string]string{}, nil},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			req := httptest.NewRequest("GET", "http://example.com/foo", nil)
+			for k, v := range tt.headers {
+				req.Header.Add(k, v)
+			}
+			md := ForwardPrefix(context.Background(), req)
+			assert.Equal(t, tt.expected, md.Get(forwardedPrefixKey))
+		})
+	}
+}
diff --git a/internal/server/authn/method/oidc/testing/http.go b/internal/server/authn/method/oidc/testing/http.go
@@ -36,6 +36,7 @@ func StartHTTPServer(
 		mux            = gateway.NewGatewayServeMux(
 			logger,
 			runtime.WithMetadata(method.ForwardCookies),
+			runtime.WithMetadata(method.ForwardPrefix),
 			runtime.WithForwardResponseOption(oidcmiddleware.ForwardResponseOption),
 		)
 	)

diff --git a/ui/src/app/auth/Login.tsx b/ui/src/app/auth/Login.tsx
@@ -13,6 +13,7 @@ import logoFlag from '~/assets/logo-flag.png';
 import Loading from '~/components/Loading';
 import { NotificationProvider } from '~/components/NotificationProvider';
 import ErrorNotification from '~/components/notifications/ErrorNotification';
+import { authURL } from '~/data/api';
 import { useError } from '~/data/hooks/error';
 import { useSession } from '~/data/hooks/session';
 import { IAuthMethod } from '~/types/Auth';
@@ -26,7 +27,6 @@ interface ILoginProvider {
 interface IAuthDisplay {
   name: string;
   authorize_url: string;
-  callback_url: string;
   icon: IconDefinition;
 }
 
@@ -93,23 +93,17 @@ function InnerLoginButtons() {
         if (m.method === 'METHOD_GITHUB') {
           return {
             name: 'Github',
-            authorize_url: m.metadata.authorize_url,
-            callback_url: m.metadata.callback_url,
+            authorize_url: `${authURL}/method/github/authorize`,
             icon: faGithub
           };
         }
         if (m.method === 'METHOD_OIDC') {
-          return Object.entries(m.metadata.providers).map(([k, value]) => {
-            k = k.toLowerCase();
-            const v = value as {
-              authorize_url: string;
-              callback_url: string;
-            };
+          return Object.keys(m.metadata.providers).map((k) => {
+            const kl = k.toLowerCase();
             return {
-              name: knownProviders[k]?.displayName || upperFirst(k), // if we dont know the provider, just capitalize the first letter
-              authorize_url: v.authorize_url,
-              callback_url: v.callback_url,
-              icon: knownProviders[k]?.icon || faOpenid // if we dont know the provider icon, use the openid icon
+              name: knownProviders[kl]?.displayName || upperFirst(kl), // if we dont know the provider, just capitalize the first letter
+              authorize_url: `${authURL}/method/oidc/${k}/authorize`,
+              icon: knownProviders[kl]?.icon || faOpenid // if we dont know the provider icon, use the openid icon
             };
           });
         }

diff --git a/ui/src/components/header/UserProfile.tsx b/ui/src/components/header/UserProfile.tsx
@@ -21,7 +21,7 @@ export default function UserProfile(props: UserProfileProps) {
   let name: string | undefined;
   let login: string | undefined;
   let imgURL: string | undefined;
-  let logoutURL = '/';
+  let logoutURL = '';
 
   if (session) {
     const authMethods = ['github', 'oidc', 'jwt'];

diff --git a/ui/src/types/auth/Github.ts b/ui/src/types/auth/Github.ts
@@ -2,10 +2,7 @@ import { IAuth, IAuthMethod } from '~/types/Auth';
 
 export interface IAuthMethodGithub extends IAuthMethod {
   method: 'METHOD_GITHUB';
-  metadata: {
-    authorize_url: string;
-    callback_url: string;
-  };
+  metadata: {};
 }
 
 export interface IAuthMethodGithubMetadata {

diff --git a/ui/src/types/auth/JWT.ts b/ui/src/types/auth/JWT.ts
@@ -2,10 +2,7 @@ import { IAuth, IAuthMethod } from '~/types/Auth';
 
 export interface IAuthMethodJWT extends IAuthMethod {
   method: 'METHOD_JWT';
-  metadata: {
-    authorize_url: string;
-    callback_url: string;
-  };
+  metadata: {};
 }
 
 export interface IAuthMethodJWTMetadata {

diff --git a/ui/src/types/auth/OIDC.ts b/ui/src/types/auth/OIDC.ts
@@ -1,9 +1,6 @@
 import { IAuth, IAuthMethod } from '~/types/Auth';
 
-interface AuthMethodOIDCMetadataProvider {
-  authorize_url: string;
-  callback_url: string;
-}
+interface AuthMethodOIDCMetadataProvider {}
 
 export interface IAuthMethodOIDC extends IAuthMethod {
   method: 'METHOD_OIDC';