fix OIDC middleware not working with Authentik

2025-06-01 09:32:35 +02:00 · 2025-01-14 12:59:48 +08:00 · 2025-01-14 12:59:48 +08:00 · 7a7c4be9fa
commit 7a7c4be9fa
parent b359543434
2 changed files with 12 additions and 7 deletions
--- a/internal/api/v1/auth/oidc.go
+++ b/internal/api/v1/auth/oidc.go
@ -76,9 +76,6 @@ func (auth *OIDCProvider) TokenCookieName() string {

 func (auth *OIDCProvider) SetIsMiddleware(enabled bool) {
 	auth.isMiddleware = enabled
-	if auth.isMiddleware {
-		auth.oauthConfig.RedirectURL = OIDCMiddlewareCallbackPath
-	}
 }

 func (auth *OIDCProvider) SetAllowedUsers(users []string) {
@ -152,13 +149,22 @@ func (auth *OIDCProvider) RedirectLoginPage(w http.ResponseWriter, r *http.Reque
 			return
 		}
 		q := u.Query()
-		q.Set("redirect_uri", "https://"+r.Host+q.Get("redirect_uri"))
+		q.Set("redirect_uri", "https://"+r.Host+OIDCMiddlewareCallbackPath+q.Get("redirect_uri"))
 		u.RawQuery = q.Encode()
 		redirURL = u.String()
 	}
 	http.Redirect(w, r, redirURL, http.StatusTemporaryRedirect)
 }

+func (auth *OIDCProvider) exchange(r *http.Request) (*oauth2.Token, error) {
+	if auth.isMiddleware {
+		cfg := *auth.oauthConfig
+		cfg.RedirectURL = "https://" + r.Host + OIDCMiddlewareCallbackPath
+		return cfg.Exchange(r.Context(), r.URL.Query().Get("code"))
+	}
+	return auth.oauthConfig.Exchange(r.Context(), r.URL.Query().Get("code"))
+}
+
 // OIDCCallbackHandler handles the OIDC callback.
 func (auth *OIDCProvider) LoginCallbackHandler(w http.ResponseWriter, r *http.Request) {
 	// For testing purposes, skip provider verification
@ -179,8 +185,7 @@ func (auth *OIDCProvider) LoginCallbackHandler(w http.ResponseWriter, r *http.Re
 		return
 	}

-	code := query.Get("code")
-	oauth2Token, err := auth.oauthConfig.Exchange(r.Context(), code)
+	oauth2Token, err := auth.exchange(r)
 	if err != nil {
 		U.HandleErr(w, r, fmt.Errorf("failed to exchange token: %w", err), http.StatusInternalServerError)
 		return
--- a/internal/net/http/middleware/oidc.go
+++ b/internal/net/http/middleware/oidc.go
@ -19,7 +19,7 @@ var OIDC = NewMiddleware[oidcMiddleware]()

 func (amw *oidcMiddleware) finalize() error {
 	if !auth.IsOIDCEnabled() {
-		return E.New("OIDC not enabled but Auth middleware is used")
+		return E.New("OIDC not enabled but ODIC middleware is used")
 	}
 	authProvider, err := auth.NewOIDCProviderFromEnv()
 	if err != nil {