SAML and OAuth2/OIDC AC with relative callback URLs #265

Merged
merged 4 commits into from
Aug 3, 2021

johakoch
Collaborator

No description provided.

eval/lib/saml.go (review thread: outdated, resolved)
@johakoch johakoch changed the title SAML/OIDC with relative URLs SAML / OAuth2 AC with relative URLs Jun 30, 2021
@johakoch
Collaborator Author

We want to be able to use relative URL references as callback URIs for SAML SSO and OAuth2 Authorization Code Flow:

  saml "SSO" {
    sp_acs_url = "/saml/acs"
    ...
  }

and

  beta_oauth2 "google" {
    redirect_uri = "/oidc/cb"
    ...
  }

The relative URL references are resolved against the current request URL origin (use the accept_forwarded_url setting or the equivalent run option or env var to change the origin according to X-Forwarded-* request headers).


Note: This only works if the URLs of both the endpoint where the URL creating function (saml_sso_url() / beta_oauth_authorization_url()) is used and of the callback endpoint share the same origin. So the following will not work because the ports are not the same:

server "a" {
  hosts = [ "*:8080" ]
  endpoint "/oidc/start" {
    ... "...beta_oauth_authorization_url("oidc")..." # redirect_uri is http://localhost:8080/oidc/cb
    ...
  }
}
server "b" {
  hosts = [ "*:9000" ]
  endpoint "/oidc/cb" {
    access_control = [ "oidc" ] # redirect_uri is http://localhost:9000/oidc/cb
    ...
  }
}
definitions {
  beta_oauth2 "oidc" {
    redirect_uri = "/oidc/cb"
    ...
  }
}
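
The same-origin constraint from the comment above, as an added Go example that is not the project's own code: it resolves a relative callback reference against the request origin and shows the two servers from the non-working configuration deriving different absolute URLs. The helper names (`requestOrigin`, `absoluteCallback`, `newReq`), the `acceptForwarded` flag standing in for accept_forwarded_url, and the choice of `X-Forwarded-Proto` / `X-Forwarded-Host` are assumptions; the sample requests are constructed.

```go
package main

import (
	"fmt"
	"net/http"
	"net/url"
)

// requestOrigin (hypothetical helper) returns scheme://host[:port] of the request.
// X-Forwarded-* is honoured only when acceptForwarded is set, which is safe only
// behind a proxy that overwrites these headers, since any client can send them.
func requestOrigin(r *http.Request, acceptForwarded bool) *url.URL {
	o := &url.URL{Scheme: "http", Host: r.Host}
	if r.TLS != nil {
		o.Scheme = "https"
	}
	if acceptForwarded {
		if p := r.Header.Get("X-Forwarded-Proto"); p != "" {
			o.Scheme = p
		}
		if h := r.Header.Get("X-Forwarded-Host"); h != "" {
			o.Host = h
		}
	}
	return o
}

// absoluteCallback resolves the configured callback reference (relative or
// absolute) against the origin of the current request.
func absoluteCallback(ref string, r *http.Request, acceptForwarded bool) (string, error) {
	u, err := url.Parse(ref)
	if err != nil {
		return "", err
	}
	return requestOrigin(r, acceptForwarded).ResolveReference(u).String(), nil
}

// newReq builds a constructed sample request addressed to host.
func newReq(host, path string) *http.Request {
	r, _ := http.NewRequest(http.MethodGet, "http://"+host+path, nil)
	return r
}

func main() {
	// Server "a" builds the authorization URL, server "b" handles the callback.
	a, _ := absoluteCallback("/oidc/cb", newReq("localhost:8080", "/oidc/start"), false)
	b, _ := absoluteCallback("/oidc/cb", newReq("localhost:9000", "/oidc/cb"), false)
	fmt.Println(a, b, "match:", a == b)
}
```
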

@johakoch johakoch changed the title SAML / OAuth2 AC with relative URLs SAML and OAuth2/OIDC AC with relative URLs Jul 30, 2021
@johakoch johakoch changed the title SAML and OAuth2/OIDC AC with relative URLs SAML and OAuth2/OIDC AC with relative callback URLs Jul 30, 2021
@johakoch johakoch marked this pull request as ready for review July 30, 2021 14:02
conf formatting
method rename
@malud malud merged commit 7e9ef89 into master Aug 3, 2021
@malud malud deleted the saml-oidc-relative-urls branch August 3, 2021 09:22