sinjuginas/oauth2-proxy
1
0
Fork 0
Code Issues Pull Requests Actions 2 Packages Projects Releases Wiki Activity

Merge pull request #1045 from oauth2-proxy/fix-missing-redirect-scheme

Browse Source 
Ensure redirect URI always has a scheme
This commit is contained in:
Joel Speed 2021-03-14 16:06:07 +00:00 committed by GitHub
commit 20cf033065
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
3 changed files with 12 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
CHANGELOG.md
View File

@ -8,6 +8,7 @@
## Changes since v7.0.1
- [#1045](https://github.com/oauth2-proxy/oauth2-proxy/pull/1045) Ensure redirect URI always has a scheme (@JoelSpeed)
- [#914](https://github.com/oauth2-proxy/oauth2-proxy/pull/914) Extract email from id_token for azure provider when oidc is configured
- [#1047](https://github.com/oauth2-proxy/oauth2-proxy/pull/1047) Refactor HTTP Server and add ServerGroup to handle graceful shutdown of multiple servers (@JoelSpeed)
- [#1070](https://github.com/oauth2-proxy/oauth2-proxy/pull/1070) Refactor logging middleware to middleware package (@NickMeves)

6
oauthproxy.go
View File

@ -35,6 +35,7 @@ import (
)
const (
schemeHTTP = "http"
schemeHTTPS = "https"
applicationJSON = "application/json"
)
@ -971,6 +972,11 @@ func (p *OAuthProxy) getOAuthRedirectURI(req *http.Request) string {
rd.Host = requestutil.GetRequestHost(req)
rd.Scheme = requestutil.GetRequestProto(req)
// If there's no scheme in the request, we should still include one
if rd.Scheme == "" {
rd.Scheme = schemeHTTP
}
// If CookieSecure is true, return `https` no matter what
// Not all reverse proxies set X-Forwarded-Proto
if p.CookieSecure {

8
pkg/validation/options.go
View File

@ -30,6 +30,8 @@ func Validate(o *options.Options) error {
msgs = append(msgs, validateRedisSessionStore(o)...)
msgs = append(msgs, prefixValues("injectRequestHeaders: ", validateHeaders(o.InjectRequestHeaders)...)...)
msgs = append(msgs, prefixValues("injectResponseHeaders: ", validateHeaders(o.InjectResponseHeaders)...)...)
msgs = parseSignatureKey(o, msgs)
msgs = configureLogger(o.Logging, msgs)
if o.SSLInsecureSkipVerify {
// InsecureSkipVerify is a configurable option we allow
@ -175,6 +177,9 @@ func Validate(o *options.Options) error {
var redirectURL *url.URL
redirectURL, msgs = parseURL(o.RawRedirectURL, "redirect", msgs)
o.SetRedirectURL(redirectURL)
if o.RawRedirectURL == "" && !o.Cookie.Secure && !o.ReverseProxy {
logger.Print("WARNING: no explicit redirect URL: redirects will default to insecure HTTP")
}
msgs = append(msgs, validateUpstreams(o.UpstreamServers)...)
msgs = parseProviderInfo(o, msgs)
@ -191,9 +196,6 @@ func Validate(o *options.Options) error {
}
}
msgs = parseSignatureKey(o, msgs)
msgs = configureLogger(o.Logging, msgs)
if o.ReverseProxy {
parser, err := ip.GetRealClientIPParser(o.RealClientIPHeader)
if err != nil {