
providers/proxy: fix handling of AUTHENTIK_HOST_BROWSER #11722

Merged

Conversation

chrootlogin
Contributor

@chrootlogin chrootlogin commented Oct 18, 2024

Details

This PR fixes the incorrect handling of the AUTHENTIK_HOST_BROWSER environment variable. When this variable is set, the OIDC issuer is now also adjusted to prevent the error: “oidc: id token issued by a different provider”.

This change is necessary because Authentik, as the OIDC issuer, uses the public browser URL for token issuance, but within environments like Kubernetes, the internal cluster URL is typically used. Therefore, the token must be validated against the public URL, not the internal one.

Rationale

The current behavior leads to mismatched issuer validation when tokens are issued by the public URL but verified using the internal URL. This PR addresses this by ensuring the issuer is correctly set based on the AUTHENTIK_HOST_BROWSER value.

Linked Issues

Closes #9622, #4688, #6476.


Checklist

  • Local tests pass (ak test authentik/)
  • The code has been formatted (make lint-fix)

If an API change has been made

  • The API schema has been updated (make gen-build)

If changes to the frontend have been made

  • The code has been formatted (make web)

If applicable

  • The documentation has been updated
  • The documentation has been formatted (make website)

@chrootlogin chrootlogin requested a review from a team as a code owner October 18, 2024 10:36

netlify bot commented Oct 18, 2024

Deploy Preview for authentik-docs ready!

Latest commit: 1c474a2
Latest deploy log: https://app.netlify.com/sites/authentik-docs/deploys/67192bf8dd4b3c0008740e67
Deploy Preview: https://deploy-preview-11722--authentik-docs.netlify.app


netlify bot commented Oct 18, 2024

Deploy Preview for authentik-storybook ready!

Latest commit: 1c474a2
Latest deploy log: https://app.netlify.com/sites/authentik-storybook/deploys/67192bf7f21c410008aedcf9
Deploy Preview: https://deploy-preview-11722--authentik-storybook.netlify.app

@BeryJu BeryJu changed the title providers/proxy: fix handling of AUTHENTIK_HOST_BROWSER (#9622/#4688/#6476) providers/proxy: fix handling of AUTHENTIK_HOST_BROWSER Oct 18, 2024

codecov bot commented Oct 18, 2024

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 92.56%. Comparing base (b57df12) to head (1c474a2).
Report is 55 commits behind head on main.

Additional details and impacted files
@@            Coverage Diff             @@
##             main   #11722      +/-   ##
==========================================
- Coverage   92.70%   92.56%   -0.15%     
==========================================
  Files         739      760      +21     
  Lines       36747    37714     +967     
==========================================
+ Hits        34067    34909     +842     
- Misses       2680     2805     +125     
Flag         Coverage   Δ
e2e          49.16%     -0.16%
integration  24.93%     -0.03%
unit         90.13%     -0.10%


@BeryJu BeryJu added this to the Release 2024.8.4 milestone Oct 18, 2024
@BeryJu
Member

BeryJu commented Oct 23, 2024

Thanks for the PR @chrootlogin! Could you update the tests with this new logic?

@chrootlogin
Contributor Author

Yes, I will take a look into it!

@BeryJu BeryJu merged commit f482937 into goauthentik:main Oct 24, 2024
65 checks passed
@chrootlogin chrootlogin deleted the bugfix/9622-fix-hostBrowser-handling branch October 24, 2024 15:24
kensternberg-authentik added a commit that referenced this pull request Oct 29, 2024
* main: (22 commits)
  lifecycle: fix missing krb5 deps for full testing in image (#11815)
  translate: Updates for file web/xliff/en.xlf in zh-Hans (#11810)
  translate: Updates for file locale/en/LC_MESSAGES/django.po in zh-Hans (#11809)
  translate: Updates for file locale/en/LC_MESSAGES/django.po in zh_CN (#11808)
  web: bump API Client version (#11807)
  core: bump goauthentik.io/api/v3 from 3.2024083.12 to 3.2024083.13 (#11806)
  core: bump ruff from 0.7.0 to 0.7.1 (#11805)
  core: bump twilio from 9.3.4 to 9.3.5 (#11804)
  core, web: update translations (#11803)
  providers/scim: handle no members in group in consistency check (#11801)
  stages/identification: add captcha to identification stage (#11711)
  website/docs: improve root page and redirect (#11798)
  providers/scim: clamp batch size for patch requests (#11797)
  web/admin: fix missing div in wizard forms (#11794)
  providers/proxy: fix handling of AUTHENTIK_HOST_BROWSER (#11722)
  core, web: update translations (#11789)
  core: bump goauthentik.io/api/v3 from 3.2024083.11 to 3.2024083.12 (#11790)
  core: bump gssapi from 1.8.3 to 1.9.0 (#11791)
  web: bump API Client version (#11792)
  stages/authenticator_validate: autoselect last used 2fa device (#11087)
  ...
Successfully merging this pull request may close these issues.

ID token issued by a different provider - Error 404
2 participants