Make redirect url configurable (#50)

mbilski · web-flow · commit 2c19376f6f3e · 2023-03-21T13:30:58.000+01:00
diff --git a/README.md b/README.md
@@ -80,6 +80,7 @@ The available flags are:
       --par                         enable pushed authorization requests (PAR)
       --password string             resource owner password credentials grant flow password
       --pkce                        enable proof key for code exchange (PKCE)
+      --redirect-url string         client redirect url (default "http://localhost:9876/callback")
       --refresh-token string        refresh token
       --request-object              pass request parameters as jwt
       --response-mode string        response mode
diff --git a/cmd/oauth2.go b/cmd/oauth2.go
@@ -18,10 +18,6 @@ import (
 	"github.com/spf13/cobra"
 )
 
-const (
-	addr = "localhost:9876"
-)
-
 var (
 	silent bool
 )
@@ -45,6 +41,7 @@ func NewOAuth2Cmd() (cmd *OAuth2Cmd) {
 
 	cmd.AddCommand(versionCmd)
 
+	cmd.PersistentFlags().StringVar(&cconfig.RedirectURL, "redirect-url", "http://localhost:9876/callback", "client redirect url")
 	cmd.PersistentFlags().StringVar(&cconfig.ClientID, "client-id", "", "client identifier")
 	cmd.PersistentFlags().StringVar(&cconfig.ClientSecret, "client-secret", "", "client secret")
 	cmd.PersistentFlags().StringVar(&cconfig.GrantType, "grant-type", "", "grant type")
diff --git a/cmd/oauth2_authorize_code.go b/cmd/oauth2_authorize_code.go
@@ -25,7 +25,7 @@ func (c *OAuth2Cmd) AuthorizationCodeGrantFlow(clientConfig oauth2.ClientConfig,
 	if clientConfig.PAR {
 		LogSection("Request PAR")
 
-		if parRequest, parResponse, authorizeRequest, codeVerifier, err = oauth2.RequestPAR(context.Background(), addr, clientConfig, serverConfig, hc); err != nil {
+		if parRequest, parResponse, authorizeRequest, codeVerifier, err = oauth2.RequestPAR(context.Background(), clientConfig, serverConfig, hc); err != nil {
 			LogRequestAndResponseln(parRequest, err)
 			return err
 		}
@@ -41,7 +41,7 @@ func (c *OAuth2Cmd) AuthorizationCodeGrantFlow(clientConfig oauth2.ClientConfig,
 	} else {
 		LogSection("Request authorization")
 
-		if authorizeRequest, codeVerifier, err = oauth2.RequestAuthorization(addr, clientConfig, serverConfig, hc); err != nil {
+		if authorizeRequest, codeVerifier, err = oauth2.RequestAuthorization(clientConfig, serverConfig, hc); err != nil {
 			return err
 		}
 
@@ -65,7 +65,7 @@ func (c *OAuth2Cmd) AuthorizationCodeGrantFlow(clientConfig oauth2.ClientConfig,
 	// callback
 	callbackStatus := LogAction("Waiting for callback. Go to the browser to authenticate...")
 
-	if callbackRequest, err = oauth2.WaitForCallback(clientConfig, serverConfig, addr, hc); err != nil {
+	if callbackRequest, err = oauth2.WaitForCallback(clientConfig, serverConfig, hc); err != nil {
 		LogRequestln(callbackRequest)
 		return err
 	}
@@ -87,7 +87,7 @@ func (c *OAuth2Cmd) AuthorizationCodeGrantFlow(clientConfig oauth2.ClientConfig,
 		serverConfig,
 		hc,
 		oauth2.WithAuthorizationCode(callbackRequest.Get("code")),
-		oauth2.WithRedirectURL("http://"+addr+"/callback"),
+		oauth2.WithRedirectURL(clientConfig.RedirectURL),
 		oauth2.WithCodeVerifier(codeVerifier),
 	); err != nil {
 		LogRequestAndResponseln(tokenRequest, err)
diff --git a/cmd/oauth2_implicit.go b/cmd/oauth2_implicit.go
@@ -19,7 +19,7 @@ func (c *OAuth2Cmd) ImplicitGrantFlow(clientConfig oauth2.ClientConfig, serverCo
 	// authorize endpoint
 	LogSection("Request authorization")
 
-	if authorizeRequest, _, err = oauth2.RequestAuthorization(addr, clientConfig, serverConfig, hc); err != nil {
+	if authorizeRequest, _, err = oauth2.RequestAuthorization(clientConfig, serverConfig, hc); err != nil {
 		return err
 	}
 
@@ -36,7 +36,7 @@ func (c *OAuth2Cmd) ImplicitGrantFlow(clientConfig oauth2.ClientConfig, serverCo
 	// callback
 	callbackStatus := LogAction("Waiting for callback. Go to the browser to authenticate...")
 
-	if callbackRequest, err = oauth2.WaitForCallback(clientConfig, serverConfig, addr, hc); err != nil {
+	if callbackRequest, err = oauth2.WaitForCallback(clientConfig, serverConfig, hc); err != nil {
 		LogRequestln(callbackRequest)
 		return err
 	}
diff --git a/internal/oauth2/oauth2.go b/internal/oauth2/oauth2.go
@@ -55,6 +55,7 @@ var CodeChallengeEncoder = base64.RawURLEncoding
 
 type ClientConfig struct {
 	IssuerURL              string
+	RedirectURL            string
 	GrantType              string
 	ClientID               string
 	ClientSecret           string
@@ -85,12 +86,12 @@ type ClientConfig struct {
 	TLSRootCA              string
 }
 
-func RequestAuthorization(addr string, cconfig ClientConfig, sconfig ServerConfig, hc *http.Client) (r Request, codeVerifier string, err error) {
+func RequestAuthorization(cconfig ClientConfig, sconfig ServerConfig, hc *http.Client) (r Request, codeVerifier string, err error) {
 	if r.URL, err = url.Parse(sconfig.AuthorizationEndpoint); err != nil {
 		return r, "", errors.Wrapf(err, "failed to parse authorization endpoint")
 	}
 
-	if codeVerifier, err = r.AuthorizeRequest(addr, cconfig, sconfig, hc); err != nil {
+	if codeVerifier, err = r.AuthorizeRequest(cconfig, sconfig, hc); err != nil {
 		return r, "", errors.Wrapf(err, "failed to create authorization request")
 	}
 
@@ -108,7 +109,6 @@ type PARResponse struct {
 
 func RequestPAR(
 	ctx context.Context,
-	addr string,
 	cconfig ClientConfig,
 	sconfig ServerConfig,
 	hc *http.Client,
@@ -120,7 +120,7 @@ func RequestPAR(
 	)
 
 	// push authorization request to /par
-	if codeVerifier, err = parRequest.AuthorizeRequest(addr, cconfig, sconfig, hc); err != nil {
+	if codeVerifier, err = parRequest.AuthorizeRequest(cconfig, sconfig, hc); err != nil {
 		return parRequest, parResponse, authorizeRequest, "", errors.Wrapf(err, "failed to create authorization request")
 	}
 
@@ -183,14 +183,19 @@ func RequestPAR(
 	return parRequest, parResponse, authorizeRequest, codeVerifier, nil
 }
 
-func WaitForCallback(clientConfig ClientConfig, serverConfig ServerConfig, addr string, hc *http.Client) (request Request, err error) {
+func WaitForCallback(clientConfig ClientConfig, serverConfig ServerConfig, hc *http.Client) (request Request, err error) {
 	var (
-		srv           = http.Server{Addr: addr}
+		srv           = http.Server{}
+		redirectURL   *url.URL
 		signingKey    jose.JSONWebKey
 		encryptionKey jose.JSONWebKey
 		done          = make(chan struct{})
 	)
 
+	if redirectURL, err = url.Parse(clientConfig.RedirectURL); err != nil {
+		return request, errors.Wrapf(err, "failed to parse redirect url: %s", clientConfig.RedirectURL)
+	}
+
 	if signingKey, err = ReadKey(SigningKey, serverConfig.JWKsURI, hc); err != nil {
 		return request, errors.Wrapf(err, "failed to read signing key from %s", serverConfig.JWKsURI)
 	}
@@ -201,7 +206,9 @@ func WaitForCallback(clientConfig ClientConfig, serverConfig ServerConfig, addr
 		}
 	}
 
-	http.HandleFunc("/callback", func(w http.ResponseWriter, r *http.Request) {
+	srv.Addr = redirectURL.Host
+
+	http.HandleFunc(redirectURL.Path, func(w http.ResponseWriter, r *http.Request) {
 		defer func() {
 			time.AfterFunc(time.Second, func() {
 				if err := srv.Shutdown(context.Background()); err != nil {
diff --git a/internal/oauth2/request.go b/internal/oauth2/request.go
@@ -26,14 +26,13 @@ type Request struct {
 }
 
 func (r *Request) AuthorizeRequest(
-	addr string,
 	cconfig ClientConfig,
 	sconfig ServerConfig,
 	hc *http.Client,
 ) (codeVerifier string, err error) {
 	r.Form = url.Values{
 		"client_id":    {cconfig.ClientID},
-		"redirect_uri": {"http://" + addr + "/callback"},
+		"redirect_uri": {cconfig.RedirectURL},
 		"state":        {shortuuid.New()},
 		"nonce":        {shortuuid.New()},
 	}

Original file line number	Diff line number	Diff line change
`@@ -19,7 +19,7 @@ func (c *OAuth2Cmd) ImplicitGrantFlow(clientConfig oauth2.ClientConfig, serverCo`
`19`	`19`	`// authorize endpoint`
`20`	`20`	`LogSection("Request authorization")`
`21`	`21`
`22`		`- if authorizeRequest, _, err = oauth2.RequestAuthorization(addr, clientConfig, serverConfig, hc); err != nil {`
	`22`	`+ if authorizeRequest, _, err = oauth2.RequestAuthorization(clientConfig, serverConfig, hc); err != nil {`
`23`	`23`	`return err`
`24`	`24`	`}`
`25`	`25`
`@@ -36,7 +36,7 @@ func (c *OAuth2Cmd) ImplicitGrantFlow(clientConfig oauth2.ClientConfig, serverCo`
`36`	`36`	`// callback`
`37`	`37`	`callbackStatus := LogAction("Waiting for callback. Go to the browser to authenticate...")`
`38`	`38`
`39`		`- if callbackRequest, err = oauth2.WaitForCallback(clientConfig, serverConfig, addr, hc); err != nil {`
	`39`	`+ if callbackRequest, err = oauth2.WaitForCallback(clientConfig, serverConfig, hc); err != nil {`
`40`	`40`	`LogRequestln(callbackRequest)`
`41`	`41`	`return err`
`42`	`42`	`}`