
Commit a4dcc52

Use AUTHGEAR_ENDPOINT as Host, AUTHGEAR_ENDPOINT_INTERNAL for connection
1. For simplicity, we no longer fetch the discovery document, but fetch the JWKs directly. 2. Improve compatibility by using AUTHGEAR_ENDPOINT as the Host header and AUTHGEAR_ENDPOINT_INTERNAL for the connection. 3. Remove the dependency on oauthrelyingpartyutil, as this logic is uncommon in that package. Instead, the hack is done in pkg/portal/session.
1 parent 4f47a8e commit a4dcc52


4 files changed

+22
-76
lines changed


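--- a/.vettedpositions
+++ b/.vettedpositions
@@ -317,8 +317,8 @@
 /pkg/lib/session/test/context.go:85:35: requestcontext
 /pkg/lib/workflow/intl_middleware.go:16:41: requestcontext
 /pkg/portal/csp_middleware.go:16:39: requestcontext
-/pkg/portal/session/middleware_session_info.go:54:9: requestcontext
-/pkg/portal/session/middleware_session_info.go:184:36: requestcontext
+/pkg/portal/session/middleware_session_info.go:52:9: requestcontext
+/pkg/portal/session/middleware_session_info.go:193:36: requestcontext
 /pkg/portal/session/middleware_session_required.go:12:38: requestcontext
 /pkg/portal/transport/admin_api_handler.go:39:9: requestcontext
 /pkg/portal/transport/graphql_handler.go:41:29: requestcontext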

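--- a/pkg/lib/oauthrelyingparty/oauthrelyingpartyutil/oidc.go
+++ b/pkg/lib/oauthrelyingparty/oauthrelyingpartyutil/oidc.go
@@ -7,7 +7,6 @@ import (
 	"fmt"
 	"net/http"
 	"net/url"
-	"strings"
 	"time"
 
 	"github.com/lestrrat-go/jwx/v2/jwk"
@@ -64,25 +63,6 @@ func FetchOIDCDiscoveryDocument(ctx context.Context, client *http.Client, endpoi
 	return &document, nil
 }
 
-func (d *OIDCDiscoveryDocument) WithRewrittenEndpoints(original string, replacement string) *OIDCDiscoveryDocument {
-	cloned := *d
-
-	if strings.Contains(cloned.AuthorizationEndpoint, original) {
-		cloned.AuthorizationEndpoint = strings.ReplaceAll(cloned.AuthorizationEndpoint, original, replacement)
-	}
-	if strings.Contains(cloned.TokenEndpoint, original) {
-		cloned.TokenEndpoint = strings.ReplaceAll(cloned.TokenEndpoint, original, replacement)
-	}
-	if strings.Contains(cloned.UserInfoEndpoint, original) {
-		cloned.UserInfoEndpoint = strings.ReplaceAll(cloned.UserInfoEndpoint, original, replacement)
-	}
-	if strings.Contains(cloned.JWKSUri, original) {
-		cloned.JWKSUri = strings.ReplaceAll(cloned.JWKSUri, original, replacement)
-	}
-
-	return &cloned
-}
-
 func (d *OIDCDiscoveryDocument) MakeOAuthURL(params AuthorizationURLParams) string {
 	return MakeAuthorizationURL(d.AuthorizationEndpoint, params.Query())
 }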

pkg/lib/oauthrelyingparty/oauthrelyingpartyutil/oidc_test.go

Lines changed: 0 additions & 43 deletions
This file was deleted.

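--- a/pkg/portal/session/middleware_session_info.go
+++ b/pkg/portal/session/middleware_session_info.go
@@ -12,15 +12,13 @@ import (
 	"github.com/patrickmn/go-cache"
 
 	"github.com/authgear/authgear-server/pkg/api/model"
-	"github.com/authgear/authgear-server/pkg/lib/oauthrelyingparty/oauthrelyingpartyutil"
 	portalconfig "github.com/authgear/authgear-server/pkg/portal/config"
 	"github.com/authgear/authgear-server/pkg/util/clock"
 	"github.com/authgear/authgear-server/pkg/util/duration"
 )
 
 var simpleCache = cache.New(5*time.Minute, 10*time.Minute)
 
-const cacheKeyOpenIDConfiguration = "openid-configuration"
 const cacheKeyJWKs = "jwks"
 
 type jwtClock struct {
@@ -146,27 +144,38 @@ func (m *SessionInfoMiddleware) getJWKs(ctx context.Context) (jwk.Set, error) {
 		return jwkIface.(jwk.Set), nil
 	}
 
-	endpointStr := m.AuthgearConfig.Endpoint
+	parsedEndpoint, err := url.Parse(m.AuthgearConfig.Endpoint)
+	if err != nil {
+		return nil, err
+	}
+
+	// HTTP Host header includes port, so we use .Host
+	httpHostHeader := parsedEndpoint.Host
+
+	connectionEndpoint := parsedEndpoint.String()
 	if m.AuthgearConfig.EndpointInternal != "" {
-		endpointStr = m.AuthgearConfig.EndpointInternal
+		connectionEndpoint = m.AuthgearConfig.EndpointInternal
 	}
 
-	endpoint, err := url.JoinPath(endpointStr, "/.well-known/openid-configuration")
+	jwksURI, err := url.JoinPath(connectionEndpoint, "/oauth2/jwks")
 	if err != nil {
 		return nil, err
 	}
 
-	oidcDiscoveryDocument, err := oauthrelyingpartyutil.FetchOIDCDiscoveryDocument(ctx, m.HTTPClient.Client, endpoint)
+	req, err := http.NewRequestWithContext(ctx, "GET", jwksURI, nil)
 	if err != nil {
 		return nil, err
 	}
-	if m.AuthgearConfig.EndpointInternal != "" {
-		oidcDiscoveryDocument = oidcDiscoveryDocument.WithRewrittenEndpoints(m.AuthgearConfig.Endpoint, m.AuthgearConfig.EndpointInternal)
-	}
+	// This is the most important line.
+	req.Host = httpHostHeader
 
-	simpleCache.Set(cacheKeyOpenIDConfiguration, oidcDiscoveryDocument, 0)
+	resp, err := m.HTTPClient.Do(req)
+	if err != nil {
+		return nil, err
+	}
+	defer resp.Body.Close()
 
-	jwkSet, err := oidcDiscoveryDocument.FetchJWKs(ctx, m.HTTPClient.Client)
+	jwkSet, err := jwk.ParseReader(resp.Body)
 	if err != nil {
 		return nil, err
 	}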
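Review bot: `jwk.ParseReader(resp.Body)` runs without checking `resp.StatusCode`, so a 4xx/5xx from the internal endpoint (or a proxy error page in front of it) surfaces only as an opaque JSON parse error, and a non-200 body that happens to be valid JWKS JSON would be accepted as the key set. Add, right after `defer resp.Body.Close()`: `if resp.StatusCode != http.StatusOK { return nil, fmt.Errorf("fetch jwks from %s: unexpected status %d", jwksURI, resp.StatusCode) }` (importing `fmt` if this file does not already). Wrapping the body in `io.LimitReader` before parsing is cheap insurance too, since this is network input parsed on every cache miss. The comment `// This is the most important line.` explains nothing about why the Host is overridden; I'd replace it with the reason from the commit message, e.g. `// Connect via AUTHGEAR_ENDPOINT_INTERNAL but send the public AUTHGEAR_ENDPOINT host, presumably so the Authgear server routes the request as it would a public one.` getJWKs continues past the end of the hunk, so where the parsed set is stored under cacheKeyJWKs is not visible here.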
