go/oauth2-proxy
1
0
Fork 0
mirror of https://github.com/oauth2-proxy/oauth2-proxy.git synced 2025-07-11 01:30:18 +02:00
Code Issues Releases Activity

Use ProfileURL for userinfo EnrichSession calls in Keycloak

Browse Source
This commit is contained in:
Nick Meves
2020-12-12 13:22:15 -08:00
parent 0886f8035c
commit 138a6b128a
2 changed files with 16 additions and 3 deletions
Download Patch File Download Diff File Expand all files Collapse all files

11
providers/keycloak.go
View File

@ -47,6 +47,7 @@ var (
} }
) )
// NewKeycloakProvider creates a KeyCloakProvider using the passed ProviderData
func NewKeycloakProvider(p *ProviderData) *KeycloakProvider { func NewKeycloakProvider(p *ProviderData) *KeycloakProvider {
p.setProviderDefaults(providerDefaults{ p.setProviderDefaults(providerDefaults{
name: keycloakProviderName, name: keycloakProviderName,
@ -59,8 +60,16 @@ func NewKeycloakProvider(p *ProviderData) *KeycloakProvider {
return &KeycloakProvider{ProviderData: p} return &KeycloakProvider{ProviderData: p}
} }
// EnrichSession uses the Keycloak userinfo endpoint to populate the session's
// email and groups.
func (p *KeycloakProvider) EnrichSession(ctx context.Context, s *sessions.SessionState) error { func (p *KeycloakProvider) EnrichSession(ctx context.Context, s *sessions.SessionState) error {
json, err := requests.New(p.ValidateURL.String()). // Fallback to ValidateURL if ProfileURL not set for legacy compatibility
userinfoURL := p.ValidateURL.String()
if p.ProfileURL != nil {
userinfoURL = p.ProfileURL.String()
}
json, err := requests.New(userinfoURL).
WithContext(ctx). WithContext(ctx).
SetHeader("Authorization", "Bearer "+s.AccessToken). SetHeader("Authorization", "Bearer "+s.AccessToken).
Do(). Do().

8
providers/keycloak_test.go
View File

@ -131,6 +131,10 @@ var _ = Describe("Keycloak Provider Tests", func() {
Scheme: "https", Scheme: "https",
Host: "example.com", Host: "example.com",
Path: "/oauth/token"}, Path: "/oauth/token"},
ProfileURL: &url.URL{
Scheme: "https",
Host: "example.com",
Path: "/api/v3/user"},
ValidateURL: &url.URL{ ValidateURL: &url.URL{
Scheme: "https", Scheme: "https",
Host: "example.com", Host: "example.com",
@ -141,7 +145,7 @@ var _ = Describe("Keycloak Provider Tests", func() {
Expect(providerData.ProviderName).To(Equal("Keycloak")) Expect(providerData.ProviderName).To(Equal("Keycloak"))
Expect(providerData.LoginURL.String()).To(Equal("https://example.com/oauth/auth")) Expect(providerData.LoginURL.String()).To(Equal("https://example.com/oauth/auth"))
Expect(providerData.RedeemURL.String()).To(Equal("https://example.com/oauth/token")) Expect(providerData.RedeemURL.String()).To(Equal("https://example.com/oauth/token"))
Expect(providerData.ProfileURL.String()).To(Equal("")) Expect(providerData.ProfileURL.String()).To(Equal("https://example.com/api/v3/user"))
Expect(providerData.ValidateURL.String()).To(Equal("https://example.com/api/v3/user")) Expect(providerData.ValidateURL.String()).To(Equal("https://example.com/api/v3/user"))
Expect(providerData.Scope).To(Equal("profile")) Expect(providerData.Scope).To(Equal("profile"))
}) })
@ -174,7 +178,7 @@ var _ = Describe("Keycloak Provider Tests", func() {
DescribeTable("should return expected results", DescribeTable("should return expected results",
func(in enrichSessionTableInput) { func(in enrichSessionTableInput) {
var err error var err error
p.ValidateURL, err = url.Parse( p.ProfileURL, err = url.Parse(
fmt.Sprintf("%s%s?testcase=%s", b.URL, keycloakUserinfoPath, in.testcase), fmt.Sprintf("%s%s?testcase=%s", b.URL, keycloakUserinfoPath, in.testcase),
) )
Expect(err).To(BeNil()) Expect(err).To(BeNil())