Merge pull request #1563 from oauth2-proxy/fix-profile-url

Ensure claim extractor does not attempt profile call when URL is empty
2025-01-10 04:18:14 +02:00 · 2022-02-19 15:37:18 +00:00 · 2022-02-19 15:37:18 +00:00 · 1578d90d0b
commit 1578d90d0b
parent 74e2f5069c 25ef843115
4 changed files with 20 additions and 2 deletions
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@ -9,6 +9,7 @@
 ## Changes since v7.2.1

 - [#1561](https://github.com/oauth2-proxy/oauth2-proxy/pull/1561) Add ppc64le support (@mgiessing)
+- [#1563](https://github.com/oauth2-proxy/oauth2-proxy/pull/1563) Ensure claim extractor does not attempt profile call when URL is empty (@JoelSpeed)
 - [#1560](https://github.com/oauth2-proxy/oauth2-proxy/pull/1560) Fix provider data initialisation (@JoelSpeed)
 - [#1555](https://github.com/oauth2-proxy/oauth2-proxy/pull/1555) Refactor provider configuration into providers package (@JoelSpeed)
 - [#1394](https://github.com/oauth2-proxy/oauth2-proxy/pull/1394) Add generic claim extractor to get claims from ID Tokens (@JoelSpeed)
--- a/go.mod
+++ b/go.mod
@ -61,7 +61,6 @@ require (
 	github.com/prometheus/common v0.15.0 // indirect
 	github.com/prometheus/procfs v0.2.0 // indirect
 	github.com/spf13/afero v1.1.2 // indirect
-	github.com/spf13/cast v1.3.0 // indirect
 	github.com/spf13/jwalterweatherman v1.0.0 // indirect
 	github.com/subosito/gotenv v1.2.0 // indirect
 	github.com/vmihailenco/tagparser v0.1.1 // indirect
--- a/pkg/providers/util/claim_extractor.go
+++ b/pkg/providers/util/claim_extractor.go
@ -86,7 +86,7 @@ func (c *claimExtractor) GetClaim(claim string) (interface{}, bool, error) {
 // loadProfileClaims will fetch the profileURL using the provided headers as
 // authentication.
 func (c *claimExtractor) loadProfileClaims() (*simplejson.Json, error) {
-	if c.profileURL == nil || c.requestHeaders == nil {
+	if c.profileURL == nil || c.profileURL.String() == "" || c.requestHeaders == nil {
 		// When no profileURL is set, we return a non-empty map so that
 		// we don't attempt to populate the profile claims again.
 		// If there are no headers, the request would be unauthorized so we also skip
--- a/pkg/providers/util/claim_extractor_test.go
+++ b/pkg/providers/util/claim_extractor_test.go
@ -259,6 +259,24 @@ var _ = Describe("Claim Extractor Suite", func() {
 		Expect(counter).To(BeEquivalentTo(1))
 	})

+	It("GetClaim should not return an error with a non-nil empty ProfileURL", func() {
+		claims, serverClose, err := newTestClaimExtractor(testClaimExtractorOpts{
+			idTokenPayload:        "{}",
+			profileRequestHeaders: newAuthorizedHeader(),
+		})
+		Expect(err).ToNot(HaveOccurred())
+		if serverClose != nil {
+			defer serverClose()
+		}
+		// Set the ProfileURL to be empty, but not nil
+		claims.(*claimExtractor).profileURL = &url.URL{}
+
+		value, exists, err := claims.GetClaim("user")
+		Expect(err).ToNot(HaveOccurred())
+		Expect(exists).To(BeFalse())
+		Expect(value).To(BeNil())
+	})
+
 	type getClaimIntoTableInput struct {
 		testClaimExtractorOpts
 		into          interface{}