From ce53663a8853cc00d0da8c56ade77bfb522e335e Mon Sep 17 00:00:00 2001
From: kolaente
Date: Sun, 28 Jan 2024 12:41:35 +0100
Subject: [PATCH] fix(openid): use the calculated redirect url when authenticating with openid providers
---
 config.yml.sample | 9 +++------
 pkg/config/config.go | 11 +++--------
 pkg/modules/auth/openid/openid.go | 7 +++++--
 pkg/modules/auth/openid/providers.go | 1 -
 pkg/routes/api/v1/info.go | 8 +++-----
 5 files changed, 14 insertions(+), 22 deletions(-)
diff --git a/config.yml.sample b/config.yml.sample
index 578f349e8..e155e5da2 100644
--- a/config.yml.sample
+++ b/config.yml.sample
@@ -292,17 +292,14 @@ auth:
 # **Note:** Some openid providers (like gitlab) only make the email of the user available through openid claims if they have set it to be publicly visible.
 # If the email is not public in those cases, authenticating will fail.
 # **Note 2:** The frontend expects to be redirected after authentication by the third party
- # to /auth/openid/. Please make sure to configure the redirect url with your third party
+ # to /auth/openid/. Please make sure to configure the redirect url in your third party
 # auth service accordingly if you're using the default vikunja frontend.
+ # The frontend will automatically provide the api with the redirect url, composed from the current url where it's hosted.
+ # If you want to use the desktop client with openid, make sure to allow redirects to `127.0.0.1`.
 # Take a look at the [default config file](https://kolaente.dev/vikunja/api/src/branch/main/config.yml.sample) for more information about how to configure openid authentication.
 openid:
 # Enable or disable OpenID Connect authentication
 enabled: false
- # The url to redirect clients to. Defaults to the configured frontend url. If you're using Vikunja with the official
- # frontend, you don't need to change this value.
- # **Note:** The redirect url must exactly match the configured redirect url with the third party provider.
- # This includes all slashes at the end or protocols.
- redirecturl:
 # A list of enabled providers
 providers:
 # The name of the provider as it will appear in the frontend.
diff --git a/pkg/config/config.go b/pkg/config/config.go
index 467e43864..f345869a6 100644
--- a/pkg/config/config.go
+++ b/pkg/config/config.go
@@ -65,10 +65,9 @@ const (
 ServiceEnableUserDeletion Key = `service.enableuserdeletion`
 ServiceMaxAvatarSize Key = `service.maxavatarsize`
 
- AuthLocalEnabled Key = `auth.local.enabled`
- AuthOpenIDEnabled Key = `auth.openid.enabled`
- AuthOpenIDRedirectURL Key = `auth.openid.redirecturl`
- AuthOpenIDProviders Key = `auth.openid.providers`
+ AuthLocalEnabled Key = `auth.local.enabled`
+ AuthOpenIDEnabled Key = `auth.openid.enabled`
+ AuthOpenIDProviders Key = `auth.openid.providers`
 
 LegalImprintURL Key = `legal.imprinturl`
 LegalPrivacyURL Key = `legal.privacyurl`
@@ -451,10 +450,6 @@ func InitConfig() {
 ServiceFrontendurl.Set(ServiceFrontendurl.GetString() + "/")
 }
 
- if AuthOpenIDRedirectURL.GetString() == "" {
- AuthOpenIDRedirectURL.Set(ServiceFrontendurl.GetString() + "auth/openid/")
- }
-
 if MigrationTodoistRedirectURL.GetString() == "" {
 MigrationTodoistRedirectURL.Set(ServiceFrontendurl.GetString() + "migrate/todoist")
 }
diff --git a/pkg/modules/auth/openid/openid.go b/pkg/modules/auth/openid/openid.go
index c7facabbd..91e077c5d 100644
--- a/pkg/modules/auth/openid/openid.go
+++ b/pkg/modules/auth/openid/openid.go
@@ -40,8 +40,9 @@ import (
 
 // Callback contains the callback after an auth request was made and redirected
 type Callback struct {
- Code string `query:"code" json:"code"`
- Scope string `query:"scop" json:"scope"`
+ Code string `query:"code" json:"code"`
+ Scope string `query:"scop" json:"scope"`
+ RedirectUrl string `json:"redirect_url"`
 }
 
 // Provider is the structure of an OpenID Connect provider
@@ -103,6 +104,8 @@ func HandleCallback(c echo.Context) error {
 return c.JSON(http.StatusBadRequest, models.Message{Message: "Provider does not exist"})
 }
 
+ provider.Oauth2Config.RedirectURL = cb.RedirectUrl
+
 // Parse the access & ID token
 oauth2Token, err := provider.Oauth2Config.Exchange(context.Background(), cb.Code)
 if err != nil {
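Review bot: Dropping the `auth.openid.redirecturl` default in InitConfig (together with the key constant in the previous hunk) means a deployment that still sets `redirecturl` in its config has that value silently ignored after upgrade, with the frontend-supplied URL taking over and no hint to the operator. Consider a one-time warning in InitConfig when that key is still present in the loaded config, pointing at the new behaviour described in config.yml.sample, so the change is noticed during upgrade rather than during a failing login. Whether the config loader exposes keys that no longer have a `Key` constant is not visible here, so this may need a raw lookup by the string `auth.openid.redirecturl`.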
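Review bot: `RedirectUrl` in the Callback struct breaks the Go initialism convention that the rest of this diff follows (`RedirectURL` in `oauth2.Config` and in the removed info.go field); rename it to `RedirectURL`, keep the `json:"redirect_url"` tag, and give it a comment such as `// redirect_uri the frontend used for the authorization request; must match the URL registered with the provider`, updating the assignment in HandleCallback to match. Note also that `Code` and `Scope` carry a `query` tag while the new field has only `json`, so if the callback is ever bound from query parameters (the binding call is not visible in this diff) the redirect URL would stay empty and the token exchange would be sent without a `redirect_uri`.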
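Review bot: The added assignment writes a per-request value into `provider.Oauth2Config`, which providers.go builds once as a pointer and which `provider` here appears to be fetched from a shared lookup, so concurrent callbacks race on the field and one user's `redirect_uri` can be sent in another user's token exchange (intermittent login failures), and the last value outlives the request. Copy the config per request instead: `cfg := *provider.Oauth2Config`, `cfg.RedirectURL = cb.RedirectUrl`, `oauth2Token, err := cfg.Exchange(context.Background(), cb.Code)`. `cb.RedirectUrl` is also client-supplied and unchecked; the provider is what ultimately enforces that it matches the registered redirect URI, but rejecting an empty or non-absolute value with a 400 before the exchange (e.g. via `url.ParseRequestURI`) gives a clearer failure than an opaque provider error, and comparing it against the configured frontend URL would be cheap defence in depth. HandleCallback begins before this hunk and continues past it.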
diff --git a/pkg/modules/auth/openid/providers.go b/pkg/modules/auth/openid/providers.go
index 2c876ec91..8791491f5 100644
--- a/pkg/modules/auth/openid/providers.go
+++ b/pkg/modules/auth/openid/providers.go
@@ -149,7 +149,6 @@ func getProviderFromMap(pi map[string]interface{}) (provider *Provider, err erro
 provider.Oauth2Config = &oauth2.Config{
 ClientID: provider.ClientID,
 ClientSecret: provider.ClientSecret,
- RedirectURL: config.AuthOpenIDRedirectURL.GetString() + k,
 // Discovery returns the OAuth2 endpoints.
 Endpoint: provider.openIDProvider.Endpoint(),
 
diff --git a/pkg/routes/api/v1/info.go b/pkg/routes/api/v1/info.go
index 0b1cf2437..5b632b245 100644
--- a/pkg/routes/api/v1/info.go
+++ b/pkg/routes/api/v1/info.go
@@ -63,9 +63,8 @@ type localAuthInfo struct {
 }
 
 type openIDAuthInfo struct {
- Enabled bool `json:"enabled"`
- RedirectURL string `json:"redirect_url"`
- Providers []*openid.Provider `json:"providers"`
+ Enabled bool `json:"enabled"`
+ Providers []*openid.Provider `json:"providers"`
 }
 
 type legalInfo struct {
@@ -109,8 +108,7 @@ func Info(c echo.Context) error {
 Enabled: config.AuthLocalEnabled.GetBool(),
 },
 OpenIDConnect: openIDAuthInfo{
- Enabled: config.AuthOpenIDEnabled.GetBool(),
- RedirectURL: config.AuthOpenIDRedirectURL.GetString(),
+ Enabled: config.AuthOpenIDEnabled.GetBool(),
 },
 },
 }