Rework in order to work with Traefik

main.go

@@ -54,12 +54,11 @@ func main() {
 	}
 
 	// http handler
-	mux := http.ServeMux{}
-	mux.HandleFunc("/", httphandler.RootHandler(fw, options))
-	mux.HandleFunc(fmt.Sprintf("/%s", options.RedirectURL), httphandler.CallbackHandler(fw, options))
+	httpHandler := httphandler.Create(fw, options)
+	http.HandleFunc("/", httpHandler.Entrypoint())
 
 	logrus.Infof("Listening on %d", options.Port)
-	logrus.Fatal(http.ListenAndServe(fmt.Sprintf(":%d", options.Port), &mux))
+	logrus.Fatal(http.ListenAndServe(fmt.Sprintf(":%d", options.Port), nil))
 }
 
 func checkOptions(options *options.Options) error {

pkg/forwardauth/auth.go

@@ -1,10 +1,10 @@
 package forwardauth
 
 import (
+	"context"
 	"encoding/json"
 	"errors"
 	"net/http"
-	"strings"
 
 	"github.com/StiviiK/keycloak-traefik-forward-auth/pkg/options"
 	"github.com/sirupsen/logrus"
@@ -16,17 +16,17 @@ type AuthenticatationResult struct {
 	IDTokenClaims *json.RawMessage
 }
 
-func (fw *ForwardAuth) HandleAuthentication(logger *logrus.Entry, r *http.Request, state string) (*AuthenticatationResult, error) {
+func (fw *ForwardAuth) HandleAuthentication(ctx context.Context, logger *logrus.Entry, state string, code string) (*AuthenticatationResult, error) {
 	var result AuthenticatationResult
 	logger = logger.WithField("FunctionSource", "HandleAuthentication")
 
-	oauth2Token, err := fw.OAuth2Config.Exchange(r.Context(), r.URL.Query().Get("code"))
+	oauth2Token, err := fw.OAuth2Config.Exchange(ctx, code)
 	if err != nil {
 		logger.Error(err.Error())
 		return &result, err
 	}
 
-	result, err = fw.VerifyToken(r.Context(), oauth2Token)
+	result, err = fw.VerifyToken(ctx, oauth2Token)
 	if err != nil {
 		logger.Error(err.Error())
 		return &result, err
@@ -36,7 +36,7 @@ func (fw *ForwardAuth) HandleAuthentication(logger *logrus.Entry, r *http.Reques
 	return &result, nil
 }
 
-func (fw *ForwardAuth) IsAuthenticated(logger *logrus.Entry, w http.ResponseWriter, r *http.Request, options *options.Options) (*Claims, error) {
+func (fw *ForwardAuth) IsAuthenticated(context context.Context, logger *logrus.Entry, w http.ResponseWriter, r *http.Request, options *options.Options) (*Claims, error) {
 	var claims Claims
 	logger = logger.WithField("FunctionSource", "IsAuthenticated")
 
@@ -48,7 +48,7 @@ func (fw *ForwardAuth) IsAuthenticated(logger *logrus.Entry, w http.ResponseWrit
 	}
 
 	// check if the token is valid
-	idToken, err := fw.OidcVefifier.Verify(r.Context(), cookie.Value)
+	idToken, err := fw.OidcVefifier.Verify(context, cookie.Value)
 
 	switch {
 	case err == nil: // Token is valid
@@ -62,33 +62,36 @@ func (fw *ForwardAuth) IsAuthenticated(logger *logrus.Entry, w http.ResponseWrit
 
 		return &claims, nil
 
-	case strings.Contains(err.Error(), "expired"): // Token is expired
-		logger.Info("Received expired token, trying to refesh it.")
-
-		refreshCookie, err := fw.GetRefreshAuthCookie(r)
-		if err != nil {
-			logger.Error(err.Error())
-			return &claims, err
-		}
-
-		result, err := fw.RefreshToken(r.Context(), refreshCookie.Value)
-		if err != nil {
-			logger.Error(err.Error())
-			return &claims, err
-		}
-
-		http.SetCookie(w, fw.MakeAuthCookie(r, options, result))
-		if len(result.RefreshToken) > 0 { // Do we have an refresh token?
-			http.SetCookie(w, fw.MakeRefreshAuthCookie(r, options, result))
-		}
-
-		err = json.Unmarshal(*result.IDTokenClaims, &claims)
-		if err != nil {
-			logger.Error(err.Error())
-			return &claims, err
-		}
-
-		return &claims, nil
+		// Todo: Updating the cookies does sadly not work here
+		/*
+			case strings.Contains(err.Error(), "expired"): // Token is expired
+				logger.Info("Received expired token, trying to refesh it.")
+
+				refreshCookie, err := fw.GetRefreshAuthCookie(r)
+				if err != nil {
+					logger.Error(err.Error())
+					return &claims, err
+				}
+
+				result, err := fw.RefreshToken(context, refreshCookie.Value)
+				if err != nil {
+					logger.Error(err.Error())
+					return &claims, err
+				}
+
+				http.SetCookie(w, fw.MakeAuthCookie(options, result))
+				if len(result.RefreshToken) > 0 { // Do we have an refresh token?
+					http.SetCookie(w, fw.MakeRefreshAuthCookie(options, result))
+				}
+
+				err = json.Unmarshal(*result.IDTokenClaims, &claims)
+				if err != nil {
+					logger.Error(err.Error())
+					return &claims, err
+				}
+
+				return &claims, nil
+		*/
 
 	case err != nil: // Other error
 		logger.Error(err.Error())

pkg/forwardauth/cookies.go

@@ -23,7 +23,7 @@ func getBaseCookie(options *options.Options) *http.Cookie {
 func (fw *ForwardAuth) MakeCSRFCookie(w http.ResponseWriter, r *http.Request, options *options.Options, state string) *http.Cookie {
 	cookie := getBaseCookie(options)
 	cookie.Name = "__auth_csrf"
-	cookie.Value = fmt.Sprintf("%s|%s", "//google.de", state)
+	cookie.Value = fmt.Sprintf("%s|%s", fw.GetReturnUri(r), state)
 	cookie.Expires = time.Now().Local().Add(time.Hour)
 
 	return cookie
@@ -60,7 +60,7 @@ func (fw *ForwardAuth) ClearCSRFCookie(options *options.Options) *http.Cookie {
 	return cookie
 }
 
-func (fw *ForwardAuth) MakeAuthCookie(r *http.Request, options *options.Options, authResult *AuthenticatationResult) *http.Cookie {
+func (fw *ForwardAuth) MakeAuthCookie(options *options.Options, authResult *AuthenticatationResult) *http.Cookie {
 	cookie := getBaseCookie(options)
 	cookie.Name = "__auth"
 	cookie.Value = authResult.IDToken
@@ -81,7 +81,7 @@ func (fw *ForwardAuth) ClearAuthCookie(options *options.Options) *http.Cookie {
 	return cookie
 }
 
-func (fw *ForwardAuth) MakeRefreshAuthCookie(r *http.Request, options *options.Options, authResult *AuthenticatationResult) *http.Cookie {
+func (fw *ForwardAuth) MakeRefreshAuthCookie(options *options.Options, authResult *AuthenticatationResult) *http.Cookie {
 	cookie := getBaseCookie(options)
 	cookie.Name = "__auth_refresh"
 	cookie.Value = authResult.RefreshToken

pkg/forwardauth/forwardauth.go

@@ -47,7 +47,7 @@ func Create(ctx context.Context, options *options.Options) (*ForwardAuth, error)
 		OAuth2Config: oauth2.Config{
 			ClientID:     options.ClientID,
 			ClientSecret: options.ClientSecret,
-			RedirectURL:  fmt.Sprintf("http://%s:%d/%s", options.AuthDomain, options.Port, options.RedirectURL),
+			RedirectURL:  fmt.Sprintf("https://%s%s", options.AuthDomain, options.RedirectURL),
 
 			// Discovery returns the OAuth2 endpoints.
 			Endpoint: provider.Endpoint(),

pkg/httphandler/callback.go

@@ -2,47 +2,44 @@ package httphandler
 
 import (
 	"net/http"
+	"net/url"
 
-	"github.com/StiviiK/keycloak-traefik-forward-auth/pkg/forwardauth"
-	"github.com/StiviiK/keycloak-traefik-forward-auth/pkg/options"
 	"github.com/sirupsen/logrus"
 )
 
 // CallbackHandler returns a handler function which handles the callback from oidc provider
-func CallbackHandler(fw *forwardauth.ForwardAuth, options *options.Options) func(http.ResponseWriter, *http.Request) {
-	return func(w http.ResponseWriter, r *http.Request) {
-		logger := logrus.WithFields(logrus.Fields{
-			"SourceIP": r.Header.Get("X-Forwarded-For"),
-			"Path":     r.URL.Path,
-		})
-
-		// check for the csrf cookie
-		state, _, err := fw.ValidateCSRFCookie(r)
-		if err != nil {
-			http.Error(w, err.Error(), http.StatusUnauthorized)
-			return
-		}
-
-		// verify the state
-		if r.URL.Query().Get("state") != state {
-			http.Error(w, "state did not match", http.StatusBadRequest)
-			return
-		}
-
-		// handle the authentication
-		authResult, err := fw.HandleAuthentication(logger, r, state)
-		if err != nil {
-			http.Error(w, err.Error(), http.StatusInternalServerError)
-			return
-		}
-
-		// clear the csrf cookie
-		http.SetCookie(w, fw.ClearCSRFCookie(options))
-
-		http.SetCookie(w, fw.MakeAuthCookie(r, options, authResult))
-		if len(authResult.RefreshToken) > 0 { // Do we have an refresh token?
-			http.SetCookie(w, fw.MakeRefreshAuthCookie(r, options, authResult))
-		}
-		http.Redirect(w, r, "/", http.StatusTemporaryRedirect)
+func (root *HttpHandler) callbackHandler(w http.ResponseWriter, r *http.Request, forwardedURI *url.URL) {
+	logger := logrus.WithFields(logrus.Fields{
+		"SourceIP": r.Header.Get("X-Forwarded-For"),
+		"Path":     forwardedURI.Path,
+	})
+
+	// check for the csrf cookie
+	state, redirect, err := root.forwardAuth.ValidateCSRFCookie(r)
+	if err != nil {
+		http.Error(w, err.Error(), http.StatusUnauthorized)
+		return
 	}
+
+	// verify the state
+	if forwardedURI.Query().Get("state") != state {
+		http.Error(w, "state did not match", http.StatusBadRequest)
+		return
+	}
+
+	// handle the authentication
+	authResult, err := root.forwardAuth.HandleAuthentication(r.Context(), logger, state, forwardedURI.Query().Get("code"))
+	if err != nil {
+		http.Error(w, err.Error(), http.StatusInternalServerError)
+		return
+	}
+
+	// clear the csrf cookie
+	http.SetCookie(w, root.forwardAuth.ClearCSRFCookie(root.options))
+
+	http.SetCookie(w, root.forwardAuth.MakeAuthCookie(root.options, authResult))
+	if len(authResult.RefreshToken) > 0 { // Do we have an refresh token?
+		http.SetCookie(w, root.forwardAuth.MakeRefreshAuthCookie(root.options, authResult))
+	}
+	http.Redirect(w, r, redirect, http.StatusTemporaryRedirect)
 }

pkg/httphandler/handler.go

@@ -0,0 +1,40 @@
+package httphandler
+
+import (
+	"net/http"
+	"net/url"
+
+	"github.com/StiviiK/keycloak-traefik-forward-auth/pkg/forwardauth"
+	"github.com/StiviiK/keycloak-traefik-forward-auth/pkg/options"
+)
+
+type HttpHandler struct {
+	forwardAuth *forwardauth.ForwardAuth
+	options     *options.Options
+}
+
+func Create(fw *forwardauth.ForwardAuth, options *options.Options) *HttpHandler {
+	return &HttpHandler{
+		forwardAuth: fw,
+		options:     options,
+	}
+}
+
+func (h *HttpHandler) Entrypoint() func(http.ResponseWriter, *http.Request) {
+	return func(w http.ResponseWriter, r *http.Request) {
+		uri, err := url.Parse(r.Header.Get("X-Forwarded-Uri"))
+		switch {
+		case err != nil:
+			http.Error(w, err.Error(), http.StatusInternalServerError)
+			return
+
+		case uri.Path == h.options.RedirectURL:
+			h.callbackHandler(w, r, uri)
+			return
+
+		case uri.Path == "/":
+			h.rootHandler(w, r, uri)
+			return
+		}
+	}
+}

pkg/httphandler/root.go

@@ -2,37 +2,34 @@ package httphandler
 
 import (
 	"net/http"
+	"net/url"
 
-	"github.com/StiviiK/keycloak-traefik-forward-auth/pkg/forwardauth"
-	"github.com/StiviiK/keycloak-traefik-forward-auth/pkg/options"
 	"github.com/google/uuid"
 	"github.com/sirupsen/logrus"
 )
 
 // RootHandler returns a handler function which handles all requests to the root
-func RootHandler(fw *forwardauth.ForwardAuth, options *options.Options) func(http.ResponseWriter, *http.Request) {
-	return func(w http.ResponseWriter, r *http.Request) {
-		logger := logrus.WithFields(logrus.Fields{
-			"SourceIP": r.Header.Get("X-Forwarded-For"),
-			"Path":     r.URL.Path,
-		})
+func (root *HttpHandler) rootHandler(w http.ResponseWriter, r *http.Request, forwardedURI *url.URL) {
+	logger := logrus.WithFields(logrus.Fields{
+		"SourceIP": r.Header.Get("X-Forwarded-For"),
+		"Path":     forwardedURI.Path,
+	})
 
-		claims, err := fw.IsAuthenticated(logger, w, r, options)
-		if err != nil {
-			logger = logger.WithField("FunctionSource", "RootHandler")
-			logger.Warn("IsAuthenticated failed, initating login flow.")
+	claims, err := root.forwardAuth.IsAuthenticated(r.Context(), logger, w, r, root.options)
+	if err != nil {
+		logger = logger.WithField("FunctionSource", "RootHandler")
+		logger.Warn("IsAuthenticated failed, initating login flow.")
 
-			http.SetCookie(w, fw.ClearAuthCookie(options))
-			http.SetCookie(w, fw.ClearRefreshAuthCookie(options))
+		http.SetCookie(w, root.forwardAuth.ClearAuthCookie(root.options))
+		http.SetCookie(w, root.forwardAuth.ClearRefreshAuthCookie(root.options))
 
-			state := uuid.New().String()
-			http.SetCookie(w, fw.MakeCSRFCookie(w, r, options, state))
-			http.Redirect(w, r, fw.OAuth2Config.AuthCodeURL(state), http.StatusFound)
-			return
-		}
-
-		w.Header().Set("X-Forwarded-User", claims.EMail)
-		w.WriteHeader(200)
-		w.Write([]byte(claims.Expiration.Time().Local().String()))
+		state := uuid.New().String()
+		http.SetCookie(w, root.forwardAuth.MakeCSRFCookie(w, r, root.options, state))
+		http.Redirect(w, r, root.forwardAuth.OAuth2Config.AuthCodeURL(state), http.StatusTemporaryRedirect)
+		return
 	}
+
+	w.Header().Set("X-Forwarded-User", claims.EMail)
+	w.WriteHeader(200)
+	w.Write([]byte(claims.Expiration.Time().Local().String()))
 }