
External redirect urls #461

2 changes: 2 additions & 0 deletions main.go
Expand Up @@ -21,6 +21,7 @@ func main() {
upstreams := StringArray{}
skipAuthRegex := StringArray{}
googleGroups := StringArray{}
redirectDomains := StringArray{}

config := flagSet.String("config", "", "path to config file")
showVersion := flagSet.Bool("version", false, "print version string")
Expand All @@ -30,6 +31,7 @@ func main() {
flagSet.String("tls-cert", "", "path to certificate file")
flagSet.String("tls-key", "", "path to private key file")
flagSet.String("redirect-url", "", "the OAuth Redirect URL. ie: \"https://internalapp.yourcompany.com/oauth2/callback\"")
flagSet.Var(&redirectDomains, "redirect-domain", "Allow redirects on successful login to this domain (may be given multiple times)")
flagSet.Bool("set-xauthrequest", false, "set X-Auth-Request-User and X-Auth-Request-Email response headers (useful in Nginx auth_request mode)")
flagSet.Var(&upstreams, "upstream", "the http url(s) of the upstream endpoint or file:// paths for static files. Routing is based on the path")
flagSet.Bool("pass-basic-auth", true, "pass HTTP Basic Auth, X-Forwarded-User and X-Forwarded-Email information to upstream")
25 changes: 21 additions & 4 deletions oauthproxy.go
Expand Up @@ -72,6 +72,7 @@ type OAuthProxy struct {
compiledRegex []*regexp.Regexp
templates *template.Template
Footer string
RedirectDomains []string
}

type UpstreamProxy struct {
Expand Down Expand Up @@ -210,6 +211,7 @@ func NewOAuthProxy(opts *Options, validator func(string) bool) *OAuthProxy {
CookieCipher: cipher,
templates: loadTemplates(opts.CustomTemplatesDir),
Footer: opts.Footer,
RedirectDomains: opts.RedirectDomains,
}
}

Expand Down Expand Up @@ -367,6 +369,8 @@ func (p *OAuthProxy) SignInPage(rw http.ResponseWriter, req *http.Request, code
redirect_url := req.URL.RequestURI()
if req.Header.Get("X-Auth-Request-Redirect") != "" {
redirect_url = req.Header.Get("X-Auth-Request-Redirect")
} else if req.URL.Query().Get("rd") != "" {
redirect_url = req.URL.Query().Get("rd")
}
if redirect_url == p.SignInPath {
redirect_url = "/"
Expand Down Expand Up @@ -416,9 +420,6 @@ func (p *OAuthProxy) GetRedirect(req *http.Request) (redirect string, err error)
}

redirect = req.Form.Get("rd")
if redirect == "" || !strings.HasPrefix(redirect, "/") || strings.HasPrefix(redirect, "//") {
redirect = "/"
}

return
}
Expand Down Expand Up @@ -511,6 +512,20 @@ func (p *OAuthProxy) OAuthStart(rw http.ResponseWriter, req *http.Request) {
http.Redirect(rw, req, p.provider.GetLoginURL(redirectURI, fmt.Sprintf("%v:%v", nonce, redirect)), 302)
}

func (p *OAuthProxy) isValidRedirectDomain(domain string) bool {
if domain == "" {
// No domain - an absolute URL - always permitted.
return true
}

for _, validDomain := range p.RedirectDomains {
if validDomain == "*" || domain == validDomain {
return true
}
}
return false
}

func (p *OAuthProxy) OAuthCallback(rw http.ResponseWriter, req *http.Request) {
remoteAddr := getRemoteAddr(req)

Expand Down Expand Up @@ -552,7 +567,9 @@ func (p *OAuthProxy) OAuthCallback(rw http.ResponseWriter, req *http.Request) {
return
}

if !strings.HasPrefix(redirect, "/") || strings.HasPrefix(redirect, "//") {
u, err := url.Parse(redirect)
if err != nil || !strings.HasPrefix(u.Path, "/") || !p.isValidRedirectDomain(u.Host) {
log.Printf("redirect URL '%s' not permitted - redirecting to /", redirect)
redirect = "/"
}

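Review bot: The host-less branch of the new check in OAuthCallback (`!strings.HasPrefix(u.Path, "/") || !p.isValidRedirectDomain(u.Host)`) is narrower than the `//` guard this commit removes from GetRedirect: url.Parse keeps a backslash in the path, so a redirect whose path starts with `/\` parses with an empty host, is accepted by isValidRedirectDomain, and is then treated by browsers as a scheme-relative URL. Rejecting `//` and `/\` prefixes on u.Path and restricting u.Scheme to http/https when one is present closes that gap; the rewritten condition is below. isValidRedirectDomain also compares `u.Host` (which still carries any port) case-sensitively, so a configured `app.example.com` will not match `app.example.com:443` or `APP.EXAMPLE.COM` — acceptable as fail-closed, but worth a comment, and its first comment should read `// No host - a path-relative URL - always permitted.` rather than calling it an absolute URL. The `*` wildcard switches the host check off entirely, which the `redirect-domain` flag help in main.go should say. OAuthCallback starts and ends outside the hunk.
```go
	// … unchanged: session lookup and error handling before the redirect check …
	u, err := url.Parse(redirect)
	if err != nil ||
		(u.Scheme != "" && u.Scheme != "http" && u.Scheme != "https") ||
		!strings.HasPrefix(u.Path, "/") ||
		// browsers normalise a leading "/\" to "//", so it must not reach the host-less case
		strings.HasPrefix(u.Path, "//") || strings.HasPrefix(u.Path, "/\\") ||
		!p.isValidRedirectDomain(u.Host) {
		log.Printf("redirect URL %q not permitted - redirecting to /", redirect)
		redirect = "/"
	}
```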
1 change: 1 addition & 0 deletions options.go
Expand Up @@ -41,6 +41,7 @@ type Options struct {
DisplayHtpasswdForm bool `flag:"display-htpasswd-form" cfg:"display_htpasswd_form"`
CustomTemplatesDir string `flag:"custom-templates-dir" cfg:"custom_templates_dir"`
Footer string `flag:"footer" cfg:"footer"`
RedirectDomains []string `flag:"redirect-domain" cfg:"redirect_domains"`

CookieName string `flag:"cookie-name" cfg:"cookie_name" env:"OAUTH2_PROXY_COOKIE_NAME"`
CookieSecret string `flag:"cookie-secret" cfg:"cookie_secret" env:"OAUTH2_PROXY_COOKIE_SECRET"`