37 lines
1.4 KiB
Diff
37 lines
1.4 KiB
Diff
|
From 0c932b61febe8a458d4bf4ff075feeffb02efc02 Mon Sep 17 00:00:00 2001
|
||
|
|
From: Cullen Walsh <ckwalsh@cullenwalsh.com>
|
||
|
|
Date: Mon, 3 Jan 2022 17:32:33 -0800
|
||
|
|
Subject: [PATCH 1/2] Unbreak oauth2-proxy for keycloak provider after 2c668a
|
||
|
|
|
||
|
|
With 2c668a, oauth2-proxy fails a request if the token validation fails.
|
||
|
|
Token validation always fails with the keycloak provider, due to the
|
||
|
|
valudation request passing the token via the URL, and keycloak not
|
||
|
|
parsing the url for tokens.
|
||
|
|
|
||
|
|
This is fixed by forcing the validation request to pass the token via a
|
||
|
|
header.
|
||
|
|
|
||
|
|
This code taken from the DigitalOcean provider, which presumably forcing
|
||
|
|
the token to be passed via header for the same reason.
|
||
|
|
|
||
|
|
Test plan: I was unable to build a docker image to test the fix, but I
|
||
|
|
believe it is relatively simple, and it passes the "looks good to me"
|
||
|
|
test plan.
|
||
|
|
---
|
||
|
|
providers/keycloak.go | 5 +++++
|
||
|
|
1 file changed, 5 insertions(+)
|
||
|
|
|
||
|
|
diff --git a/providers/keycloak.go b/providers/keycloak.go
|
||
|
|
index c1a873529..4a8af231a 100644
|
||
|
|
--- a/providers/keycloak.go
|
||
|
|
+++ b/providers/keycloak.go
|
||
|
|
@@ -100,3 +100,8 @@ func (p *KeycloakProvider) EnrichSession(ctx context.Context, s *sessions.Sessio
|
||
|
|
|
||
|
|
return nil
|
||
|
|
}
|
||
|
|
+
|
||
|
|
+// ValidateSession validates the AccessToken
|
||
|
|
+func (p *KeycloakProvider) ValidateSession(ctx context.Context, s *sessions.SessionState) bool {
|
||
|
|
+ return validateToken(ctx, p, s.AccessToken, makeOIDCHeader(s.AccessToken))
|
||
|
|
+}
|