Revert "packages/oauth2-proxy: patch keycloak token bug" and "modules/oauth2-proxy: use patched package"
Fix merged in version 7.3.0 upstream. This reverts commit1fb7853b52
. This reverts commite847db9dc0
.
This commit is contained in:
parent
a9e60e8101
commit
0a4dd13316
3 changed files with 1 additions and 40 deletions
|
@ -1,4 +1,4 @@
|
||||||
{ config, inputs, lib, pkgs, tools, ... }:
|
{ config, lib, pkgs, tools, ... }:
|
||||||
let
|
let
|
||||||
inherit (tools.meta) domain;
|
inherit (tools.meta) domain;
|
||||||
login = x: "https://login.${domain}/auth/realms/master/protocol/openid-connect/${x}";
|
login = x: "https://login.${domain}/auth/realms/master/protocol/openid-connect/${x}";
|
||||||
|
@ -17,7 +17,6 @@ in
|
||||||
|
|
||||||
services.oauth2_proxy = {
|
services.oauth2_proxy = {
|
||||||
enable = true;
|
enable = true;
|
||||||
package = inputs.self.packages.${pkgs.system}.oauth2-proxy;
|
|
||||||
approvalPrompt = "auto";
|
approvalPrompt = "auto";
|
||||||
provider = "keycloak";
|
provider = "keycloak";
|
||||||
scope = "openid";
|
scope = "openid";
|
||||||
|
|
|
@ -33,8 +33,6 @@ super: rec {
|
||||||
jre = jre17_standard;
|
jre = jre17_standard;
|
||||||
};
|
};
|
||||||
|
|
||||||
oauth2-proxy = patch super.oauth2-proxy "patches/base/oauth2-proxy";
|
|
||||||
|
|
||||||
tempo = super.tempo.overrideAttrs (_: {
|
tempo = super.tempo.overrideAttrs (_: {
|
||||||
version = builtins.substring 1 (-1) pins.tempo.version;
|
version = builtins.substring 1 (-1) pins.tempo.version;
|
||||||
src = super.npins.mkSource pins.tempo;
|
src = super.npins.mkSource pins.tempo;
|
||||||
|
|
|
@ -1,36 +0,0 @@
|
||||||
From 0c932b61febe8a458d4bf4ff075feeffb02efc02 Mon Sep 17 00:00:00 2001
|
|
||||||
From: Cullen Walsh <ckwalsh@cullenwalsh.com>
|
|
||||||
Date: Mon, 3 Jan 2022 17:32:33 -0800
|
|
||||||
Subject: [PATCH 1/2] Unbreak oauth2-proxy for keycloak provider after 2c668a
|
|
||||||
|
|
||||||
With 2c668a, oauth2-proxy fails a request if the token validation fails.
|
|
||||||
Token validation always fails with the keycloak provider, due to the
|
|
||||||
valudation request passing the token via the URL, and keycloak not
|
|
||||||
parsing the url for tokens.
|
|
||||||
|
|
||||||
This is fixed by forcing the validation request to pass the token via a
|
|
||||||
header.
|
|
||||||
|
|
||||||
This code taken from the DigitalOcean provider, which presumably forcing
|
|
||||||
the token to be passed via header for the same reason.
|
|
||||||
|
|
||||||
Test plan: I was unable to build a docker image to test the fix, but I
|
|
||||||
believe it is relatively simple, and it passes the "looks good to me"
|
|
||||||
test plan.
|
|
||||||
---
|
|
||||||
providers/keycloak.go | 5 +++++
|
|
||||||
1 file changed, 5 insertions(+)
|
|
||||||
|
|
||||||
diff --git a/providers/keycloak.go b/providers/keycloak.go
|
|
||||||
index c1a873529..4a8af231a 100644
|
|
||||||
--- a/providers/keycloak.go
|
|
||||||
+++ b/providers/keycloak.go
|
|
||||||
@@ -100,3 +100,8 @@ func (p *KeycloakProvider) EnrichSession(ctx context.Context, s *sessions.Sessio
|
|
||||||
|
|
||||||
return nil
|
|
||||||
}
|
|
||||||
+
|
|
||||||
+// ValidateSession validates the AccessToken
|
|
||||||
+func (p *KeycloakProvider) ValidateSession(ctx context.Context, s *sessions.SessionState) bool {
|
|
||||||
+ return validateToken(ctx, p, s.AccessToken, makeOIDCHeader(s.AccessToken))
|
|
||||||
+}
|
|
Loading…
Reference in a new issue