Revert "packages/oauth2-proxy: patch keycloak token bug" and "modules/oauth2-proxy: use patched package"

Fix merged in version 7.3.0 upstream.
This reverts commit 1fb7853b52.
This reverts commit e847db9dc0.
This commit is contained in:
Max Headroom 2022-08-01 17:49:35 +02:00
parent a9e60e8101
commit 0a4dd13316
3 changed files with 1 additions and 40 deletions

View file

@ -1,4 +1,4 @@
{ config, inputs, lib, pkgs, tools, ... }: { config, lib, pkgs, tools, ... }:
let let
inherit (tools.meta) domain; inherit (tools.meta) domain;
login = x: "https://login.${domain}/auth/realms/master/protocol/openid-connect/${x}"; login = x: "https://login.${domain}/auth/realms/master/protocol/openid-connect/${x}";
@ -17,7 +17,6 @@ in
services.oauth2_proxy = { services.oauth2_proxy = {
enable = true; enable = true;
package = inputs.self.packages.${pkgs.system}.oauth2-proxy;
approvalPrompt = "auto"; approvalPrompt = "auto";
provider = "keycloak"; provider = "keycloak";
scope = "openid"; scope = "openid";

View file

@ -33,8 +33,6 @@ super: rec {
jre = jre17_standard; jre = jre17_standard;
}; };
oauth2-proxy = patch super.oauth2-proxy "patches/base/oauth2-proxy";
tempo = super.tempo.overrideAttrs (_: { tempo = super.tempo.overrideAttrs (_: {
version = builtins.substring 1 (-1) pins.tempo.version; version = builtins.substring 1 (-1) pins.tempo.version;
src = super.npins.mkSource pins.tempo; src = super.npins.mkSource pins.tempo;

View file

@ -1,36 +0,0 @@
From 0c932b61febe8a458d4bf4ff075feeffb02efc02 Mon Sep 17 00:00:00 2001
From: Cullen Walsh <ckwalsh@cullenwalsh.com>
Date: Mon, 3 Jan 2022 17:32:33 -0800
Subject: [PATCH 1/2] Unbreak oauth2-proxy for keycloak provider after 2c668a
With 2c668a, oauth2-proxy fails a request if the token validation fails.
Token validation always fails with the keycloak provider, due to the
valudation request passing the token via the URL, and keycloak not
parsing the url for tokens.
This is fixed by forcing the validation request to pass the token via a
header.
This code taken from the DigitalOcean provider, which presumably forcing
the token to be passed via header for the same reason.
Test plan: I was unable to build a docker image to test the fix, but I
believe it is relatively simple, and it passes the "looks good to me"
test plan.
---
providers/keycloak.go | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/providers/keycloak.go b/providers/keycloak.go
index c1a873529..4a8af231a 100644
--- a/providers/keycloak.go
+++ b/providers/keycloak.go
@@ -100,3 +100,8 @@ func (p *KeycloakProvider) EnrichSession(ctx context.Context, s *sessions.Sessio
return nil
}
+
+// ValidateSession validates the AccessToken
+func (p *KeycloakProvider) ValidateSession(ctx context.Context, s *sessions.SessionState) bool {
+ return validateToken(ctx, p, s.AccessToken, makeOIDCHeader(s.AccessToken))
+}