providers/proxy: rework redirect mechanism #8594
authentik PR Installation instructions

Instructions for docker-compose

Add the following block to your

AUTHENTIK_IMAGE=ghcr.io/goauthentik/dev-server
AUTHENTIK_TAG=gh-ghcr.io/goauthentik/dev-server:gh-ba1c6e34ae5ff93bf45adea50c4e1dfdfb74e75a
AUTHENTIK_OUTPOSTS__CONTAINER_IMAGE_BASE=ghcr.io/goauthentik/dev-%(type)s:gh-%(build_hash)s

For arm64, use these values:

AUTHENTIK_IMAGE=ghcr.io/goauthentik/dev-server
AUTHENTIK_TAG=gh-ghcr.io/goauthentik/dev-server:gh-ba1c6e34ae5ff93bf45adea50c4e1dfdfb74e75a-arm64
AUTHENTIK_OUTPOSTS__CONTAINER_IMAGE_BASE=ghcr.io/goauthentik/dev-%(type)s:gh-%(build_hash)s

Afterwards, run the upgrade commands from the latest release notes.

Instructions for Kubernetes

Add the following block to your

authentik:
    outposts:
        container_image_base: ghcr.io/goauthentik/dev-%(type)s:gh-%(build_hash)s
image:
    repository: ghcr.io/goauthentik/dev-server
    tag: gh-ghcr.io/goauthentik/dev-server:gh-ba1c6e34ae5ff93bf45adea50c4e1dfdfb74e75a

For arm64, use these values:

authentik:
    outposts:
        container_image_base: ghcr.io/goauthentik/dev-%(type)s:gh-%(build_hash)s
image:
    repository: ghcr.io/goauthentik/dev-server
    tag: gh-ghcr.io/goauthentik/dev-server:gh-ba1c6e34ae5ff93bf45adea50c4e1dfdfb74e75a-arm64

Afterwards, run the upgrade commands from the latest release notes.
Will this patch be included in the next release? @BeryJu
Signed-off-by: Jens Langhammer <jens@goauthentik.io>
Codecov Report
All modified and coverable lines are covered by tests ✅
Additional details and impacted files
@@ Coverage Diff @@
## main #8594 +/- ##
==========================================
- Coverage 92.45% 92.43% -0.03%
==========================================
Files 669 669
Lines 32695 32695
==========================================
- Hits 30228 30220 -8
- Misses 2467 2475 +8
As there hasn't been enough testing with this for all the possible setup options (we've tested it with proxy (single) and forward auth with nginx and envoy), we won't be including this in the next 2024.4 bugfix release. However, in this case it should be possible to use the beta outpost image with the 2024.4 release to test this change.
Details
closes #6886
closes #5603
instead of relying on ?rd= being set and carried forward (which doesn't happen due to OAuth redirect URLs) and using oauth_redirect in the session (which can be overwritten by parallel requests and mainly leads to #6886)

this PR changes the logic to encode the redirect URL (after being validated) into the state param (turning the state param into a signed JWT which also contains the random secret), and then using the same state when returning to redirect the user in the end.

Checklist
(ak test authentik/)
(make lint-fix)
If an API change has been made
(make gen-build)
If changes to the frontend have been made
(make web)
If applicable
(make website)
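The mechanism described in this PR, as an added Go example that is not code from authentik: the redirect is validated first, signed together with the session's random value into an HS256 JWT used as `state`, and read back on return only after the signature and nonce check. The claim names, the function names and the validation rule (https on a single allowed host) are assumptions, and the key and URLs are constructed sample values.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"net/url"
	"strings"
)

// claims is an assumed payload: the per-session random value plus the redirect.
type claims struct{ Nonce, Redirect string }
var b64 = base64.RawURLEncoding
func mac(key []byte, msg string) string {
	h := hmac.New(sha256.New, key)
	h.Write([]byte(msg))
	return b64.EncodeToString(h.Sum(nil))
}

// NewState validates the redirect (assumed rule), then signs it with the nonce as an HS256 JWT.
func NewState(key []byte, nonce, redirect, host string) (string, error) {
	u, err := url.Parse(redirect)
	if err != nil || u.Scheme != "https" || u.Host != host {
		return "", fmt.Errorf("redirect %q not allowed", redirect)
	}
	body, _ := json.Marshal(claims{nonce, redirect})
	msg := b64.EncodeToString([]byte(`{"alg":"HS256","typ":"JWT"}`)) + "." + b64.EncodeToString(body)
	return msg + "." + mac(key, msg), nil
}

// Redirect checks the MAC with a fixed algorithm (header never trusted), then the session nonce.
func Redirect(key []byte, state, sessionNonce string) (string, error) {
	var c claims
	p := strings.Split(state, ".")
	if len(p) != 3 || !hmac.Equal([]byte(mac(key, p[0]+"."+p[1])), []byte(p[2])) {
		return "", fmt.Errorf("state signature invalid")
	}
	raw, err := b64.DecodeString(p[1])
	if err != nil || json.Unmarshal(raw, &c) != nil || !hmac.Equal([]byte(c.Nonce), []byte(sessionNonce)) {
		return "", fmt.Errorf("state does not belong to this session")
	}
	return c.Redirect, nil
}

func main() {
	s, _ := NewState([]byte("constructed-key"), "n1", "https://app.example.com/a?b=1", "app.example.com")
	fmt.Println(Redirect([]byte("constructed-key"), s, "n1"))
}
```

Because each login attempt carries its own redirect inside its own `state`, two parallel requests in one session no longer overwrite each other's target.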