goauthentik / authentik

The authentication glue you need.
https://goauthentik.io

URL clash with certain application names and OAuth2/OpenID providers #7419

Open sdimovv opened 8 months ago

sdimovv commented 8 months ago

Describe the bug The discovery endpoint returns the following URLs:

"issuer": "https://example.com/application/o/<APP-SLUG>/",
"authorization_endpoint": "https://example.com/application/o/authorize/",
"token_endpoint": "https://example.com/application/o/token/",
"userinfo_endpoint": "https://example.com/application/o/userinfo/",
"end_session_endpoint": "https://example.com/application/o/<APP-SLUG>/end-session/",
"introspection_endpoint": "https://example.com/application/o/introspect/",
"revocation_endpoint": "https://example.com/application/o/revoke/",
"device_authorization_endpoint": "https://example.com/application/o/device/",
"jwks_uri": "https://example.com/application/o/<APP-SLUG>/jwks/",

However, if an app happens to have a slug of "authorize" or "token" (etc) it will result in invalid discovery endpoints being returned. For example, if an app has a slug of "authorize", the discovery endpoint returns:

"issuer": "https://example.com/application/o/authorize/", # Same URL
"authorization_endpoint": "https://example.com/application/o/authorize/", # Same URL
"token_endpoint": "https://example.com/application/o/token/",
"userinfo_endpoint": "https://example.com/application/o/userinfo/",
"end_session_endpoint": "https://example.com/application/o/authorize/end-session/",
"introspection_endpoint": "https://example.com/application/o/introspect/",
"revocation_endpoint": "https://example.com/application/o/revoke/",
"device_authorization_endpoint": "https://example.com/application/o/device/",
"jwks_uri": "https://example.com/application/o/authorize/jwks/",

This is not warned about in the docs (to my knowledge), nor is it validated in authentik in any way.

To Reproduce Steps to reproduce the behavior:

  1. Create an OAuth2/OpenID provider
  2. Create an app and set a slug of "authorize", "token", etc
  3. Query discovery endpoint https://example.com/application/o/<app-slug>/.well-known/openid-configuration
  4. See URLs

Expected behavior Put the endpoint "verb" as prefix and move the app slug last for all endpoints:

https://example.com/application/o/authorize/
https://example.com/application/o/end-session/<app-slug>/
https://example.com/application/o/issuer/<app-slug>/
https://example.com/application/o/token/
https://example.com/application/o/userinfo/
https://example.com/application/o/introspect/
https://example.com/application/o/revoke/
https://example.com/application/o/device/
https://example.com/application/o/jwks/<app-slug>/

Also discovery endpoint becomes:

https://example.com/application/o/discovery/<app-slug>/.well-known/openid-configuration

Screenshots If applicable, add screenshots to help explain your problem.

Logs Output of docker-compose logs or kubectl logs respectively

Version and Deployment (please complete the following information):

Additional context Add any other context about the problem here.
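The clash the report describes, reconstructed as an added Python example (not authentik's own code): it builds the discovery document with the URL layout quoted above, reports which endpoints end up sharing a URL with the issuer, and shows the slug validation the reporter says is missing. The reserved-segment list is assumed from the endpoints listed in the issue only.

```python
# Fixed path segments under /application/o/ as listed in the discovery document
# quoted in the issue. A slug equal to any of them is routed to that endpoint.
# Assumption: this set is derived from the issue text, not from authentik's router.
RESERVED_SEGMENTS = frozenset(
    {"authorize", "token", "userinfo", "introspect", "revoke", "device"}
)


def build_discovery(base: str, slug: str) -> dict[str, str]:
    """Reconstruct the discovery URLs in the layout the issue shows:
    slug-scoped issuer, end-session and jwks; shared verb endpoints."""
    root = base.rstrip("/") + "/application/o/"
    return {
        "issuer": f"{root}{slug}/",
        "authorization_endpoint": f"{root}authorize/",
        "token_endpoint": f"{root}token/",
        "userinfo_endpoint": f"{root}userinfo/",
        "end_session_endpoint": f"{root}{slug}/end-session/",
        "introspection_endpoint": f"{root}introspect/",
        "revocation_endpoint": f"{root}revoke/",
        "device_authorization_endpoint": f"{root}device/",
        "jwks_uri": f"{root}{slug}/jwks/",
    }


def find_clashes(doc: dict[str, str]) -> list[str]:
    """Return the endpoint keys whose URL is identical to the issuer URL,
    i.e. the ambiguous routes the issue complains about."""
    issuer = doc["issuer"]
    return sorted(k for k, v in doc.items() if k != "issuer" and v == issuer)


def validate_slug(slug: str) -> str:
    """Hypothetical pre-save check: reject slugs that equal a fixed
    provider endpoint segment so no application can shadow it."""
    if slug.strip("/").lower() in RESERVED_SEGMENTS:
        raise ValueError(f"slug {slug!r} is a reserved OAuth2/OIDC path segment")
    return slug
```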

authentik-automation[bot] commented 6 months ago

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.