fix: passing correct httpClient, do not use DefaultClients (#3319)
most of our deployments use custom certificates, using DefaultClient makes it virtually impossible to make share URL feature work. this PR fixes this behavior in the implementation. Bonus: re-use transports inside console, will add more changes to take custom transport inputs in subsequent PR.
This commit is contained in:
Harshavardhana
GitHub
@@ -52,9 +52,9 @@ type ProviderConfig struct {
|
||||
//
|
||||
// We only support Authentication with the Authorization Code Flow - spec:
|
||||
// https://openid.net/specs/openid-connect-core-1_0.html#CodeFlowAuth
|
||||
func (pc ProviderConfig) GetOauth2Provider(name string, scopes []string, r *http.Request, idpClient, stsClient *http.Client) (provider *Provider, err error) {
|
||||
func (pc ProviderConfig) GetOauth2Provider(name string, scopes []string, r *http.Request, clnt *http.Client) (provider *Provider, err error) {
|
||||
var ddoc DiscoveryDoc
|
||||
ddoc, err = parseDiscoveryDoc(r.Context(), pc.URL, idpClient)
|
||||
ddoc, err = parseDiscoveryDoc(r.Context(), pc.URL, clnt)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
@@ -112,9 +112,7 @@ func (pc ProviderConfig) GetOauth2Provider(name string, scopes []string, r *http
|
||||
|
||||
client.IDPName = name
|
||||
client.UserInfo = pc.Userinfo
|
||||
|
||||
client.provHTTPClient = idpClient
|
||||
client.stsHTTPClient = stsClient
|
||||
client.client = clnt
|
||||
|
||||
return client, nil
|
||||
}
|
||||
|
||||
@@ -109,11 +109,10 @@ type Provider struct {
|
||||
// - Scopes specifies optional requested permissions.
|
||||
IDPName string
|
||||
// if enabled means that we need extrace access_token as well
|
||||
UserInfo bool
|
||||
RefreshToken string
|
||||
oauth2Config Configuration
|
||||
provHTTPClient *http.Client
|
||||
stsHTTPClient *http.Client
|
||||
UserInfo bool
|
||||
RefreshToken string
|
||||
oauth2Config Configuration
|
||||
client *http.Client
|
||||
}
|
||||
|
||||
// DefaultDerivedKey is the key used to compute the HMAC for signing the oauth state parameter
|
||||
@@ -204,7 +203,7 @@ func NewOauth2ProviderClient(scopes []string, r *http.Request, httpClient *http.
|
||||
|
||||
client.IDPName = GetIDPClientID()
|
||||
client.UserInfo = GetIDPUserInfo()
|
||||
client.provHTTPClient = httpClient
|
||||
client.client = httpClient
|
||||
|
||||
return client, nil
|
||||
}
|
||||
@@ -212,12 +211,12 @@ func NewOauth2ProviderClient(scopes []string, r *http.Request, httpClient *http.
|
||||
var defaultScopes = []string{"openid", "profile", "email"}
|
||||
|
||||
// NewOauth2ProviderClientByName returns a provider if present specified by the input name of the provider.
|
||||
func (ois OpenIDPCfg) NewOauth2ProviderClientByName(name string, scopes []string, r *http.Request, idpClient, stsClient *http.Client) (provider *Provider, err error) {
|
||||
func (ois OpenIDPCfg) NewOauth2ProviderClientByName(name string, scopes []string, r *http.Request, clnt *http.Client) (provider *Provider, err error) {
|
||||
oi, ok := ois[name]
|
||||
if !ok {
|
||||
return nil, fmt.Errorf("%s IDP provider does not exist", name)
|
||||
}
|
||||
return oi.GetOauth2Provider(name, scopes, r, idpClient, stsClient)
|
||||
return oi.GetOauth2Provider(name, scopes, r, clnt)
|
||||
}
|
||||
|
||||
// NewOauth2ProviderClient instantiates a new oauth2 client using the
|
||||
@@ -227,9 +226,9 @@ func (ois OpenIDPCfg) NewOauth2ProviderClientByName(name string, scopes []string
|
||||
//
|
||||
// We only support Authentication with the Authorization Code Flow - spec:
|
||||
// https://openid.net/specs/openid-connect-core-1_0.html#CodeFlowAuth
|
||||
func (ois OpenIDPCfg) NewOauth2ProviderClient(scopes []string, r *http.Request, idpClient, stsClient *http.Client) (provider *Provider, providerCfg ProviderConfig, err error) {
|
||||
func (ois OpenIDPCfg) NewOauth2ProviderClient(scopes []string, r *http.Request, clnt *http.Client) (provider *Provider, providerCfg ProviderConfig, err error) {
|
||||
for name, oi := range ois {
|
||||
provider, err = oi.GetOauth2Provider(name, scopes, r, idpClient, stsClient)
|
||||
provider, err = oi.GetOauth2Provider(name, scopes, r, clnt)
|
||||
if err != nil {
|
||||
// Upon error look for the next IDP.
|
||||
continue
|
||||
@@ -278,7 +277,7 @@ func (client *Provider) VerifyIdentity(ctx context.Context, code, state, roleARN
|
||||
return nil, err
|
||||
}
|
||||
getWebTokenExpiry := func() (*credentials.WebIdentityToken, error) {
|
||||
customCtx := context.WithValue(ctx, oauth2.HTTPClient, client.provHTTPClient)
|
||||
customCtx := context.WithValue(ctx, oauth2.HTTPClient, client.client)
|
||||
oauth2Token, err := client.oauth2Config.Exchange(customCtx, code)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
@@ -328,7 +327,7 @@ func (client *Provider) VerifyIdentity(ctx context.Context, code, state, roleARN
|
||||
stsEndpoint := GetSTSEndpoint()
|
||||
|
||||
sts := credentials.New(&credentials.STSWebIdentity{
|
||||
Client: client.stsHTTPClient,
|
||||
Client: client.client,
|
||||
STSEndpoint: stsEndpoint,
|
||||
GetWebIDTokenExpiry: getWebTokenExpiry,
|
||||
RoleARN: roleARN,
|
||||
@@ -342,7 +341,7 @@ func (client *Provider) VerifyIdentityForOperator(ctx context.Context, code, sta
|
||||
if err := validateOauth2State(state, keyFunc); err != nil {
|
||||
return nil, err
|
||||
}
|
||||
customCtx := context.WithValue(ctx, oauth2.HTTPClient, client.provHTTPClient)
|
||||
customCtx := context.WithValue(ctx, oauth2.HTTPClient, client.client)
|
||||
oauth2Token, err := client.oauth2Config.Exchange(customCtx, code)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
|
||||
Reference in New Issue
Block a user