authenticate: fix internal service URL dashboard redirect (#3305)

authenticate/handlers.go

@@ -507,6 +507,7 @@ func (a *Authenticate) userInfo(w http.ResponseWriter, r *http.Request) error {
 	ctx, span := trace.StartSpan(r.Context(), "authenticate.userInfo")
 	defer span.End()
 	r = r.WithContext(ctx)
+	r = a.getExternalRequest(r)
 
 	// if we came in with a redirect URI, save it to a cookie so it doesn't expire with the HMAC
 	if redirectURI := r.FormValue(urlutil.QueryRedirectURI); redirectURI != "" {

authenticate/handlers_test.go

@@ -640,6 +640,25 @@ func TestJwksEndpoint(t *testing.T) {
 func TestAuthenticate_userInfo(t *testing.T) {
 	t.Parallel()
 
+	t.Run("cookie-redirect-uri", func(t *testing.T) {
+		w := httptest.NewRecorder()
+		r := httptest.NewRequest("GET", "https://authenticate.service.cluster.local/.pomerium/?pomerium_redirect_uri=https://www.example.com", nil)
+		var a Authenticate
+		a.state = newAtomicAuthenticateState(&authenticateState{
+			cookieSecret: cryptutil.NewKey(),
+		})
+		a.options = config.NewAtomicOptions()
+		a.options.Store(&config.Options{
+			SharedKey:                     cryptutil.NewBase64Key(),
+			AuthenticateURLString:         "https://authenticate.example.com",
+			AuthenticateInternalURLString: "https://authenticate.service.cluster.local",
+		})
+		err := a.userInfo(w, r)
+		assert.NoError(t, err)
+		assert.Equal(t, http.StatusFound, w.Code)
+		assert.Equal(t, "https://authenticate.example.com/.pomerium/", w.Header().Get("Location"))
+	})
+
 	now := time.Now()
 	tests := []struct {
 		name         string