authenticate: make callback path configurable (#493)

Signed-off-by: Bobby DeSimone <bobbydesimone@gmail.com>
2025-08-02 16:30:17 +02:00 · 2020-02-08 09:06:23 -08:00 · 2020-02-08 09:06:23 -08:00 · 5716113c2a
commit 5716113c2a
parent 1901cb5ca0
6 changed files with 57 additions and 26 deletions
--- a/authenticate/authenticate.go
+++ b/authenticate/authenticate.go
@ -27,8 +27,6 @@ import (
 	"github.com/pomerium/pomerium/internal/urlutil"
 )

-const callbackPath = "/oauth2/callback"
-
 // ValidateOptions checks that configuration are complete and valid.
 // Returns on first error found.
 func ValidateOptions(o config.Options) error {
@ -47,6 +45,9 @@ func ValidateOptions(o config.Options) error {
 	if o.ClientSecret == "" {
 		return errors.New("authenticate: 'IDP_CLIENT_SECRET' is required")
 	}
+	if o.AuthenticateCallbackPath == "" {
+		return errors.New("authenticate: 'AUTHENTICATE_CALLBACK_PATH' is required")
+	}
 	return nil
 }

@ -149,7 +150,7 @@ func New(opts config.Options) (*Authenticate, error) {
 	headerStore := header.NewStore(encryptedEncoder, "Pomerium")

 	redirectURL, _ := urlutil.DeepCopy(opts.AuthenticateURL)
-	redirectURL.Path = callbackPath
+	redirectURL.Path = opts.AuthenticateCallbackPath
 	// configure our identity provider
 	provider, err := identity.New(
 		opts.Provider,
--- a/authenticate/authenticate_test.go
+++ b/authenticate/authenticate_test.go
@ -43,6 +43,8 @@ func TestOptions_Validate(t *testing.T) {
 	badSharedKey.SharedKey = ""
 	badAuthenticateURL := newTestOptions(t)
 	badAuthenticateURL.AuthenticateURL = nil
+	badCallbackPath := newTestOptions(t)
+	badCallbackPath.AuthenticateCallbackPath = ""

 	tests := []struct {
 		name    string
@ -60,6 +62,7 @@ func TestOptions_Validate(t *testing.T) {
 		{"no client id", emptyClientID, true},
 		{"no client secret", emptyClientSecret, true},
 		{"empty authenticate url", badAuthenticateURL, true},
+		{"empty callback path", badCallbackPath, true},
 	}
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
--- a/authenticate/handlers.go
+++ b/authenticate/handlers.go
@ -31,8 +31,8 @@ func (a *Authenticate) Handler() http.Handler {
 		a.cookieSecret,
 		csrf.Secure(a.cookieOptions.Secure),
 		csrf.Path("/"),
-		csrf.UnsafePaths([]string{callbackPath}), // enforce CSRF on "safe" handler
-		csrf.FormValueName("state"),              // rfc6749 section-10.12
+		csrf.UnsafePaths([]string{a.RedirectURL.Path}), // enforce CSRF on "safe" handler
+		csrf.FormValueName("state"),                    // rfc6749 section-10.12
 		csrf.CookieName(fmt.Sprintf("%s_csrf", a.cookieOptions.Name)),
 		csrf.ErrorHandler(httputil.HandlerFunc(httputil.CSRFFailureHandler)),
 	))