authenticate: fix callback handler for split mode (#4010)

authenticate: fix callback handler for split mode (#4008) fix auth handler for split mode Co-authored-by: Denis Mishin <dmishin@pomerium.com>
2025-05-03 20:36:03 +02:00 · 2023-02-23 08:31:22 -07:00 · 2023-02-23 08:31:22 -07:00 · baf36965bd
commit baf36965bd
parent 7f6797ba74
1 changed files with 26 additions and 9 deletions
--- a/config/envoyconfig/routes.go
+++ b/config/envoyconfig/routes.go
@ -74,19 +74,36 @@ func (b *Builder) buildPomeriumHTTPRoutes(options *config.Options, host string)
 			routes = append(routes, b.buildControlPlanePathRoute("/robots.txt", false))
 		}
 	}
-	// if we're handling authentication, add the oauth2 callback url
-	// as the callback url is from the IdP, it is expected only on the public authenticate URL endpoint
-	authenticateURL, err := options.GetAuthenticateURL()
+
+	authRoutes, err := b.buildPomeriumAuthenticateHTTPRoutes(options, host)
 	if err != nil {
 		return nil, err
 	}
-	if config.IsAuthenticate(options.Services) && urlMatchesHost(authenticateURL, host) {
-		routes = append(routes,
+	routes = append(routes, authRoutes...)
+	return routes, nil
+}
+
+func (b *Builder) buildPomeriumAuthenticateHTTPRoutes(options *config.Options, host string) ([]*envoy_config_route_v3.Route, error) {
+	if !config.IsAuthenticate(options.Services) {
+		return nil, nil
+	}
+
+	for _, fn := range []func() (*url.URL, error){
+		options.GetAuthenticateURL,
+		options.GetInternalAuthenticateURL,
+	} {
+		u, err := fn()
+		if err != nil {
+			return nil, err
+		}
+		if urlMatchesHost(u, host) {
+			return []*envoy_config_route_v3.Route{
 				b.buildControlPlanePathRoute(options.AuthenticateCallbackPath, false),
 				b.buildControlPlanePathRoute("/", false),
-		)
+			}, nil
 		}
-	return routes, nil
+	}
+	return nil, nil
 }

 func (b *Builder) buildControlPlanePathRoute(path string, protected bool) *envoy_config_route_v3.Route {