fix: SAML and OIDC issuer (in proxied use cases) (#9638)

# Which Problems Are Solved When using implicit flow through the session API and a login UI on a custom domain (proxy), the tokens were signed by the API domain of the instance, rather than the public (proxy) domain. The SAML response had the same issue. Additionally, the saml library had an issue and lost the issuer context. This prevented also a successful login through the hosted login UI. # How the Problems Are Solved - The issuer of the SAML and Auth request is persisted to provide the information when signing the responses and tokens. - The SAML library is updated to the latest version. # Additional Changes None # Additional Context None
2025-08-11 21:27:42 +00:00 · 2025-03-26 18:08:13 +01:00
parent 1c0c08307f
commit 0e10ed0e0b
19 changed files with 226 additions and 162 deletions
--- a/internal/api/oidc/auth_request.go
+++ b/internal/api/oidc/auth_request.go
@@ -111,6 +111,7 @@ func (o *OPStorage) createAuthRequestLoginClient(ctx context.Context, req *oidc.
 		Prompt:           PromptToBusiness(req.Prompt),
 		UILocales:        UILocalesToBusiness(req.UILocales),
 		MaxAge:           MaxAgeToBusiness(req.MaxAge),
+		Issuer:           o.contextToIssuer(ctx),
 	}
 	if req.LoginHint != "" {
 		authRequest.LoginHint = &req.LoginHint
--- a/internal/api/oidc/op.go
+++ b/internal/api/oidc/op.go
@@ -75,6 +75,7 @@ type OPStorage struct {
 	encAlg                            crypto.EncryptionAlgorithm
 	locker                            crdb.Locker
 	assetAPIPrefix                    func(ctx context.Context) string
+	contextToIssuer                   func(context.Context) string
 }

 // Provider is used to overload certain [op.Provider] methods
@@ -119,7 +120,7 @@ func NewServer(
 	if err != nil {
 		return nil, zerrors.ThrowInternal(err, "OIDC-EGrqd", "cannot create op config: %w")
 	}
-	storage := newStorage(config, command, query, repo, encryptionAlg, es, projections)
+	storage := newStorage(config, command, query, repo, encryptionAlg, es, projections, ContextToIssuer)
 	keyCache := newPublicKeyCache(ctx, config.PublicKeyCacheMaxAge, queryKeyFunc(query))
 	accessTokenKeySet := newOidcKeySet(keyCache, withKeyExpiryCheck(true))
 	idTokenHintKeySet := newOidcKeySet(keyCache)
@@ -182,9 +183,13 @@ func NewServer(
 	return server, nil
 }

+func ContextToIssuer(ctx context.Context) string {
+	return http_utils.DomainContext(ctx).Origin()
+}
+
 func IssuerFromContext(_ bool) (op.IssuerFromRequest, error) {
 	return func(r *http.Request) string {
-		return http_utils.DomainContext(r.Context()).Origin()
+		return ContextToIssuer(r.Context())
 	}, nil
 }

@@ -220,7 +225,7 @@ func createOPConfig(config Config, defaultLogoutRedirectURI string, cryptoKey []
 	return opConfig, nil
 }

-func newStorage(config Config, command *command.Commands, query *query.Queries, repo repository.Repository, encAlg crypto.EncryptionAlgorithm, es *eventstore.Eventstore, db *database.DB) *OPStorage {
+func newStorage(config Config, command *command.Commands, query *query.Queries, repo repository.Repository, encAlg crypto.EncryptionAlgorithm, es *eventstore.Eventstore, db *database.DB, contextToIssuer func(context.Context) string) *OPStorage {
 	return &OPStorage{
 		repo:                              repo,
 		command:                           command,
@@ -236,6 +241,7 @@ func newStorage(config Config, command *command.Commands, query *query.Queries,
 		encAlg:                            encAlg,
 		locker:                            crdb.NewLocker(db.DB, locksTable, signingKey),
 		assetAPIPrefix:                    assets.AssetAPI(),
+		contextToIssuer:                   contextToIssuer,
 	}
 }