fix(oidc): correct behavior when working with bypass rules

- Introduced a new handler for unknown paths in the OIDCProvider to prevent fallback to the default login page.
- Forced the OIDC middleware to treat an unknown path as a login path and redirect to the login page when bypass rules are declared.
- Refactored OIDC path constants.
- Updated checkBypass middleware to enforce path prefixes for bypass rules, ensuring proper request handling.
This commit is contained in:
yusing
2025-11-13 15:13:20 +08:00
parent f6dcc8f118
commit 219eedf3c5
3 changed files with 49 additions and 7 deletions


@@ -31,6 +31,8 @@ type (
endSessionURL *url.URL
allowedUsers []string
allowedGroups []string
onUnknownPathHandler http.HandlerFunc
}
IDTokenClaims struct {
@@ -64,8 +66,9 @@ func (auth *OIDCProvider) getAppScopedCookieName(baseName string) string {
const (
OIDCAuthInitPath = "/"
OIDCPostAuthPath = "/auth/callback"
OIDCLogoutPath = "/auth/logout"
OIDCAuthBasePath = "/auth"
OIDCPostAuthPath = OIDCAuthBasePath + "/callback"
OIDCLogoutPath = OIDCAuthBasePath + "/logout"
)
var (
@@ -177,6 +180,10 @@ func (auth *OIDCProvider) SetScopes(scopes []string) {
auth.oauthConfig.Scopes = scopes
}
func (auth *OIDCProvider) SetOnUnknownPathHandler(handler http.HandlerFunc) {
auth.onUnknownPathHandler = handler
}
// optRedirectPostAuth returns an oauth2 option that sets the "redirect_uri"
// parameter of the authorization URL to the post auth path of the current
// request host.
@@ -213,6 +220,10 @@ func (auth *OIDCProvider) HandleAuth(w http.ResponseWriter, r *http.Request) {
case OIDCLogoutPath:
auth.LogoutHandler(w, r)
default:
if auth.onUnknownPathHandler != nil {
auth.onUnknownPathHandler(w, r)
return
}
http.Redirect(w, r, OIDCAuthInitPath, http.StatusFound)
}
}
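Review bot: The default branch now routes every path that is not the callback or logout path — including any other path under `/auth` — to `onUnknownPathHandler`, and nothing in the hunk shows a session check before that call, so a handler that serves or proxies content would presumably do so for unauthenticated requests; that contract should be stated where the branch is, e.g. `// Not an OIDC endpoint: defer to the configured handler (reached without any session check here), else fall back to the login page.` The field is also plain-assigned by `SetOnUnknownPathHandler` with no synchronization visible, so if it can be set after the provider starts serving requests this is a data race under `-race`; the setter's doc comment should say it must be called before the provider is exposed, e.g. `// SetOnUnknownPathHandler installs the handler HandleAuth uses for paths other than the callback and logout paths; call it before serving — it is not synchronized.` HandleAuth's signature and the switch's opening line are outside the hunk.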