Adds option to add state postfix

Author: alexander-mayr-meister

.github/workflows/ci.yaml

@@ -52,11 +52,21 @@ jobs:
 
   docker:
     runs-on: ubuntu-20.04
+    permissions:
+          contents: 'read'
+          id-token: 'write'
+    timeout-minutes: 30
     steps:
-
     - name: Check out code
       uses: actions/checkout@v3
 
+    - name: Setup Google Cloud Auth
+      uses: 'google-github-actions/auth@v2'
+      with:
+        project_id: 'meisterlabs-staging'
+        workload_identity_provider: projects/930405717829/locations/global/workloadIdentityPools/github/providers/github-actions-provider
+        service_account: 'meister-artifact-registry@meisterlabs-staging.iam.gserviceaccount.com'
+
     - name: Set up QEMU
       uses: docker/setup-qemu-action@v2
 
@@ -66,4 +76,7 @@ jobs:
 
     - name: Docker Build
       run: |
+        export IMAGE_TAG=$(echo 'refs/heads/24-04-additional-state' | sed 's/refs\/heads\///')
+        echo $IMAGE_TAG
         make docker
+        make docker-push

Makefile

@@ -4,7 +4,7 @@ GOLANGCILINT ?= golangci-lint
 BINARY := oauth2-proxy
 VERSION ?= $(shell git describe --always --dirty --tags 2>/dev/null || echo "undefined")
 # Allow to override image registry.
-REGISTRY ?= quay.io/oauth2-proxy
+REGISTRY=europe-west1-docker.pkg.dev/meisterlabs-staging/oauth2-proxy
 .NOTPARALLEL:
 
 GO_MAJOR_VERSION = $(shell $(GO) version | cut -c 14- | cut -d' ' -f1 | cut -d'.' -f1)
@@ -61,7 +61,7 @@ docker-all: docker
 
 .PHONY: docker-push
 docker-push:
-	$(DOCKER_BUILDX_PUSH_X_PLATFORM) -t $(REGISTRY)/oauth2-proxy:latest -t $(REGISTRY)/oauth2-proxy:${VERSION} .
+	$(DOCKER_BUILDX_PUSH_X_PLATFORM) -t $(REGISTRY)/oauth2-proxy:${IMAGE_TAG} -t $(REGISTRY)/oauth2-proxy:${VERSION} .
 
 .PHONY: docker-push-all
 docker-push-all: docker-push

oauthproxy.go

@@ -98,6 +98,7 @@ type OAuthProxy struct {
 	forceJSONErrors     bool
 	realClientIPParser  ipapi.RealClientIPParser
 	trustedIPs          *ip.NetSet
+	statePostfix        string
 
 	sessionChain      alice.Chain
 	headersChain      alice.Chain
@@ -235,6 +236,7 @@ func NewOAuthProxy(opts *options.Options, validator func(string) bool) (*OAuthPr
 		upstreamProxy:      upstreamProxy,
 		redirectValidator:  redirectValidator,
 		appDirector:        appDirector,
+		statePostfix:       opts.StatePostfix,
 	}
 	p.buildServeMux(opts.ProxyPrefix)
 
@@ -787,7 +789,7 @@ func (p *OAuthProxy) doOAuthStart(rw http.ResponseWriter, req *http.Request, ove
 	callbackRedirect := p.getOAuthRedirectURI(req)
 	loginURL := p.provider.GetLoginURL(
 		callbackRedirect,
-		encodeState(csrf.HashOAuthState(), appRedirect),
+		encodeState(csrf.HashOAuthState(), appRedirect, p.statePostfix),
 		csrf.HashOIDCNonce(),
 		extraParams,
 	)
@@ -845,7 +847,8 @@ func (p *OAuthProxy) OAuthCallback(rw http.ResponseWriter, req *http.Request) {
 
 	csrf.ClearCookie(rw, req)
 
-	nonce, appRedirect, err := decodeState(req)
+	nonce, appRedirect, _, err := decodeState(req)
+
 	if err != nil {
 		logger.Errorf("Error while parsing OAuth2 state: %v", err)
 		p.ErrorPage(rw, req, http.StatusInternalServerError, err.Error())
@@ -1185,18 +1188,20 @@ func checkAllowedEmails(req *http.Request, s *sessionsapi.SessionState) bool {
 
 // encodedState builds the OAuth state param out of our nonce and
 // original application redirect
-func encodeState(nonce string, redirect string) string {
-	return fmt.Sprintf("%v:%v", nonce, redirect)
+func encodeState(nonce string, redirect string, additional string) string {
+	return fmt.Sprintf("%v:%v:%v", nonce, redirect, additional)
 }
 
 // decodeState splits the reflected OAuth state response back into
 // the nonce and original application redirect
-func decodeState(req *http.Request) (string, string, error) {
-	state := strings.SplitN(req.Form.Get("state"), ":", 2)
-	if len(state) != 2 {
-		return "", "", errors.New("invalid length")
+func decodeState(req *http.Request) (string, string, string, error) {
+	state := strings.SplitN(req.Form.Get("state"), ":", 3)
+
+	if len(state) != 3 {
+		return "", "", "", errors.New("invalid length")
 	}
-	return state[0], state[1], nil
+
+	return state[0], state[1], state[2], nil
 }
 
 // addHeadersForProxying adds the appropriate headers the request / response for proxying

oauthproxy_test.go

@@ -413,7 +413,7 @@ func (patTest *PassAccessTokenTest) getCallbackEndpoint() (httpCode int, cookie
 		http.MethodGet,
 		fmt.Sprintf(
 			"/oauth2/callback?code=callback_code&state=%s",
-			encodeState(csrf.HashOAuthState(), "%2F"),
+			encodeState(csrf.HashOAuthState(), "", "%2F"),
 		),
 		strings.NewReader(""),
 	)

pkg/apis/options/options.go

@@ -27,6 +27,7 @@ type Options struct {
 	TrustedIPs         []string `flag:"trusted-ip" cfg:"trusted_ips"`
 	ForceHTTPS         bool     `flag:"force-https" cfg:"force_https"`
 	RawRedirectURL     string   `flag:"redirect-url" cfg:"redirect_url"`
+	StatePostfix       string   `flag:"state-postfix" cfg:"state_postfix"`
 
 	AuthenticatedEmailsFile string   `flag:"authenticated-emails-file" cfg:"authenticated_emails_file"`
 	EmailDomains            []string `flag:"email-domain" cfg:"email_domains"`
@@ -151,7 +152,7 @@ func NewFlagSet() *pflag.FlagSet {
 	flagSet.Int("redis-connection-idle-timeout", 0, "Redis connection idle timeout seconds, if Redis timeout option is non-zero, the --redis-connection-idle-timeout must be less then Redis timeout option")
 	flagSet.String("signature-key", "", "GAP-Signature request signature key (algorithm:secretkey)")
 	flagSet.Bool("gcp-healthchecks", false, "Enable GCP/GKE healthcheck endpoints")
-
+	flagSet.String("state-postfix", "", "state_postifx")
 	flagSet.AddFlagSet(cookieFlagSet())
 	flagSet.AddFlagSet(loggingFlagSet())
 	flagSet.AddFlagSet(templatesFlagSet())