Add post login redirect path option (#345)

gogatekeeper · Sep 26, 2023 · 6bfbbd2 · 6bfbbd2
1 parent bd1df76
commit 6bfbbd2
Show file tree

Hide file tree

Showing 3 changed files with 22 additions and 0 deletions.
diff --git a/pkg/apperrors/apperrors.go b/pkg/apperrors/apperrors.go
@@ -33,4 +33,5 @@ var (
 	ErrPKCEWithCodeOnly                = errors.New("pkce can be enabled only with no-redirect=false")
 	ErrPKCECodeCreation                = errors.New("creation of code verifier failed")
 	ErrPKCECookieEmpty                 = errors.New("seems that pkce code verifier cookie value is empty string")
+	ErrInvalidPostLoginRedirectPath    = errors.New("post login redirect path invalid, should be only path not absolute url (no hostname, scheme)")
 )
diff --git a/pkg/keycloak/config/config.go b/pkg/keycloak/config/config.go
@@ -60,6 +60,9 @@ type Config struct {
 	RedirectionURL string `env:"REDIRECTION_URL" json:"redirection-url" usage:"redirection url for the oauth callback url, defaults to host header if absent" yaml:"redirection-url"`
 	// PostLogoutRedirectUri the url to which is redirected after logout
 	PostLogoutRedirectURI string `env:"POST_LOGOUT_REDIRECT_URI" json:"post-logout-redirect-uri" usage:"url to which client is redirected after successful logout" yaml:"post-logout-redirect-uri"`
+	// PostLoginRedirectPath path to which is redirected after login
+	PostLoginRedirectPath string `env:"POST_LOGIN_REDIRECT_PATH" json:"post-login-redirect-path" usage:"path to which client is redirected after successful login" yaml:"post-login-redirect-path"`
+
 	// RevocationEndpoint is the token revocation endpoint to revoke refresh tokens
 	RevocationEndpoint string `env:"REVOCATION_URL" json:"revocation-url" usage:"url for the revocation endpoint to revoke refresh token" yaml:"revocation-url"`
 	// SkipOpenIDProviderTLSVerify skips the tls verification for openid provider communication
@@ -679,6 +682,7 @@ func (r *Config) isReverseProxySettingsValid() error {
 			r.isResourceValid,
 			r.isMatchClaimValid,
 			r.isPKCEValid,
+			r.isPostLoginRedirectValid,
 		}
 
 		for _, validationFunc := range validationRegistry {
@@ -994,3 +998,16 @@ func (r *Config) isPKCEValid() error {
 	}
 	return nil
 }
+
+func (r *Config) isPostLoginRedirectValid() error {
+	if r.PostLoginRedirectPath != "" {
+		parsedURI, err := url.ParseRequestURI(r.PostLoginRedirectPath)
+		if err != nil {
+			return err
+		}
+		if parsedURI.Host != "" || parsedURI.Scheme != "" {
+			return apperrors.ErrInvalidPostLoginRedirectPath
+		}
+	}
+	return nil
+}
diff --git a/pkg/keycloak/proxy/handlers.go b/pkg/keycloak/proxy/handlers.go
@@ -248,6 +248,10 @@ func (r *OauthProxy) oauthCallbackHandler(writer http.ResponseWriter, req *http.
 		}
 	}
 
+	if r.Config.PostLoginRedirectPath != "" && redirectURI == "/" {
+		redirectURI = r.Config.PostLoginRedirectPath
+	}
+
 	var umaToken string
 	var umaError error
 	if r.Config.EnableUma {