From aca0c934616cd4f7f93d06df2fafb80e858b1b73 Mon Sep 17 00:00:00 2001 From: Michael Borkenstein Date: Tue, 20 Apr 2021 12:04:00 -0500 Subject: [PATCH] AUTH-3513: Checks header for app info in case response is a 403/401 from the edge --- token/token.go | 21 +++++++++++++-------- 1 file changed, 13 insertions(+), 8 deletions(-) diff --git a/token/token.go b/token/token.go index f443fd70..f8fb6c1c 100644 --- a/token/token.go +++ b/token/token.go @@ -25,6 +25,7 @@ const ( keyName = "token" tokenCookie = "CF_Authorization" appDomainHeader = "CF-Access-Domain" + appAUDHeader = "CF-Access-Aud" AccessLoginWorkerPath = "/cdn-cgi/access/login" ) @@ -270,14 +271,19 @@ func GetAppInfo(reqURL *url.URL) (*AppInfo, error) { return nil, errors.Wrap(err, "failed to get app info") } resp.Body.Close() - location := resp.Request.URL - if !strings.Contains(location.Path, AccessLoginWorkerPath) { - return nil, fmt.Errorf("failed to get Access app info for %s", reqURL.String()) - } - aud := resp.Request.URL.Query().Get("kid") - if aud == "" { - return nil, errors.New("Empty app aud") + var aud string + location := resp.Request.URL + if strings.Contains(location.Path, AccessLoginWorkerPath) { + aud = resp.Request.URL.Query().Get("kid") + if aud == "" { + return nil, errors.New("Empty app aud") + } + } else if audHeader := resp.Header.Get(appAUDHeader); audHeader != "" { + // 403/401 from the edge will have aud in a header + aud = audHeader + } else { + return nil, fmt.Errorf("failed to get Access app info for %s", reqURL.String()) } domain := resp.Header.Get(appDomainHeader) @@ -286,7 +292,6 @@ func GetAppInfo(reqURL *url.URL) (*AppInfo, error) { } return &AppInfo{location.Hostname(), aud, domain}, nil - } // exchangeOrgToken attaches an org token to a request to the appURL and returns an app token. This uses the Access SSO