spiffe · kfox1111 · Dec 8, 2024 · Dec 8, 2024 · Dec 15, 2024 · Dec 15, 2024
@@ -81,6 +81,15 @@ type Config struct {
 
 	// JWTIssuer specifies the issuer for the OIDC provider configuration request.
 	JWTIssuer string `hcl:"jwt_issuer"`
+
+	// JWKSURI specifies the absolute uri to the jwks keys document. Use this if you are fronting the
+	// discovery provider with a load balancer or reverse proxy
+	JWKSURI string `hcl:"jwks_uri"`
+
+	// ServerPathPrefix specifies the prefix to strip from the path of requests to route to the server.
+	// Example: if ServerPathPrefix is /foo then a request to http://127.0.0.1/foo/.well-known/openid-configuration and
+	// http://127.0.0.1/foo/keys will function with the server.
+	ServerPathPrefix string `hcl:"server_path_prefix"`
 }
 
 type ServingCertFileConfig struct {
@@ -308,6 +317,12 @@ func ParseConfig(hclConfig string) (_ *Config, err error) {
 			return nil, errors.New("the jwt_issuer url must contain a host")
 		}
 	}
+	if c.JWKSURI != "" {
+		jwksURI, err := url.Parse(c.JWKSURI)
+		if err != nil || jwksURI.Scheme == "" || jwksURI.Host == "" {
+			return nil, errors.New("the jwks_uri setting could not be parsed")
+		}
+	}
 	return c, nil
 }
 

@@ -25,23 +25,39 @@ type Handler struct {
 	setKeyUse           bool
 	log                 logrus.FieldLogger
 	jwtIssuer           string
+	jwksURI             string
+	serverPathPrefix    string
 
 	http.Handler
 }
 
-func NewHandler(log logrus.FieldLogger, domainPolicy DomainPolicy, source JWKSSource, allowInsecureScheme bool, setKeyUse bool, jwtIssuer string) *Handler {
+func NewHandler(log logrus.FieldLogger, domainPolicy DomainPolicy, source JWKSSource, allowInsecureScheme bool, setKeyUse bool, jwtIssuer string, jwksURI string, serverPathPrefix string) *Handler {
+	if serverPathPrefix == "" {
+		serverPathPrefix = "/"
+	}
 	h := &Handler{
 		domainPolicy:        domainPolicy,
 		source:              source,
 		allowInsecureScheme: allowInsecureScheme,
 		setKeyUse:           setKeyUse,
 		log:                 log,
 		jwtIssuer:           jwtIssuer,
+		jwksURI:             jwksURI,
+		serverPathPrefix:    serverPathPrefix,
 	}
 
 	mux := http.NewServeMux()
-	mux.Handle("/.well-known/openid-configuration", handlers.ProxyHeaders(http.HandlerFunc(h.serveWellKnown)))
-	mux.Handle("/keys", http.HandlerFunc(h.serveKeys))
+	wkPath, err := url.JoinPath(serverPathPrefix, "/.well-known/openid-configuration")
+	if err != nil {
+		return nil
+	}
+	jwksPath, err := url.JoinPath(serverPathPrefix, "/keys")
+	if err != nil {
+		return nil
+	}
+
+	mux.Handle(wkPath, handlers.ProxyHeaders(http.HandlerFunc(h.serveWellKnown)))
+	mux.Handle(jwksPath, http.HandlerFunc(h.serveKeys))
 
 	h.Handler = mux
 	return h
@@ -56,6 +72,7 @@ func (h *Handler) serveWellKnown(w http.ResponseWriter, r *http.Request) {
 	var host string
 	var path string
 	var urlScheme string
+	var jwksURI url.URL
 	if h.jwtIssuer != "" {
 		jwtIssuerURL, _ := url.Parse(h.jwtIssuer)
 		host = jwtIssuerURL.Host
@@ -68,8 +85,27 @@ func (h *Handler) serveWellKnown(w http.ResponseWriter, r *http.Request) {
 			urlScheme = "http"
 		}
 	}
+	if h.jwksURI != "" {
+		tmpURI, _ := url.Parse(h.jwksURI)
+		jwksURI = *tmpURI
+	} else {
+		tmpURLScheme := "https"
+		if h.allowInsecureScheme && r.TLS == nil && r.URL.Scheme != "https" {
+			tmpURLScheme = "http"
+		}
+		keysPath, err := url.JoinPath(h.serverPathPrefix, "keys")
+		if err != nil {
+			http.Error(w, err.Error(), http.StatusBadRequest)
+			return
+		}
+		jwksURI = url.URL{
+			Scheme: tmpURLScheme,
+			Host:   r.Host,
+			Path:   keysPath,
+		}
+	}
 
-	if err := h.verifyHost(host); err != nil {
+	if err := h.verifyHost(r.Host); err != nil {
 		http.Error(w, err.Error(), http.StatusBadRequest)
 		return
 	}
@@ -80,8 +116,6 @@ func (h *Handler) serveWellKnown(w http.ResponseWriter, r *http.Request) {
 		Path:   path,
 	}
 
-	jwksURI := issuerURL.JoinPath("keys")
-
 	doc := struct {
 		Issuer  string `json:"issuer"`
 		JWKSURI string `json:"jwks_uri"`