Testing Authentik SSO Issues

2025-12-12 14:36:48 +03:00 · 2025-09-07 19:09:00 +05:30
parent c4b353aae8
commit c2f6e73054
6 changed files with 169 additions and 42 deletions
--- a/src/pages/api/auth/sso/register.ts
+++ b/src/pages/api/auth/sso/register.ts
@@ -25,9 +25,34 @@ export async function POST(context: APIContext) {
      );
    }

+    // Validate issuer URL format
+    let validatedIssuer = issuer;
+    if (issuer && typeof issuer === 'string' && issuer.trim() !== '') {
+      try {
+        const issuerUrl = new URL(issuer.trim());
+        validatedIssuer = issuerUrl.toString().replace(/\/$/, ''); // Remove trailing slash
+      } catch (e) {
+        return new Response(
+          JSON.stringify({ error: `Invalid issuer URL format: ${issuer}` }),
+          {
+            status: 400,
+            headers: { "Content-Type": "application/json" },
+          }
+        );
+      }
+    } else {
+      return new Response(
+        JSON.stringify({ error: "Issuer URL cannot be empty" }),
+        {
+          status: 400,
+          headers: { "Content-Type": "application/json" },
+        }
+      );
+    }
+
    let registrationBody: any = {
      providerId,
-      issuer,
+      issuer: validatedIssuer,
      domain,
      organizationId,
    };
@@ -91,14 +116,27 @@ export async function POST(context: APIContext) {
      // Use provided scopes or default if not specified
      const finalScopes = scopes || ["openid", "email", "profile"];

+      // Validate endpoint URLs if provided
+      const validateUrl = (url: string | undefined, name: string): string | undefined => {
+        if (!url) return undefined;
+        if (typeof url !== 'string' || url.trim() === '') return undefined;
+        try {
+          const validatedUrl = new URL(url.trim());
+          return validatedUrl.toString();
+        } catch (e) {
+          console.warn(`Invalid ${name} URL: ${url}, skipping`);
+          return undefined;
+        }
+      };
+
      registrationBody.oidcConfig = {
-        clientId,
-        clientSecret,
-        authorizationEndpoint,
-        tokenEndpoint,
-        jwksEndpoint,
-        discoveryEndpoint,
-        userInfoEndpoint,
+        clientId: clientId || undefined,
+        clientSecret: clientSecret || undefined,
+        authorizationEndpoint: validateUrl(authorizationEndpoint, 'authorization endpoint'),
+        tokenEndpoint: validateUrl(tokenEndpoint, 'token endpoint'),
+        jwksEndpoint: validateUrl(jwksEndpoint, 'JWKS endpoint'),
+        discoveryEndpoint: validateUrl(discoveryEndpoint, 'discovery endpoint'),
+        userInfoEndpoint: validateUrl(userInfoEndpoint, 'userinfo endpoint'),
        scopes: finalScopes,
        pkce,
      };
--- a/src/pages/api/sso/discover.ts
+++ b/src/pages/api/sso/discover.ts
@@ -10,26 +10,71 @@ export async function POST(context: APIContext) {

    const { issuer } = await context.request.json();

-    if (!issuer) {
-      return new Response(JSON.stringify({ error: "Issuer URL is required" }), {
+    if (!issuer || typeof issuer !== 'string' || issuer.trim() === '') {
+      return new Response(JSON.stringify({ error: "Issuer URL is required and must be a valid string" }), {
        status: 400,
        headers: { "Content-Type": "application/json" },
      });
    }

-    // Ensure issuer URL ends without trailing slash for well-known discovery
-    const cleanIssuer = issuer.replace(/\/$/, "");
+    // Validate issuer URL format
+    let cleanIssuer: string;
+    try {
+      const issuerUrl = new URL(issuer.trim());
+      cleanIssuer = issuerUrl.toString().replace(/\/$/, ""); // Remove trailing slash
+    } catch (e) {
+      return new Response(
+        JSON.stringify({ 
+          error: "Invalid issuer URL format",
+          details: `The provided URL "${issuer}" is not a valid URL. For Authentik, use format: https://your-authentik-domain/application/o/<app-slug>/`
+        }),
+        {
+          status: 400,
+          headers: { "Content-Type": "application/json" },
+        }
+      );
+    }
+
    const discoveryUrl = `${cleanIssuer}/.well-known/openid-configuration`;

    try {
-      // Fetch OIDC discovery document
-      const response = await fetch(discoveryUrl);
+      // Fetch OIDC discovery document with timeout
+      const controller = new AbortController();
+      const timeoutId = setTimeout(() => controller.abort(), 10000); // 10 second timeout
+      
+      let response: Response;
+      try {
+        response = await fetch(discoveryUrl, {
+          signal: controller.signal,
+          headers: {
+            'Accept': 'application/json',
+          }
+        });
+      } catch (fetchError) {
+        if (fetchError instanceof Error && fetchError.name === 'AbortError') {
+          throw new Error(`Request timeout: The OIDC provider at ${cleanIssuer} did not respond within 10 seconds`);
+        }
+        throw new Error(`Network error: Could not connect to ${cleanIssuer}. Please verify the URL is correct and accessible.`);
+      } finally {
+        clearTimeout(timeoutId);
+      }
      
      if (!response.ok) {
-        throw new Error(`Failed to fetch discovery document: ${response.status}`);
+        if (response.status === 404) {
+          throw new Error(`OIDC discovery document not found at ${discoveryUrl}. For Authentik, ensure you're using the correct application slug in the URL.`);
+        } else if (response.status >= 500) {
+          throw new Error(`OIDC provider error (${response.status}): The server at ${cleanIssuer} returned an error.`);
+        } else {
+          throw new Error(`Failed to fetch discovery document (${response.status}): ${response.statusText}`);
+        }
      }

-      const config = await response.json();
+      let config: any;
+      try {
+        config = await response.json();
+      } catch (parseError) {
+        throw new Error(`Invalid response: The discovery document from ${cleanIssuer} is not valid JSON.`);
+      }

      // Extract the essential endpoints
      const discoveredConfig = {