support allowlist mode and fixed redirect mode simultaneously (#19)

Signed-off-by: Christian Troelsen <christian.troelsen@tryg.dk>

format

fix again

Author: WhammyLeaf

config.go

@@ -11,9 +11,10 @@ import (
 // Config holds OAuth configuration
 type Config struct {
 	// OAuth settings
-	Mode         string // "native" or "proxy"
-	Provider     string // "hmac", "okta", "google", "azure"
-	RedirectURIs string // Redirect URIs (single or comma-separated)
+	Mode             string // "native" or "proxy"
+	Provider         string // "hmac", "okta", "google", "azure"
+	RedirectURIs     string // Redirect URIs allowlist (single or comma-separated)
+	FixedRedirectURI string // Optional fixed redirect URI used for proxying callbacks
 
 	// OIDC configuration
 	Issuer       string
@@ -89,8 +90,8 @@ func (c *Config) Validate() error {
 		if c.ServerURL == "" {
 			return fmt.Errorf("proxy mode requires ServerURL")
 		}
-		if c.RedirectURIs == "" {
-			return fmt.Errorf("proxy mode requires RedirectURIs")
+		if c.RedirectURIs == "" && c.FixedRedirectURI == "" {
+			return fmt.Errorf("proxy mode requires RedirectURIs or FixedRedirectURI")
 		}
 	}
 
@@ -197,6 +198,12 @@ func (b *ConfigBuilder) WithRedirectURIs(uris string) *ConfigBuilder {
 	return b
 }
 
+// WithFixedRedirectURI sets the fixed redirect URI used for proxying callbacks
+func (b *ConfigBuilder) WithFixedRedirectURI(uri string) *ConfigBuilder {
+	b.config.FixedRedirectURI = uri
+	return b
+}
+
 // WithIssuer sets the OIDC issuer
 func (b *ConfigBuilder) WithIssuer(issuer string) *ConfigBuilder {
 	b.config.Issuer = issuer
@@ -319,6 +326,7 @@ func FromEnv() (*Config, error) {
 		WithMode(getEnv("OAUTH_MODE", "")).
 		WithProvider(getEnv("OAUTH_PROVIDER", "")).
 		WithRedirectURIs(getEnv("OAUTH_REDIRECT_URIS", "")).
+		WithFixedRedirectURI(getEnv("OAUTH_FIXED_REDIRECT_URI", "")).
 		WithIssuer(getEnv("OIDC_ISSUER", "")).
 		WithAudience(getEnv("OIDC_AUDIENCE", "")).
 		WithClientID(getEnv("OIDC_CLIENT_ID", "")).

handlers.go

@@ -40,6 +40,8 @@ type OAuth2Config struct {
 	Mode         string // "native" or "proxy"
 	Provider     string
 	RedirectURIs string
+	// FixedRedirectURI is an optional fixed redirect URI used when proxying callbacks
+	FixedRedirectURI string
 
 	// OIDC configuration
 	Issuer       string
@@ -184,21 +186,22 @@ func NewOAuth2ConfigFromConfig(cfg *Config, version string) *OAuth2Config {
 	}
 
 	return &OAuth2Config{
-		Enabled:         true,
-		Mode:            cfg.Mode,
-		Provider:        cfg.Provider,
-		RedirectURIs:    cfg.RedirectURIs,
-		Issuer:          cfg.Issuer,
-		Audience:        cfg.Audience,
-		ClientID:        cfg.ClientID,
-		ClientSecret:    cfg.ClientSecret,
-		Scopes:          scopes,
-		MCPHost:         mcpHost,
-		MCPPort:         mcpPort,
-		MCPURL:          mcpURL,
-		Scheme:          scheme,
-		Version:         version,
-		stateSigningKey: cfg.JWTSecret,
+		Enabled:          true,
+		Mode:             cfg.Mode,
+		Provider:         cfg.Provider,
+		RedirectURIs:     cfg.RedirectURIs,
+		FixedRedirectURI: cfg.FixedRedirectURI,
+		Issuer:           cfg.Issuer,
+		Audience:         cfg.Audience,
+		ClientID:         cfg.ClientID,
+		ClientSecret:     cfg.ClientSecret,
+		Scopes:           scopes,
+		MCPHost:          mcpHost,
+		MCPPort:          mcpPort,
+		MCPURL:           mcpURL,
+		Scheme:           scheme,
+		Version:          version,
+		stateSigningKey:  cfg.JWTSecret,
 	}
 }
 
@@ -298,12 +301,22 @@ func (h *OAuth2Handler) HandleAuthorize(w http.ResponseWriter, r *http.Request)
 
 	// Determine redirect URI strategy based on configuration
 	var redirectURI string
-	hasFixedRedirect := h.config.RedirectURIs != "" && !strings.Contains(h.config.RedirectURIs, ",")
+	actualState := state
+
+	if h.config.RedirectURIs != "" {
+		// Allowlist mode: Client's URI must be in allowlist, used directly (no proxy)
+		if h.isValidRedirectURI(clientRedirectURI) {
+			redirectURI = clientRedirectURI
+			h.logger.Info("OAuth2: Allowlist mode - using client URI from allowlist: %s", redirectURI)
+		} else {
+			h.logger.Warn("SECURITY: Redirect URI not in allowlist: %s from %s", clientRedirectURI, r.RemoteAddr)
+			h.logger.Info("SECURITY: Will try fixed redirect mode next")
+		}
+	}
 
-	if hasFixedRedirect {
+	if redirectURI == "" && h.config.FixedRedirectURI != "" {
 		// Fixed redirect mode: Use server's redirect URI to OAuth provider, proxy back to client
-		redirectURI = strings.TrimSpace(h.config.RedirectURIs)
-		h.logger.Info("OAuth2: Fixed redirect mode - using server URI: %s (will proxy to client: %s)", redirectURI, clientRedirectURI)
+		h.logger.Info("OAuth2: Fixed redirect mode - using server URI: %s (will proxy to client: %s)", h.config.FixedRedirectURI, clientRedirectURI)
 
 		// Validate client redirect URI format and security
 		if clientRedirectURI == "" {
@@ -347,30 +360,9 @@ func (h *OAuth2Handler) HandleAuthorize(w http.ResponseWriter, r *http.Request)
 			http.Error(w, "Fixed redirect mode only allows localhost redirect URIs for security. Use allowlist mode for production.", http.StatusBadRequest)
 			return
 		}
-
+		redirectURI = strings.TrimSpace(h.config.FixedRedirectURI)
 		h.logger.Info("OAuth2: Validated localhost redirect URI for proxy: %s", clientRedirectURI)
-	} else if h.config.RedirectURIs != "" {
-		// Allowlist mode: Client's URI must be in allowlist, used directly (no proxy)
-		if !h.isValidRedirectURI(clientRedirectURI) {
-			h.logger.Warn("SECURITY: Redirect URI not in allowlist: %s from %s", clientRedirectURI, r.RemoteAddr)
-			http.Error(w, "Invalid redirect_uri", http.StatusBadRequest)
-			return
-		}
-		redirectURI = clientRedirectURI
-		h.logger.Info("OAuth2: Allowlist mode - using client URI from allowlist: %s", redirectURI)
-	} else {
-		// No configuration: Reject for security
-		h.logger.Warn("SECURITY: No redirect URIs configured, rejecting: %s from %s", clientRedirectURI, r.RemoteAddr)
-		http.Error(w, "Invalid redirect_uri", http.StatusBadRequest)
-		return
-	}
-
-	// Update OAuth2 config with redirect URI
-	h.oauth2Config.RedirectURL = redirectURI
-
-	// For fixed redirect mode, create signed state with client redirect URI
-	actualState := state
-	if hasFixedRedirect {
+		// For fixed redirect mode, create signed state with client redirect URI
 		// Create state data with redirect URI
 		stateData := map[string]string{
 			"state":    state,
@@ -389,6 +381,16 @@ func (h *OAuth2Handler) HandleAuthorize(w http.ResponseWriter, r *http.Request)
 		h.logger.Info("OAuth2: Signed state for proxy callback (length: %d)", len(signedState))
 	}
 
+	if redirectURI == "" {
+		// No configuration: Reject for security
+		h.logger.Warn("SECURITY: No redirect URIs configured, rejecting: %s from %s", clientRedirectURI, r.RemoteAddr)
+		http.Error(w, "Invalid redirect_uri", http.StatusBadRequest)
+		return
+	}
+
+	// Update OAuth2 config with redirect URI
+	h.oauth2Config.RedirectURL = redirectURI
+
 	// Create authorization URL
 	authURL := h.oauth2Config.AuthCodeURL(actualState, oauth2.AccessTypeOffline)
 
@@ -449,7 +451,7 @@ func (h *OAuth2Handler) HandleCallback(w http.ResponseWriter, r *http.Request) {
 	}
 
 	// If using fixed redirect URI, handle proxy callback
-	if h.config.RedirectURIs != "" && !strings.Contains(h.config.RedirectURIs, ",") {
+	if h.config.FixedRedirectURI != "" {
 		// Verify and decode signed state parameter
 		stateData, err := h.verifyState(state)
 		if err != nil {
@@ -546,8 +548,8 @@ func (h *OAuth2Handler) HandleToken(w http.ResponseWriter, r *http.Request) {
 
 		// Set redirect URI for token exchange
 		redirectURI := clientRedirectURI
-		if h.config.RedirectURIs != "" && !strings.Contains(h.config.RedirectURIs, ",") {
-			redirectURI = strings.TrimSpace(h.config.RedirectURIs)
+		if h.config.FixedRedirectURI != "" && !h.isValidRedirectURI(clientRedirectURI) {
+			redirectURI = strings.TrimSpace(h.config.FixedRedirectURI)
 			h.logger.Info("OAuth2: Token exchange using fixed redirect URI: %s", redirectURI)
 		}
 
@@ -802,8 +804,6 @@ func isLocalhostURI(uri string) bool {
 // isValidRedirectURI validates redirect URI against allowlist for security
 func (h *OAuth2Handler) isValidRedirectURI(uri string) bool {
 	if h.config.RedirectURIs == "" {
-		// No redirect URIs configured - reject all redirects for security
-		h.logger.Warn("WARNING: No OAuth redirect URIs configured, rejecting redirect: %s", uri)
 		return false
 	}
 

metadata.go

@@ -194,11 +194,16 @@ func (h *OAuth2Handler) HandleRegister(w http.ResponseWriter, r *http.Request) {
 	if redirectUris, ok := regRequest["redirect_uris"]; ok {
 		response["redirect_uris"] = redirectUris
 		h.logger.Info("OAuth2: Registration allowing client redirect URIs: %v", redirectUris)
+	} else if h.config.FixedRedirectURI != "" {
+		// Fallback to fixed redirect URI if no client URIs provided
+		trimmedURI := strings.TrimSpace(h.config.FixedRedirectURI)
+		response["redirect_uris"] = []string{trimmedURI}
+		h.logger.Info("OAuth2: Registration response using fixed redirect URI: %s", trimmedURI)
 	} else if h.config.RedirectURIs != "" && !strings.Contains(h.config.RedirectURIs, ",") {
-		// Fallback to fixed redirect URI if no client URIs provided (single URI only)
+		// Backwards-compatible fallback: single RedirectURIs value
 		trimmedURI := strings.TrimSpace(h.config.RedirectURIs)
 		response["redirect_uris"] = []string{trimmedURI}
-		h.logger.Info("OAuth2: Registration response using fixed redirect URI: %s", trimmedURI)
+		h.logger.Info("OAuth2: Registration response using single redirect URI from RedirectURIs: %s", trimmedURI)
 	}
 
 	w.Header().Set("Content-Type", "application/json")