Fix loading JWKS

The Gitlab route /-/jwks was an alias which returns a 404 now. This fixes the error message: Error: building authentication provider: initializing GitLab authentication provider: loading JWKS: failed to extract response via extractor function: invalid HTTP status code: 404
networkteam · Feb 7, 2025 · e686fee · e686fee
1 parent 87315cd
commit e686fee
Showing 1 changed file with 46 additions and 46 deletions.
diff --git a/authentication_provider_gitlab.go b/authentication_provider_gitlab.go
@@ -1,18 +1,18 @@
 package vignet
 
 import (
-	"context"
-	"fmt"
-	"net/http"
-	netUrl "net/url"
-	"strings"
+  "context"
+  "fmt"
+  "net/http"
+  netUrl "net/url"
+  "strings"
 
-	"github.com/MicahParks/keyfunc"
-	"github.com/golang-jwt/jwt/v4"
+  "github.com/MicahParks/keyfunc"
+  "github.com/golang-jwt/jwt/v4"
 )
 
 type GitLabAuthenticationProvider struct {
-	jwks *keyfunc.JWKS
+  jwks *keyfunc.JWKS
 }
 
 var _ AuthenticationProvider = &GitLabAuthenticationProvider{}
@@ -22,51 +22,51 @@ var _ AuthenticationProvider = &GitLabAuthenticationProvider{}
 // It takes the GitLab instance URL as an argument.
 // The context is used to cancel the refreshing of keys.
 func NewGitLabAuthenticationProvider(ctx context.Context, url string) (*GitLabAuthenticationProvider, error) {
-	parsedURL, err := netUrl.Parse(url)
-	if err != nil {
-		return nil, fmt.Errorf("invalid URL: %w", err)
-	}
+  parsedURL, err := netUrl.Parse(url)
+  if err != nil {
+    return nil, fmt.Errorf("invalid URL: %w", err)
+  }
 
-	parsedURL.Path = "/-/jwks"
+  parsedURL.Path = "/oauth/discovery/keys"
 
-	jwks, err := keyfunc.Get(parsedURL.String(), keyfunc.Options{
-		Ctx: ctx,
-	})
-	if err != nil {
-		return nil, fmt.Errorf("loading JWKS: %w", err)
-	}
+  jwks, err := keyfunc.Get(parsedURL.String(), keyfunc.Options{
+    Ctx: ctx,
+  })
+  if err != nil {
+    return nil, fmt.Errorf("loading JWKS: %w", err)
+  }
 
-	p := &GitLabAuthenticationProvider{
-		jwks: jwks,
-	}
+  p := &GitLabAuthenticationProvider{
+    jwks: jwks,
+  }
 
-	return p, nil
+  return p, nil
 }
 
 func (p *GitLabAuthenticationProvider) AuthCtxFromRequest(r *http.Request) (AuthCtx, error) {
-	authorizationHeader := r.Header.Get("Authorization")
-	if authorizationHeader == "" {
-		return AuthCtx{
-			Error: fmt.Errorf("missing Authorization header"),
-		}, nil
-	}
-	const bearerPrefix = "Bearer "
-	if !strings.HasPrefix(authorizationHeader, bearerPrefix) {
-		return AuthCtx{
-			Error: fmt.Errorf("invalid Bearer scheme in Authorization header"),
-		}, nil
-	}
-	encodedJWT := authorizationHeader[len(bearerPrefix):]
+  authorizationHeader := r.Header.Get("Authorization")
+  if authorizationHeader == "" {
+    return AuthCtx{
+      Error: fmt.Errorf("missing Authorization header"),
+    }, nil
+  }
+  const bearerPrefix = "Bearer "
+  if !strings.HasPrefix(authorizationHeader, bearerPrefix) {
+    return AuthCtx{
+      Error: fmt.Errorf("invalid Bearer scheme in Authorization header"),
+    }, nil
+  }
+  encodedJWT := authorizationHeader[len(bearerPrefix):]
 
-	token, err := jwt.ParseWithClaims(encodedJWT, &GitLabClaims{}, p.jwks.Keyfunc, jwt.WithValidMethods([]string{"RS256"}))
-	if err != nil {
-		return AuthCtx{
-			Error: fmt.Errorf("parsing JWT: %w", err),
-		}, nil
-	}
+  token, err := jwt.ParseWithClaims(encodedJWT, &GitLabClaims{}, p.jwks.Keyfunc, jwt.WithValidMethods([]string{"RS256"}))
+  if err != nil {
+    return AuthCtx{
+      Error: fmt.Errorf("parsing JWT: %w", err),
+    }, nil
+  }
 
-	claims := token.Claims.(*GitLabClaims)
-	return AuthCtx{
-		GitLabClaims: claims,
-	}, nil
+  claims := token.Claims.(*GitLabClaims)
+  return AuthCtx{
+    GitLabClaims: claims,
+  }, nil
 }