Fix OIDC redirect url

Dockerfile

@@ -1,5 +1,5 @@
 
-FROM golang:1.22 AS builder
+FROM golang:1.23 AS builder
 
 WORKDIR /app
 

docker-compose.yml

@@ -26,6 +26,7 @@ services:
                 "--key-file", "/app/config/localhost.key",
                 "--irods-env", "/app/config/app_irods_environment.json",
                 "--enable-oidc",
+                "--index-interval", "60s",
                 "--log-level", "trace"]
       # Set the following environment variables in a .env file (files named .env
       # are declared in .gitignore):
@@ -39,6 +40,7 @@ services:
       # OIDC_CLIENT_ID
       # OIDC_CLIENT_SECRET
       # OIDC_ISSUER_URL
+      # OIDC_CALLBACK_URL
       env_file: .env
       ports:
         - "3333:3333"

go.mod

@@ -1,6 +1,6 @@
 module sqyrrl
 
-go 1.22
+go 1.23
 
 require (
 	github.com/alexedwards/scs/v2 v2.8.0

server/handlers.go

@@ -50,7 +50,9 @@ func HandleHomePage(server *SqyrrlServer) http.Handler {
 		requestPath := r.URL.Path
 		requestMethod := r.Method
 
+		// Redirect all GET requests to the iRODS API
 		if requestPath != "/" && requestMethod == "GET" {
+			// No favicon.ico here. Prevent this redirecting to look in iRODS for it
 			if requestPath == "/favicon.ico" {
 				writeErrorResponse(logger, w, http.StatusNotFound)
 				return
@@ -214,6 +216,8 @@ func HandleAuthCallback(server *SqyrrlServer) http.Handler {
 			Str("email", claims.Email).
 			Msg("User logged in")
 
+		logger.Debug().Msg("Redirecting logged in user to home page")
+
 		http.Redirect(w, r, "/", http.StatusFound)
 	})
 }

server/routes.go

@@ -47,12 +47,13 @@ func (server *SqyrrlServer) addRoutes(mux *http.ServeMux) {
 	getStatic := http.StripPrefix(EndpointStatic, HandleStaticContent(server))
 	getObject := http.StripPrefix(EndpointIRODS, HandleIRODSGet(server))
 
+	// See the home page template for the login/logout button that POSTs to these endpoints
 	loginHandler := sm.LoadAndSave(correlate(logRequest(HandleLogin(server))))
-	server.addRoute(mux, "GET", EndpointLogin, loginHandler)
-
+	server.addRoute(mux, "POST", EndpointLogin, loginHandler)
 	logoutHandler := sm.LoadAndSave(correlate(logRequest(HandleLogout(server))))
 	server.addRoute(mux, "POST", EndpointLogout, logoutHandler)
 
+	// OIDC authentication callback endpoint
 	authCallbackHandler := sm.LoadAndSave(correlate(logRequest(HandleAuthCallback(server))))
 	server.addRoute(mux, "GET", EndpointAuthCallback, authCallbackHandler)
 
@@ -61,12 +62,12 @@ func (server *SqyrrlServer) addRoutes(mux *http.ServeMux) {
 	staticHandler := sm.LoadAndSave(sanitiseURL(correlate(logRequest(getStatic))))
 	server.addRoute(mux, "GET", EndpointStatic, staticHandler)
 
-	// The endpoint used to access files in iRODS
+	// The API endpoint used to access files in iRODS
 	irodsGetHandler := sm.LoadAndSave(sanitiseURL(correlate(logRequest(getObject))))
 	server.addRoute(mux, "GET", EndpointIRODS, irodsGetHandler)
 
 	// The root endpoint hosts a home page. Any requests relative to it are redirected
-	// to the API endpoint
+	// to the iRODS API endpoint
 	rootHandler := sm.LoadAndSave(sanitiseURL(correlate(logRequest(HandleHomePage(server)))))
 	server.addRoute(mux, "GET", EndpointRoot, rootHandler)
 }

server/server.go

@@ -26,6 +26,7 @@ import (
 	"net"
 	"net/http"
 	"net/mail"
+	"net/url"
 	"os"
 	"os/signal"
 	"path/filepath"
@@ -82,9 +83,10 @@ const (
 )
 
 const (
-	EnvClientID     = "OIDC_CLIENT_ID"
-	EnvClientSecret = "OIDC_CLIENT_SECRET"
-	EnvOIDCIssuer   = "OIDC_ISSUER_URL"
+	EnvClientID        = "OIDC_CLIENT_ID"
+	EnvClientSecret    = "OIDC_CLIENT_SECRET"
+	EnvOIDCIssuerURL   = "OIDC_ISSUER_URL"
+	EnvOIDCRedirectURL = "OIDC_CALLBACK_URL"
 )
 
 const (
@@ -162,7 +164,8 @@ func NewSqyrrlServer(logger zerolog.Logger, config Config) (server *SqyrrlServer
 	var oidcConfig *oidc.Config
 	var oidcProvider *oidc.Provider
 	var oauth2Config *oauth2.Config
-	var clientID, clientSecret, oidcIssuer string
+	var clientID, clientSecret, oidcIssuerURL, oidcRedirectURL string
+	var issuerURL, redirectURL *url.URL
 
 	if config.EnableOIDC {
 		if clientID, err = getEnv(EnvClientID); err != nil {
@@ -171,15 +174,33 @@ func NewSqyrrlServer(logger zerolog.Logger, config Config) (server *SqyrrlServer
 		if clientSecret, err = getEnv(EnvClientSecret); err != nil {
 			return nil, err
 		}
-		if oidcIssuer, err = getEnv(EnvOIDCIssuer); err != nil {
+		if oidcIssuerURL, err = getEnv(EnvOIDCIssuerURL); err != nil {
+			return nil, err
+		}
+		if oidcRedirectURL, err = getEnv(EnvOIDCRedirectURL); err != nil {
 			return nil, err
 		}
 
 		oidcConfig = &oidc.Config{
 			ClientID: clientID,
 		}
 
-		oidcProvider, err = oidc.NewProvider(context.Background(), oidcIssuer)
+		// Parse the provided URLs to ensure they are valid
+		issuerURL, err = url.Parse(oidcIssuerURL)
+		if err != nil {
+			return nil, err
+		}
+		redirectURL, err = url.Parse(oidcRedirectURL)
+		if err != nil {
+			return nil, err
+		}
+		redirectURL, err = url.Parse(redirectURL.Scheme + "://" +
+			net.JoinHostPort(redirectURL.Hostname(), config.Port))
+		if err != nil {
+			return nil, err
+		}
+
+		oidcProvider, err = oidc.NewProvider(context.Background(), issuerURL.String())
 		if err != nil {
 			return nil, err
 		}
@@ -188,7 +209,7 @@ func NewSqyrrlServer(logger zerolog.Logger, config Config) (server *SqyrrlServer
 			ClientID:     clientID,
 			ClientSecret: clientSecret,
 			Endpoint:     oidcProvider.Endpoint(),
-			RedirectURL:  "https://" + net.JoinHostPort("localhost", config.Port) + EndpointAuthCallback,
+			RedirectURL:  redirectURL.JoinPath(EndpointAuthCallback).String(),
 			Scopes:       []string{oidc.ScopeOpenID, "profile", "email"},
 		}