Fix Authentik WIF token endpoint
This commit is contained in:
parent
5ef4fdef64
commit
8180c3c35a
2 changed files with 33 additions and 1 deletions
|
|
@ -7,6 +7,7 @@ pool_id="${BURROW_GOOGLE_WIF_POOL_ID:-burrow-authentik}"
|
|||
provider_id="${BURROW_GOOGLE_WIF_PROVIDER_ID:-forgejo-runners}"
|
||||
service_account="${BURROW_GOOGLE_WIF_SERVICE_ACCOUNT:-burrow-forgejo-runner@project-88c23ce9-918a-470a-b33.iam.gserviceaccount.com}"
|
||||
authentik_issuer="${BURROW_AUTHENTIK_WIF_ISSUER:-https://auth.burrow.net/application/o/google-cloud/}"
|
||||
authentik_token_endpoint="${BURROW_AUTHENTIK_WIF_TOKEN_ENDPOINT:-}"
|
||||
authentik_audience="${BURROW_AUTHENTIK_WIF_AUDIENCE:-google-wif.burrow.net}"
|
||||
authentik_client_id="${BURROW_AUTHENTIK_WIF_CLIENT_ID:-${AUTHENTIK_GOOGLE_WIF_CLIENT_ID:-google-wif.burrow.net}}"
|
||||
authentik_client_secret="${BURROW_AUTHENTIK_WIF_CLIENT_SECRET:-${AUTHENTIK_GOOGLE_WIF_CLIENT_SECRET:-}}"
|
||||
|
|
@ -30,6 +31,7 @@ Inputs:
|
|||
BURROW_GOOGLE_WIF_PROVIDER_ID
|
||||
BURROW_GOOGLE_WIF_SERVICE_ACCOUNT
|
||||
BURROW_AUTHENTIK_WIF_ISSUER
|
||||
BURROW_AUTHENTIK_WIF_TOKEN_ENDPOINT
|
||||
BURROW_AUTHENTIK_WIF_AUDIENCE
|
||||
BURROW_AUTHENTIK_WIF_TOKEN or BURROW_AUTHENTIK_WIF_TOKEN_FILE
|
||||
|
||||
|
|
@ -66,6 +68,32 @@ require_command gcloud
|
|||
require_command curl
|
||||
require_command jq
|
||||
|
||||
resolve_token_endpoint() {
|
||||
if [[ -n "$authentik_token_endpoint" ]]; then
|
||||
printf '%s\n' "$authentik_token_endpoint"
|
||||
return
|
||||
fi
|
||||
|
||||
local issuer_no_slash="${authentik_issuer%/}"
|
||||
local discovered=""
|
||||
if discovered="$(
|
||||
curl -fsS "${issuer_no_slash}/.well-known/openid-configuration" 2>/dev/null \
|
||||
| jq -r '.token_endpoint // empty' 2>/dev/null
|
||||
)" && [[ -n "$discovered" ]]; then
|
||||
printf '%s\n' "$discovered"
|
||||
return
|
||||
fi
|
||||
|
||||
case "$issuer_no_slash" in
|
||||
*/application/o/*)
|
||||
printf '%s/application/o/token/\n' "${issuer_no_slash%%/application/o/*}"
|
||||
;;
|
||||
*)
|
||||
printf '%s/token/\n' "$issuer_no_slash"
|
||||
;;
|
||||
esac
|
||||
}
|
||||
|
||||
mkdir -p "$work_dir"
|
||||
chmod 0700 "$work_dir"
|
||||
|
||||
|
|
@ -85,7 +113,7 @@ else
|
|||
echo "missing Authentik WIF token. Set BURROW_AUTHENTIK_WIF_TOKEN, BURROW_AUTHENTIK_WIF_TOKEN_FILE, or BURROW_AUTHENTIK_WIF_CLIENT_SECRET." >&2
|
||||
exit 1
|
||||
fi
|
||||
token_endpoint="${authentik_issuer%/}/token/"
|
||||
token_endpoint="$(resolve_token_endpoint)"
|
||||
curl -fsS \
|
||||
-u "${authentik_client_id}:${authentik_client_secret}" \
|
||||
-d grant_type=client_credentials \
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue