fix: use PublicURL where given (ory#2441)

Closes ory#2422 BREAKING CHANGE: This patch changes how issuer and public URLs are used. Please be aware that going forward, the public URL is used for redirects. Previously, the issuer URL was used. If no public URL is set, the issuer URL will be used as before.
Sc0rpi0n101 · Apr 4, 2021 · eefefd5 · eefefd5
1 parent 666cd25
commit eefefd5
Show file tree

Hide file tree

Showing 3 changed files with 36 additions and 6 deletions.
diff --git a/consent/handler.go b/consent/handler.go
@@ -701,7 +701,7 @@ func (h *Handler) AcceptLogoutRequest(w http.ResponseWriter, r *http.Request, ps
 	}
 
 	h.r.Writer().Write(w, r, &RequestHandlerResponse{
-		RedirectTo: urlx.SetQuery(urlx.AppendPaths(h.c.IssuerURL(), "/oauth2/sessions/logout"), url.Values{"logout_verifier": {c.Verifier}}).String(),
+		RedirectTo: urlx.SetQuery(urlx.AppendPaths(h.c.PublicURL(), "/oauth2/sessions/logout"), url.Values{"logout_verifier": {c.Verifier}}).String(),
 	})
 }
 

diff --git a/driver/config/provider.go b/driver/config/provider.go
@@ -422,8 +422,8 @@ func (p *Provider) adminFallbackURL(path string) *url.URL {
 }
 
 func (p *Provider) publicFallbackURL(path string) *url.URL {
-	if len(p.IssuerURL().String()) > 0 {
-		return urlx.AppendPaths(p.IssuerURL(), path)
+	if len(p.PublicURL().String()) > 0 {
+		return urlx.AppendPaths(p.PublicURL(), path)
 	}
 
 	return p.fallbackURL(path, p.publicHost(), p.publicPort())
@@ -459,7 +459,7 @@ func (p *Provider) ErrorURL() *url.URL {
 }
 
 func (p *Provider) PublicURL() *url.URL {
-	return urlRoot(p.p.RequestURIF(KeyPublicURL, p.publicFallbackURL("/")))
+	return urlRoot(p.p.RequestURIF(KeyPublicURL, p.IssuerURL()))
 }
 
 func (p *Provider) IssuerURL() *url.URL {
@@ -473,11 +473,11 @@ func (p *Provider) OAuth2ClientRegistrationURL() *url.URL {
 }
 
 func (p *Provider) OAuth2TokenURL() *url.URL {
-	return p.p.RequestURIF(KeyOAuth2TokenURL, urlx.AppendPaths(p.IssuerURL(), "/oauth2/token"))
+	return p.p.RequestURIF(KeyOAuth2TokenURL, urlx.AppendPaths(p.PublicURL(), "/oauth2/token"))
 }
 
 func (p *Provider) OAuth2AuthURL() *url.URL {
-	return p.p.RequestURIF(KeyOAuth2AuthURL, urlx.AppendPaths(p.IssuerURL(), "/oauth2/auth"))
+	return p.p.RequestURIF(KeyOAuth2AuthURL, urlx.AppendPaths(p.PublicURL(), "/oauth2/auth"))
 }
 
 func (p *Provider) JWKSURL() *url.URL {

diff --git a/driver/config/provider_test.go b/driver/config/provider_test.go
@@ -146,6 +146,36 @@ func TestProviderIssuerURL(t *testing.T) {
 	assert.Equal(t, "http://hydra.localhost/", p2.IssuerURL().String())
 }
 
+func TestProviderIssuerPublicURL(t *testing.T) {
+	l := logrusx.New("", "")
+	l.Logrus().SetOutput(ioutil.Discard)
+	p := MustNew(l)
+	p.MustSet(KeyIssuerURL, "http://hydra.localhost")
+	p.MustSet(KeyPublicURL, "http://hydra.example")
+
+	assert.Equal(t, "http://hydra.localhost/", p.IssuerURL().String())
+	assert.Equal(t, "http://hydra.example/", p.PublicURL().String())
+	assert.Equal(t, "http://hydra.localhost/.well-known/jwks.json", p.JWKSURL().String())
+	assert.Equal(t, "http://hydra.example/oauth2/fallbacks/consent", p.ConsentURL().String())
+	assert.Equal(t, "http://hydra.example/oauth2/fallbacks/login", p.LoginURL().String())
+	assert.Equal(t, "http://hydra.example/oauth2/fallbacks/logout", p.LogoutURL().String())
+	assert.Equal(t, "http://hydra.example/oauth2/token", p.OAuth2TokenURL().String())
+	assert.Equal(t, "http://hydra.example/oauth2/auth", p.OAuth2AuthURL().String())
+	assert.Equal(t, "http://hydra.example/userinfo", p.OIDCDiscoveryUserinfoEndpoint().String())
+
+	p2 := MustNew(l)
+	p2.MustSet(KeyIssuerURL, "http://hydra.localhost")
+	assert.Equal(t, "http://hydra.localhost/", p2.IssuerURL().String())
+	assert.Equal(t, "http://hydra.localhost/", p2.PublicURL().String())
+	assert.Equal(t, "http://hydra.localhost/.well-known/jwks.json", p2.JWKSURL().String())
+	assert.Equal(t, "http://hydra.localhost/oauth2/fallbacks/consent", p2.ConsentURL().String())
+	assert.Equal(t, "http://hydra.localhost/oauth2/fallbacks/login", p2.LoginURL().String())
+	assert.Equal(t, "http://hydra.localhost/oauth2/fallbacks/logout", p2.LogoutURL().String())
+	assert.Equal(t, "http://hydra.localhost/oauth2/token", p2.OAuth2TokenURL().String())
+	assert.Equal(t, "http://hydra.localhost/oauth2/auth", p2.OAuth2AuthURL().String())
+	assert.Equal(t, "http://hydra.localhost/userinfo", p2.OIDCDiscoveryUserinfoEndpoint().String())
+}
+
 func TestProviderCookieSameSiteMode(t *testing.T) {
 	l := logrusx.New("", "")
 	l.Logrus().SetOutput(ioutil.Discard)