diff --git a/.env.sample b/.env.sample
index 1dce7295..9d4882d9 100644
--- a/.env.sample
+++ b/.env.sample
@@ -108,10 +108,6 @@ HYDRA_ADMIN_URL=http://hydra:4445
 # Oathkeeper가 /oidc 경로를 Hydra Public API로 라우팅합니다.
 HYDRA_PUBLIC_URL=${OATHKEEPER_PUBLIC_URL}/oidc
-# OIDC 클라이언트 callback (콤마 구분)
-ADMINFRONT_CALLBACK_URLS=http://localhost:5173/auth/callback,https://sso.hmac.kr/auth/callback
-DEVFRONT_CALLBACK_URLS=http://localhost:5174/auth/callback,https://sso.hmac.kr/devfront/auth/callback
-
 # Kratos allowed_return_urls 확장 목록 (콤마 구분, 선택)
 # 기본값은 KRATOS_UI_URL, USERFRONT_URL, 각 callback URL을 자동 포함합니다.
 KRATOS_ALLOWED_RETURN_URLS_EXTRA=[]
@@ -134,9 +130,11 @@ CSRF_COOKIE_NAME=__HOST-baronSSO_csrf
 CSRF_COOKIE_SECRET=localcsrf123
 # AdminFront OIDC 설정
+ADMINFRONT_URL=http://localhost:5173
 ADMINFRONT_CALLBACK_URLS=http://localhost:5173/auth/callback,https://sso.hmac.kr/auth/callback
 # DevFront OIDC 설정
 VITE_OIDC_CLIENT_ID=devfront
 VITE_OIDC_AUTHORITY=https://sso.hmac.kr/oidc
-DEVFRONT_CALLBACK_URLS=http://localhost:5174/auth/callback,https://sso.hmac.kr/devfront/auth/callback
\ No newline at end of file
+DEVFRONT_URL=http://localhost:5174
+DEVFRONT_CALLBACK_URLS=http://localhost:5174/auth/callback,https://sso.hmac.kr/devfront/auth/callback
diff --git a/.gitea/workflows/staging_code_pull.yml b/.gitea/workflows/staging_code_pull.yml
index fab15b99..1e0f7d6c 100644
--- a/.gitea/workflows/staging_code_pull.yml
+++ b/.gitea/workflows/staging_code_pull.yml
@@ -120,6 +120,8 @@ jobs:
           # Frontend OIDC configs for Staging
           VITE_OIDC_AUTHORITY=https://sso.hmac.kr/oidc
+          ADMINFRONT_URL=http://172.16.10.176:5173
+          DEVFRONT_URL=http://172.16.10.176:5174
           ADMINFRONT_CALLBACK_URLS=http://localhost:5173/auth/callback,https://sso.hmac.kr/auth/callback,http://172.16.10.176:5173/auth/callback,https://sadmin.hmac.kr/auth/callback
           DEVFRONT_CALLBACK_URLS=http://localhost:5174/auth/callback,https://sso.hmac.kr/devfront/auth/callback,http://172.16.10.176:5174/auth/callback,https://sdev.hmac.kr/auth/callback
           # OATHKEEPER_INTROSPECT_CLIENT_ID=${{ vars.OATHKEEPER_INTROSPECT_CLIENT_ID }}
diff --git a/backend/internal/handler/auth_handler.go b/backend/internal/handler/auth_handler.go
index b946b94b..3fabec6e 100644
--- a/backend/internal/handler/auth_handler.go
+++ b/backend/internal/handler/auth_handler.go
@@ -3388,13 +3388,11 @@ func (h *AuthHandler) ListLinkedRps(c *fiber.Ctx) error {
 			name = clientID
 		}
-		// ClientURI가 없으면 RedirectURIs에서 호스트 부분만 추출하여 URL로 사용 (Fallback)
-		clientURL := strings.TrimSpace(client.ClientURI)
-		if clientURL == "" && len(client.RedirectURIs) > 0 {
-			if parsed, err := url.Parse(client.RedirectURIs[0]); err == nil {
-				clientURL = fmt.Sprintf("%s://%s", parsed.Scheme, parsed.Host)
-			}
-		}
+		clientURL := resolveLinkedRPURL(
+			client.ClientID,
+			client.ClientURI,
+			client.RedirectURIs,
+		)
 		lastAuth := time.Time{}
 		if session.AuthenticatedAt != nil {
@@ -3484,12 +3482,11 @@ func (h *AuthHandler) ListLinkedRps(c *fiber.Ctx) error {
 			name = client.ClientID
 		}
-		clientURL := strings.TrimSpace(client.ClientURI)
-		if clientURL == "" && len(client.RedirectURIs) > 0 {
-			if parsed, err := url.Parse(client.RedirectURIs[0]); err == nil {
-				clientURL = fmt.Sprintf("%s://%s", parsed.Scheme, parsed.Host)
-			}
-		}
+		clientURL := resolveLinkedRPURL(
+			client.ClientID,
+			client.ClientURI,
+			client.RedirectURIs,
+		)
 		records[dc.ClientID] = &linkedRpRecord{
 			linkedRpSummary: linkedRpSummary{
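Review bot: The new `ADMINFRONT_URL` and `DEVFRONT_URL` values point at the plaintext `http://172.16.10.176` address, while the staging callback lists on the two lines below already carry the TLS origins `https://sadmin.hmac.kr` and `https://sdev.hmac.kr`. The Go hunk on this page returns these variables as the URL shown for the `adminfront`/`devfront` clients in the linked-RP list, so staging users would presumably be linked to an unencrypted internal IP instead of the public hostname. If the public hostnames are the intended entry points, set `ADMINFRONT_URL=https://sadmin.hmac.kr` and `DEVFRONT_URL=https://sdev.hmac.kr` here, and keep the IP only if the internal address is deliberately what should be displayed.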
@@ -5423,6 +5420,32 @@ func extractHydraClientLogo(metadata map[string]interface{}) string {
 	return ""
 }
+func resolveLinkedRPURL(clientID string, clientURI string, redirectURIs []string) string {
+	switch strings.TrimSpace(clientID) {
+	case "adminfront":
+		if value := strings.TrimSpace(os.Getenv("ADMINFRONT_URL")); value != "" {
+			return value
+		}
+	case "devfront":
+		if value := strings.TrimSpace(os.Getenv("DEVFRONT_URL")); value != "" {
+			return value
+		}
+	}
+
+	clientURL := strings.TrimSpace(clientURI)
+	if clientURL != "" {
+		return clientURL
+	}
+
+	if len(redirectURIs) > 0 {
+		if parsed, err := url.Parse(redirectURIs[0]); err == nil {
+			return fmt.Sprintf("%s://%s", parsed.Scheme, parsed.Host)
+		}
+	}
+
+	return ""
+}
+
 func mergeScopes(current []string, next []string) []string {
 	if len(next) == 0 {
 		return current
diff --git a/scripts/auth_config.sh b/scripts/auth_config.sh
index 0a9f3bee..4a4d4bae 100755
--- a/scripts/auth_config.sh
+++ b/scripts/auth_config.sh
@@ -17,8 +17,10 @@ USERFRONT_URL="${USERFRONT_URL:-http://localhost:5000}"
 OATHKEEPER_PUBLIC_URL="${OATHKEEPER_PUBLIC_URL:-$USERFRONT_URL}"
 HYDRA_PUBLIC_URL="${HYDRA_PUBLIC_URL:-${OATHKEEPER_PUBLIC_URL%/}/oidc}"
 KRATOS_UI_URL="${KRATOS_UI_URL:-http://localhost:5000}"
-ADMINFRONT_CALLBACK_URLS="${ADMINFRONT_CALLBACK_URLS:-http://localhost:5173/auth/callback}"
-DEVFRONT_CALLBACK_URLS="${DEVFRONT_CALLBACK_URLS:-http://localhost:5174/callback}"
+ADMINFRONT_URL="${ADMINFRONT_URL:-http://172.16.10.176:5173}"
+DEVFRONT_URL="${DEVFRONT_URL:-http://172.16.10.176:5174}"
+ADMINFRONT_CALLBACK_URLS="${ADMINFRONT_CALLBACK_URLS:-http://172.16.10.176:5173/auth/callback}"
+DEVFRONT_CALLBACK_URLS="${DEVFRONT_CALLBACK_URLS:-http://172.16.10.176:5174/auth/callback}"
 KRATOS_ALLOWED_RETURN_URLS_EXTRA="${KRATOS_ALLOWED_RETURN_URLS_EXTRA:-}"
 declare -a WARNINGS=()
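Review bot: The redirect-URI fallback at the bottom of `resolveLinkedRPURL` formats `parsed.Scheme` and `parsed.Host` without checking that either is present, so a client whose first registered redirect is a custom-scheme or relative URI (a native-app redirect, for instance) produces a value such as `myapp://` or `://` that the caller presumably hands to the frontend as a clickable link. Because this string is shown to end users as where an RP lives, it should only be derived from an absolute `http`/`https` URL with a non-empty host, skipping redirect entries that do not qualify; the `ADMINFRONT_URL`/`DEVFRONT_URL` branches above return the environment value with no such check either, and reading them on every call rather than once into config is a further reason to route all three sources through one validation step. The inline code removed from `ListLinkedRps` had the same gap, so this is inherited, but the new helper is the place to close it. Rewritten fallback:
```go
func resolveLinkedRPURL(clientID string, clientURI string, redirectURIs []string) string {
	// … unchanged: ADMINFRONT_URL/DEVFRONT_URL lookup, ClientURI passthrough …

	// Fallback: origin of the first redirect URI that is an absolute http(s) URL.
	for _, raw := range redirectURIs {
		parsed, err := url.Parse(strings.TrimSpace(raw))
		if err != nil || parsed.Host == "" {
			continue
		}
		if parsed.Scheme != "http" && parsed.Scheme != "https" {
			continue
		}
		return parsed.Scheme + "://" + parsed.Host
	}

	return ""
}
```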
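Review bot: The new defaults on the `ADMINFRONT_URL`, `DEVFRONT_URL`, `ADMINFRONT_CALLBACK_URLS` and `DEVFRONT_CALLBACK_URLS` lines bake the staging host `172.16.10.176` into a script that previously fell back to `localhost`, so anyone running it without those variables set registers OIDC redirect URIs for a machine they do not control, and the `.env.sample` on this same page still documents `localhost` as the default. A redirect URI should only ever be registered for an origin the operator explicitly configured; keep the loopback fallbacks (`ADMINFRONT_URL="${ADMINFRONT_URL:-http://localhost:5173}"`, `DEVFRONT_URL="${DEVFRONT_URL:-http://localhost:5174}"`, and the matching `/auth/callback` paths) and let the staging workflow supply the IP, as it already does.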
@@ -382,12 +384,21 @@ run_validation() {
   validate_dotenv_line_safety "HYDRA_PUBLIC_URL"
   validate_dotenv_line_safety "KRATOS_BROWSER_URL"
   validate_dotenv_line_safety "KRATOS_UI_URL"
+  validate_dotenv_line_safety "ADMINFRONT_URL"
+  validate_dotenv_line_safety "DEVFRONT_URL"
   validate_dotenv_line_safety "ADMINFRONT_CALLBACK_URLS"
   validate_dotenv_line_safety "DEVFRONT_CALLBACK_URLS"
+  if [[ -n "$ADMINFRONT_URL" ]]; then
+    validate_urls "ADMINFRONT_URL" "$ADMINFRONT_URL"
+  fi
+  if [[ -n "$DEVFRONT_URL" ]]; then
+    validate_urls "DEVFRONT_URL" "$DEVFRONT_URL"
+  fi
+
   collect_values
   validate_callback_group "ADMINFRONT_CALLBACK_URLS" "/auth/callback" "${ADMIN_CALLBACKS[@]}"
-  validate_callback_group "DEVFRONT_CALLBACK_URLS" "/callback" "${DEV_CALLBACKS[@]}"
+  validate_callback_group "DEVFRONT_CALLBACK_URLS" "/auth/callback" "${DEV_CALLBACKS[@]}"
   validate_gateway_mapping
   build_allowed_return_urls
 }
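Review bot: The `if [[ -n "$ADMINFRONT_URL" ]]` and `if [[ -n "$DEVFRONT_URL" ]]` guards are always true, because the earlier hunk of this file assigns both variables a non-empty default with `${VAR:-...}`, so `validate_urls` runs unconditionally and the guards read as though an empty value were an accepted configuration when it cannot occur. Either drop the guards, or, if an empty value is meant to disable the override, make the defaults empty so the guards can actually skip. Separately, nothing here checks that the scheme://host of `ADMINFRONT_URL`/`DEVFRONT_URL` appears among the origins in the corresponding `*_CALLBACK_URLS` list, which is the relationship the Go handler on this page relies on when it prefers the env value over the client's registered URIs; a comparison against `ADMIN_CALLBACKS`/`DEV_CALLBACKS` after `collect_values` would catch a displayed link that points users at a host the client never redirects to. `validate_urls` and `collect_values` are defined outside this hunk, so what they already enforce cannot be confirmed from here.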