From 97d44d3d2fa5aaa3229dfc080c1185234b6e7fcd Mon Sep 17 00:00:00 2001
From: Rik Veenboer
Date: Thu, 5 Dec 2024 14:35:31 +0100
Subject: [PATCH] seperate proxy for rewriting openid config

---
 authentik/proxy/Dockerfile   |  6 ++++++
 authentik/proxy/app.py       | 24 ++++++++++++++++++++++++
 caddy/conf/auth.caddy        |  2 +-
 caddy/sites/test.caddy       |  2 +-
 docker-compose.authentik.yml | 13 +++++++++++++
 5 files changed, 45 insertions(+), 2 deletions(-)
 create mode 100644 authentik/proxy/Dockerfile
 create mode 100644 authentik/proxy/app.py

diff --git a/authentik/proxy/Dockerfile b/authentik/proxy/Dockerfile
new file mode 100644
index 0000000..06ddd7c
--- /dev/null
+++ b/authentik/proxy/Dockerfile
@@ -0,0 +1,6 @@
+FROM python:3.12-slim
+WORKDIR /app
+RUN pip install --no-cache-dir flask gunicorn requests
+COPY app.py .
+EXPOSE 5000
+CMD ["gunicorn", "-w", "1", "-b", "0.0.0.0:5000", "app:app"]
diff --git a/authentik/proxy/app.py b/authentik/proxy/app.py
new file mode 100644
index 0000000..833fb84
--- /dev/null
+++ b/authentik/proxy/app.py
@@ -0,0 +1,24 @@
+import os
+import requests
+from flask import Flask, jsonify, request
+
+app = Flask(__name__)
+
+@app.route("/headers")
+def headers():
+    return jsonify(dict(request.headers))
+
+@app.route("//.well-known/openid-configuration",)
+def openid(provider):
+    internal = os.environ.get('INTERNAL')
+    external = os.environ.get('EXTERNAL')
+    url = f'/application/o/{provider}/.well-known/openid-configuration'
+    response = requests.get(f'{internal}/{url}')
+    return jsonify({
+        k: v.replace(internal, external)
+        if isinstance(v, str) and (k != 'jwks_uri') else v
+        for k, v in response.json().items()
+    })
+
+if __name__ == '__main__':
+    app.run(host='0.0.0.0', port=5000)
diff --git a/caddy/conf/auth.caddy b/caddy/conf/auth.caddy
index 09be7d5..4806a88 100644
--- a/caddy/conf/auth.caddy
+++ b/caddy/conf/auth.caddy
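Review bot: `RUN pip install --no-cache-dir flask gunicorn requests` is unpinned, so each rebuild resolves whatever the newest releases happen to be and the image is neither reproducible nor auditable; pin the three packages (ideally a `requirements.txt` installed with `--require-hashes`) so a breaking or compromised upstream release cannot slip in on a rebuild. Gunicorn is also started as root: the service only needs to listen on 5000, so `RUN useradd --system --no-create-home app` followed by `USER app` before `CMD` costs nothing and limits what a bug in the proxy can reach. `-w 1` means a single synchronous worker, which matters once the handler blocks on an upstream call — worth a comment if that is deliberate.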
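Review bot: `requests.get` in `openid` has no timeout and its status is never checked, so a stalled upstream ties up the single gunicorn worker indefinitely and an error body from authentik is handed straight to `response.json()` and re-served as if it were the discovery document; a bounded `timeout=` plus `raise_for_status()` belongs before the rewrite. The `INTERNAL`/`EXTERNAL` lookups return `None` when unset, which only surfaces as a `TypeError` from `v.replace` on the first request, and `f'{internal}/{url}'` produces a double slash because `url` already starts with `/` — read both at import time and build one normalized URL. The route is rendered here as `//.well-known/openid-configuration` with no `<provider>` converter while the view takes a `provider` argument; presumably the angle-bracket placeholder was lost in rendering, but the committed file should be checked. Because the rewritten document keeps `jwks_uri` pointing at the plain-HTTP internal address, consumers fetch the signing keys unauthenticated over that network segment, which is acceptable only if the segment is trusted and deserves a comment saying so. The `/headers` echo endpoint looks like a debugging aid and should not ship on an unauthenticated listener.
```python
INTERNAL = os.environ["INTERNAL"].rstrip("/")   # fail at startup, not on first request
EXTERNAL = os.environ["EXTERNAL"].rstrip("/")

# … unchanged: app = Flask(__name__), /headers route …

@app.route("/<provider>/.well-known/openid-configuration")
def openid(provider):
    """Serve authentik's discovery document with internal URLs rewritten to the
    public origin; jwks_uri is left internal on purpose so the portal fetches
    keys without leaving the host network."""
    url = f"{INTERNAL}/application/o/{provider}/.well-known/openid-configuration"
    response = requests.get(url, timeout=5)
    response.raise_for_status()          # never re-serve a 4xx/5xx body as metadata
    return jsonify({
        k: v.replace(INTERNAL, EXTERNAL)
        if isinstance(v, str) and k != "jwks_uri" else v
        for k, v in response.json().items()
    })
```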
@@ -10,7 +10,7 @@
         scopes openid email profile
         base_auth_url https://authentik.rik.veenboer.xyz
-        metadata_url http://host:12345/.well-known
+        metadata_url http://192.168.2.200:15000/caddy/.well-known/openid-configuration
     }
     authentication portal myportal {
         enable identity provider generic
diff --git a/caddy/sites/test.caddy b/caddy/sites/test.caddy
index 35f7acc..d8739b3 100644
--- a/caddy/sites/test.caddy
+++ b/caddy/sites/test.caddy
@@ -4,7 +4,7 @@ test.rik.veenboer.xyz {
     }
     authorize with mypolicy
-    reverse_proxy host:12345
+    reverse_proxy host:15000
 }
 auth.rik.veenboer.xyz {
diff --git a/docker-compose.authentik.yml b/docker-compose.authentik.yml
index 1b8b16d..7e2d62b 100644
--- a/docker-compose.authentik.yml
+++ b/docker-compose.authentik.yml
@@ -75,3 +75,16 @@ services:
     depends_on:
       - authentik-postgresql
       - authentik-redis
+
+  authentik-proxy:
+    image: authentik-proxy
+    container_name: authentik-proxy
+    ports:
+      - "15000:5000"
+    environment:
+      INTERNAL: http://host:19000
+      EXTERNAL: https://authentik.rik.veenboer.xyz
+    build:
+      context: /opt/authentik/proxy
+    extra_hosts:
+      - host:192.168.2.200
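Review bot: `metadata_url http://192.168.2.200:15000/caddy/.well-known/openid-configuration` fetches the discovery document over plain HTTP from a raw LAN address, and that document is what tells the portal where its token endpoint and `jwks_uri` are — anyone who can answer for 192.168.2.200 on that segment can point the portal at keys they control. If this must stay HTTP, record the assumption next to the line (`# plain HTTP: proxy and portal are on the same trusted host network`) and make sure the proxy only listens on that address; otherwise terminate TLS in front of the rewriting proxy. The other changes in this diff reach the host through the `host` alias rather than a literal IP, so the hard-coded address here is also the one place that silently breaks when the host renumbers.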
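Review bot: `reverse_proxy host:15000` now sends test.rik.veenboer.xyz to the same port this diff publishes for the `authentik-proxy` container, so behind `authorize with mypolicy` the site serves that proxy's `/headers` echo and discovery endpoints rather than whatever ran on 12345 before. If exercising the rewrite is the intent, a comment such as `# 15000 = authentik-proxy (docker-compose.authentik.yml), used to test the metadata rewrite` would stop the next reader from assuming an application lives there; the `/headers` route returns the headers the portal injected, which is useful for debugging but nothing to leave behind a public hostname. The enclosing site block is opened before this hunk.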
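Review bot: `- "15000:5000"` publishes the rewriting proxy on every interface of the docker host, and Docker's own iptables rules bypass the host firewall, so an unauthenticated service that echoes request headers and relays to authentik on 19000 becomes reachable from anywhere that can route to the host. The only consumer in this diff is Caddy at 192.168.2.200, so bind the publication there, `- "192.168.2.200:15000:5000"` (or `127.0.0.1` if Caddy runs on the same host). The `extra_hosts` entry maps `host` to that same address, so `INTERNAL: http://host:19000` leaves the compose network and re-enters through the host's published authentik port; a one-line comment on why the internal hop goes that way would help, or attach the proxy to the authentik network and point `INTERNAL` at the server container directly. No `restart:` policy is set; since Caddy's metadata fetch depends on this container being up, `restart: unless-stopped` is worth adding.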