diff --git a/src/nginxconfig.ejs b/src/nginxconfig.ejs
index f25093f5a..25950a091 100644
--- a/src/nginxconfig.ejs
+++ b/src/nginxconfig.ejs
@@ -303,7 +303,7 @@ server {
 proxy_set_header Content-Length "";
 }
- location ~ ^/(login|logout|callback)$ {
+ location ~ ^/(logout|callback)$ {
 proxy_pass http://127.0.0.1:3001;
 }
@@ -370,7 +370,7 @@ server {
 proxy_set_header Content-Length "";
 }
- location ~ ^/(login|logout)$ {
+ location ~ ^/(logout|callback)$ {
 proxy_pass http://127.0.0.1:3001;
 }
@@ -381,7 +381,8 @@ server {
 if ($http_user_agent ~* "container") { return 401; }
- return 302 /login?redirect=$request_uri;
+
+ return 302 "https://<%= proxyAuth.oidcEndpoint %>/openid/auth?client_id=<%= proxyAuth.oidcClientId %>&scope=openid profile email&response_type=code&redirect_uri=https://<%= vhost %>/callback";
 }
 location / {
diff --git a/src/proxyauth.js b/src/proxyauth.js
index f781c4bbe..aea35e495 100644
--- a/src/proxyauth.js
+++ b/src/proxyauth.js
@@ -12,6 +12,7 @@ const apps = require('./apps.js'),
 basicAuth = require('basic-auth'),
 blobs = require('./blobs.js'),
 constants = require('./constants.js'),
+ dashboard = require('./dashboard.js'),
 debug = require('debug')('box:proxyAuth'),
 express = require('express'),
 hat = require('./hat.js'),
@@ -150,9 +151,12 @@ async function logout(req, res, next) {
 res.clearCookie('authToken');
+ const oidcProviderFqdn = (await dashboard.getLocation()).fqdn;
+ const oidcLoginURI = `https://${oidcProviderFqdn}/openid/auth?client_id=${app.id}&scope=openid profile email&response_type=code&redirect_uri=https://${app.fqdn}/callback`;
+
 // when we have no path, redirect to the login page. we cannot redirect to '/' because browsers will immediately serve up the cached page
 // if a path is set, we can assume '/' is a public page
- res.redirect(302, app.manifest.addons.proxyAuth.path ? '/' : '/login');
+ res.redirect(302, app.manifest.addons.proxyAuth.path ? '/' : oidcLoginURI);
 }
 // provides webhooks for the auth wall
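Review bot: The `scope` value in the new `return 302` URL of the third hunk contains literal spaces (`scope=openid profile email`), so the Location header nginx emits is not a valid URI and only works where the client repairs it; percent-encode it, `&scope=openid%20profile%20email&`, here and in the identical literal built in proxyauth.js. The authorization request also carries no `state` parameter, so the `/callback` handler (not in this diff) has nothing to bind the returned code to the browser session; unless it generates and verifies one elsewhere, the flow lacks the standard login-CSRF protection. The removed line forwarded `$request_uri`; the new redirect drops it, so after authentication the user lands on `/callback` with no record of the page they originally requested, unless the callback recovers it by other means. The same URL is now assembled in two places from different inputs (`proxyAuth.oidcEndpoint`/`proxyAuth.oidcClientId` here, `dashboard.getLocation().fqdn`/`app.id` in proxyauth.js), which deserves a comment or a shared helper so the two do not drift.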
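Review bot: `oidcLoginURI` in the logout hunk is assembled by string interpolation with an unencoded space-separated `scope` and an unencoded `redirect_uri`, so the query is malformed unless the client repairs it; building it with `URL` and `searchParams.set` encodes every parameter. The lookup `await dashboard.getLocation()` runs on every logout even when `proxyAuth.path` is set and the URI is never used, and a rejection there surfaces as an unhandled error in this handler unless an outer wrapper forwards it to `next`, so either wrap it or move it into the branch that needs it. As in the nginx template, the request carries no `state`, which the `/callback` handler would need to tie the response to this browser. `logout` begins above the hunk, so where `app` comes from and what error handling surrounds it is not visible here.
```javascript
    let target = '/';
    if (!app.manifest.addons.proxyAuth.path) {
        const oidcProviderFqdn = (await dashboard.getLocation()).fqdn;
        const oidcLoginURI = new URL(`https://${oidcProviderFqdn}/openid/auth`);
        oidcLoginURI.searchParams.set('client_id', app.id);
        oidcLoginURI.searchParams.set('scope', 'openid profile email');
        oidcLoginURI.searchParams.set('response_type', 'code');
        oidcLoginURI.searchParams.set('redirect_uri', `https://${app.fqdn}/callback`);
        target = oidcLoginURI.href;
    }
    // … unchanged: comment on why '/' is avoided when no path is set …
    res.redirect(302, target);
```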