From 734d3c61db425de98a3e0dfc86cdb19715879fc0 Mon Sep 17 00:00:00 2001
From: Felix Bartels <1257835+fbartels@users.noreply.github.com>
Date: Fri, 1 May 2020 12:23:06 +0200
Subject: [PATCH] Check if external authority is correctly configured (#390)

* check if oidc provider is reachable

Relates to https://github.com/zokradonh/kopano-docker/issues/376

Signed-off-by: Felix Bartels

* compare issuer in the discovery document with the configured one

Signed-off-by: Felix Bartels
---
 konnect/wrapper.sh | 11 +++++++++++
 1 file changed, 11 insertions(+)

diff --git a/konnect/wrapper.sh b/konnect/wrapper.sh
index e61bcc1..df6d75c 100755
--- a/konnect/wrapper.sh
+++ b/konnect/wrapper.sh
@@ -100,6 +100,17 @@ if [ "${external_oidc_provider:-}" = "yes" ]; then
 echo "Patching identifier registration for external OIDC provider"
 echo "authorities: [{name: ${external_oidc_name:-}, default: yes, iss: ${external_oidc_url:-}, client_id: ${external_oidc_clientid:-}, client_secret: ${external_oidc_clientsecret:-}, authority_type: oidc, response_type: id_token, scopes: [openid, profile, email], trusted: yes, end_session_enabled: true}]" >> /tmp/authority.yml
 yq -y -s '.[0] + .[1]' $CONFIG_JSON /tmp/authority.yml | sponge "$identifier_registration_conf"
+
+echo "Checking if external OIDC provider is reachable"
+dockerize \
+-wait "$external_oidc_url"/.well-known/openid-configuration \
+-timeout "$DOCKERIZE_TIMEOUT"
+
+reported_issuer=$(curl -s "$external_oidc_url/.well-known/openid-configuration" | jq -r .issuer)
+if [ -n "${external_oidc_url##$reported_issuer}" ] ;then
+echo "Error: The Issuer does not match the configured url"
+exit 1
+fi
 fi
 
 # source additional configuration from Konnect cfg (potentially overwrites env vars)
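Review bot: The issuer comparison `[ -n "${external_oidc_url##$reported_issuer}" ]` uses the value fetched from the remote discovery document as an unquoted glob pattern, so an issuer value such as `*` (or any prefix ending in a wildcard) would make the check pass even though it is not the configured URL; an exact string comparison is what is intended: `if [ "$reported_issuer" != "$external_oidc_url" ]; then`. It would also help to add `--fail` to the `curl -s` call (or check its status) so that an HTTP error page or empty response is reported as a fetch failure — with the current pipeline a failed fetch leaves `reported_issuer` empty (or `null` if the key is missing) and prints the misleading "Issuer does not match" message. The enclosing `if [ "${external_oidc_provider:-}" = "yes" ]` block starts before the hunk.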