set entire org url rather than just org name

buzzfeed · Apr 23, 2019 · a25d57f · a25d57f
1 parent 1e46141
commit a25d57f
Show file tree

Hide file tree

Showing 2 changed files with 13 additions and 14 deletions.
diff --git a/internal/auth/options.go b/internal/auth/options.go
@@ -71,7 +71,7 @@ type Options struct {
 	GoogleAdminEmail         string `envconfig:"GOOGLE_ADMIN_EMAIL"`
 	GoogleServiceAccountJSON string `envconfig:"GOOGLE_SERVICE_ACCOUNT_JSON"`
 
-	OrgName string `envconfig:"OKTA_ORG_NAME"`
+	OrgURL string `envconfig:"OKTA_ORG_URL"`
 
 	Footer string `envconfig:"FOOTER"`
 
@@ -180,8 +180,8 @@ func (o *Options) Validate() error {
 		msgs = append(msgs, "missing setting: required-host-header")
 	}
 
-	if len(o.OrgName) > 0 {
-		o.OrgName = strings.Trim(o.OrgName, `"`)
+	if len(o.OrgURL) > 0 {
+		o.OrgURL = strings.Trim(o.OrgURL, `"`)
 	}
 	if len(o.ProviderServerID) > 0 {
 		o.ProviderServerID = strings.Trim(o.ProviderServerID, `"`)
@@ -297,7 +297,7 @@ func newProvider(o *Options) (providers.Provider, error) {
 		o.GroupsCacheStopFunc = cache.Stop
 		singleFlightProvider = providers.NewSingleFlightProvider(googleProvider)
 	case providers.OktaProviderName:
-		oktaProvider, err := providers.NewOktaProvider(p, o.OrgName, o.ProviderServerID)
+		oktaProvider, err := providers.NewOktaProvider(p, o.OrgURL, o.ProviderServerID)
 		if err != nil {
 			return nil, err
 		}

diff --git a/internal/auth/providers/okta.go b/internal/auth/providers/okta.go
@@ -31,10 +31,10 @@ type GetUserProfileResponse struct {
 }
 
 // NewOktaProvider returns a new OktaProvider and sets the provider url endpoints.
-func NewOktaProvider(p *ProviderData, orgName, providerServerID string) (*OktaProvider, error) {
-	if orgName != "" || providerServerID != "" {
-		if orgName == "" {
-			return nil, errors.New("missing setting: org_name")
+func NewOktaProvider(p *ProviderData, OrgURL, providerServerID string) (*OktaProvider, error) {
+	if OrgURL != "" || providerServerID != "" {
+		if OrgURL == "" {
+			return nil, errors.New("missing setting: okta_org_url")
 		}
 		if providerServerID == "" {
 			return nil, errors.New("missing setting: provider_server_id")
@@ -43,41 +43,40 @@ func NewOktaProvider(p *ProviderData, orgName, providerServerID string) (*OktaPr
 
 	p.ProviderName = "Okta"
 	scheme := "https"
-	host := fmt.Sprintf("%s.okta.com", orgName)
 	// interact with resource owner and obtain an authorization grant
 	if p.SignInURL.String() == "" {
 		p.SignInURL = &url.URL{
 			Scheme: scheme,
-			Host:   host,
+			Host:   OrgURL,
 			Path:   fmt.Sprintf("/oauth2/%s/v1/authorize", providerServerID)}
 		// to get a refresh token. see https://developer.okta.com/authentication-guide/tokens/refreshing-tokens/
 	}
 	// returns access tokens, ID tokens or refresh tokens
 	if p.RedeemURL.String() == "" {
 		p.RedeemURL = &url.URL{
 			Scheme: scheme,
-			Host:   host,
+			Host:   OrgURL,
 			Path:   fmt.Sprintf("/oauth2/%s/v1/token", providerServerID)}
 	}
 	// revokes an access or refresh token
 	if p.RevokeURL.String() == "" {
 		p.RevokeURL = &url.URL{
 			Scheme: scheme,
-			Host:   host,
+			Host:   OrgURL,
 			Path:   fmt.Sprintf("/oauth2/%s/v1/revoke", providerServerID)}
 	}
 	// takes an access token and returns claims for the currently logged-in user
 	if p.ProfileURL.String() == "" {
 		p.ProfileURL = &url.URL{
 			Scheme: scheme,
-			Host:   host,
+			Host:   OrgURL,
 			Path:   fmt.Sprintf("/oauth2/%s/v1/userinfo", providerServerID)}
 	}
 	// takes token as a URL query and returns active/inactive, and further info if active.
 	if p.ValidateURL.String() == "" {
 		p.ValidateURL = &url.URL{
 			Scheme: scheme,
-			Host:   host,
+			Host:   OrgURL,
 			Path:   fmt.Sprintf("/oauth2/%s/v1/introspect", providerServerID)}
 	}
 	if p.Scope == "" {