From 92d99e12be573089f0be38aa5b56535a5392047b Mon Sep 17 00:00:00 2001
From: Rohith <gambol99@gmail.com>
Date: Tue, 16 Jan 2018 18:14:39 +0000
Subject: [PATCH] Custom Authentication Prefix - Adding the ability to change the prefix of the authentication headers prefix passed to upstream endpoint
---
 config.go | 1 +
 doc.go | 2 ++
 middleware.go | 19 ++++++++++---------
 server_test.go | 1 +
 4 files changed, 14 insertions(+), 9 deletions(-)
diff --git a/config.go b/config.go
index d55e318..d220cfd 100644
--- a/config.go
+++ b/config.go
@@ -28,6 +28,7 @@ import (
 func newDefaultConfig() *Config {
 return &Config{
 AccessTokenDuration: time.Duration(720) * time.Hour,
+ AuthHeaderPrefix: "X-Auth-",
 CookieAccessName: "kc-access",
 CookieRefreshName: "kc-state",
 EnableAuthorizationHeader: true,
diff --git a/doc.go b/doc.go
index 868ef70..1d7c548 100644
--- a/doc.go
+++ b/doc.go
@@ -136,6 +136,8 @@ type Config struct {
 Resources []*Resource `json:"resources" yaml:"resources" usage:"list of resources 'uri=/admin|methods=GET,PUT|roles=role1,role2'"`
 // Headers permits adding customs headers across the board
 Headers map[string]string `json:"headers" yaml:"headers" usage:"custom headers to the upstream request, key=value"`
+ // AuthHeaderPrefix is the authentication headers passed through to upstream endpoint
+ AuthHeaderPrefix string `json:"auth-header-prefix" yaml:"auth-header-prefix" usage:"the prefix added the authentication headers"`
 // EnableEncryptedToken indicates the access token should be encoded
 EnableEncryptedToken bool `json:"enable-encrypted-token" yaml:"enable-encrypted-token" usage:"enable encryption for the access tokens"`
diff --git a/middleware.go b/middleware.go
index e39c1b6..3787318 100644
--- a/middleware.go
+++ b/middleware.go
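Review bot: In doc.go the comment on the new `AuthHeaderPrefix` field calls it "the authentication headers passed through to upstream endpoint", although the field holds only the prefix of those header names, and the usage text reads "the prefix added the authentication headers". I would write the comment as `// AuthHeaderPrefix is the prefix prepended to the identity header names (Email, Groups, Roles, ...) set on the upstream request` and the usage text as `the prefix added to the authentication headers`. The comment is also the place to say that the value has to be a non-empty, valid header-name fragment, since no check of the configured value is visible in this patch. The Config struct continues outside the hunk.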
@@ -23,8 +23,9 @@ import (
 "strings"
 "time"
- "github.com/PuerkitoBio/purell"
 "github.com/gambol99/go-oidc/jose"
+
+ "github.com/PuerkitoBio/purell"
 "github.com/go-chi/chi/middleware"
 "github.com/prometheus/client_golang/prometheus"
 "github.com/unrolled/secure"
@@ -334,17 +335,17 @@ func (r *oauthProxy) headersMiddleware(custom []string) func(http.Handler) http.
 scope := req.Context().Value(contextScopeName).(*RequestScope)
 if scope.Identity != nil {
 user := scope.Identity
- req.Header.Set("X-Auth-Email", user.email)
- req.Header.Set("X-Auth-ExpiresIn", user.expiresAt.String())
- req.Header.Set("X-Auth-Groups", strings.Join(user.groups, ","))
- req.Header.Set("X-Auth-Roles", strings.Join(user.roles, ","))
- req.Header.Set("X-Auth-Subject", user.id)
- req.Header.Set("X-Auth-Userid", user.name)
- req.Header.Set("X-Auth-Username", user.name)
+ req.Header.Set(fmt.Sprintf("%sEmail", r.config.AuthHeaderPrefix), user.email)
+ req.Header.Set(fmt.Sprintf("%sExpiresIn", r.config.AuthHeaderPrefix), user.expiresAt.String())
+ req.Header.Set(fmt.Sprintf("%sGroups", r.config.AuthHeaderPrefix), strings.Join(user.groups, ","))
+ req.Header.Set(fmt.Sprintf("%sRoles", r.config.AuthHeaderPrefix), strings.Join(user.roles, ","))
+ req.Header.Set(fmt.Sprintf("%sSubject", r.config.AuthHeaderPrefix), user.id)
+ req.Header.Set(fmt.Sprintf("%sUserid", r.config.AuthHeaderPrefix), user.name)
+ req.Header.Set(fmt.Sprintf("%sUsername", r.config.AuthHeaderPrefix), user.name)
 // should we add the token header?
 if r.config.EnableTokenHeader {
- req.Header.Set("X-Auth-Token", user.token.Encode())
+ req.Header.Set(fmt.Sprintf("%sToken", r.config.AuthHeaderPrefix), user.token.Encode())
 }
 // add the authorization header if requested
 if r.config.EnableAuthorizationHeader {
diff --git a/server_test.go b/server_test.go
index 584df41..22a4bb3 100644
--- a/server_test.go
+++ b/server_test.go
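Review bot: The token header is written only inside `if r.config.EnableTokenHeader`, so when that flag is off nothing in this hunk removes a `<prefix>Token` header the client sent itself, and the upstream would read it as if the proxy had set it. Now that the prefix is configurable the proxy should own every name under it: an `else` branch with `req.Header.Del(r.config.AuthHeaderPrefix + "Token")` closes that case. The same applies to the other seven names when `scope.Identity` is nil, if such requests can reach the upstream (that path lies outside the hunk). Separately, the eight `fmt.Sprintf` calls run on every request; taking `prefix := r.config.AuthHeaderPrefix` once and writing `req.Header.Set(prefix+"Email", user.email)` reads more plainly. headersMiddleware begins and ends outside the hunk.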
@@ -398,6 +398,7 @@ func newFakeHTTPRequest(method, path string) *http.Request {
 func newFakeKeycloakConfig() *Config {
 return &Config{
+ AuthHeaderPrefix: "X-Auth-",
 ClientID: fakeClientID,
 ClientSecret: fakeSecret,
 CookieAccessName: "kc-access",
-- 
GitLab
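Review bot: The only test change is the default `X-Auth-` added to `newFakeKeycloakConfig`, so the patch ships without a test that a non-default prefix is honoured. A case that sets `AuthHeaderPrefix` to another value (for example `X-Forwarded-Auth-`, a constructed sample) and asserts that the upstream receives `X-Forwarded-Auth-Email` and no `X-Auth-Email` would pin the new behaviour. The literal in the fixture also duplicates the one in `newDefaultConfig`; if the two drift, the tests keep passing against a prefix the binary no longer defaults to. newFakeKeycloakConfig continues past the end of the hunk.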