Custom Authentication Prefix

- Adding the ability to change the prefix of the authentication headers prefix passed to upstream endpoint

config.go

@@ -28,6 +28,7 @@ import (
 func newDefaultConfig() *Config {
 	return &Config{
 		AccessTokenDuration:         time.Duration(720) * time.Hour,
+		AuthHeaderPrefix:            "X-Auth-",
 		CookieAccessName:            "kc-access",
 		CookieRefreshName:           "kc-state",
 		EnableAuthorizationHeader:   true,

doc.go

@@ -136,6 +136,8 @@ type Config struct {
 	Resources []*Resource `json:"resources" yaml:"resources" usage:"list of resources 'uri=/admin|methods=GET,PUT|roles=role1,role2'"`
 	// Headers permits adding customs headers across the board
 	Headers map[string]string `json:"headers" yaml:"headers" usage:"custom headers to the upstream request, key=value"`
+	// AuthHeaderPrefix is the authentication headers passed through to upstream endpoint
+	AuthHeaderPrefix string `json:"auth-header-prefix" yaml:"auth-header-prefix" usage:"the prefix added the authentication headers"`
 
 	// EnableEncryptedToken indicates the access token should be encoded
 	EnableEncryptedToken bool `json:"enable-encrypted-token" yaml:"enable-encrypted-token" usage:"enable encryption for the access tokens"`

middleware.go

@@ -23,8 +23,9 @@ import (
 	"strings"
 	"time"
 
-	"github.com/PuerkitoBio/purell"
 	"github.com/gambol99/go-oidc/jose"
+
+	"github.com/PuerkitoBio/purell"
 	"github.com/go-chi/chi/middleware"
 	"github.com/prometheus/client_golang/prometheus"
 	"github.com/unrolled/secure"
@@ -334,17 +335,17 @@ func (r *oauthProxy) headersMiddleware(custom []string) func(http.Handler) http.
 			scope := req.Context().Value(contextScopeName).(*RequestScope)
 			if scope.Identity != nil {
 				user := scope.Identity
-				req.Header.Set("X-Auth-Email", user.email)
-				req.Header.Set("X-Auth-ExpiresIn", user.expiresAt.String())
-				req.Header.Set("X-Auth-Groups", strings.Join(user.groups, ","))
-				req.Header.Set("X-Auth-Roles", strings.Join(user.roles, ","))
-				req.Header.Set("X-Auth-Subject", user.id)
-				req.Header.Set("X-Auth-Userid", user.name)
-				req.Header.Set("X-Auth-Username", user.name)
+				req.Header.Set(fmt.Sprintf("%sEmail", r.config.AuthHeaderPrefix), user.email)
+				req.Header.Set(fmt.Sprintf("%sExpiresIn", r.config.AuthHeaderPrefix), user.expiresAt.String())
+				req.Header.Set(fmt.Sprintf("%sGroups", r.config.AuthHeaderPrefix), strings.Join(user.groups, ","))
+				req.Header.Set(fmt.Sprintf("%sRoles", r.config.AuthHeaderPrefix), strings.Join(user.roles, ","))
+				req.Header.Set(fmt.Sprintf("%sSubject", r.config.AuthHeaderPrefix), user.id)
+				req.Header.Set(fmt.Sprintf("%sUserid", r.config.AuthHeaderPrefix), user.name)
+				req.Header.Set(fmt.Sprintf("%sUsername", r.config.AuthHeaderPrefix), user.name)
 
 				// should we add the token header?
 				if r.config.EnableTokenHeader {
-					req.Header.Set("X-Auth-Token", user.token.Encode())
+					req.Header.Set(fmt.Sprintf("%sToken", r.config.AuthHeaderPrefix), user.token.Encode())
 				}
 				// add the authorization header if requested
 				if r.config.EnableAuthorizationHeader {

server_test.go

@@ -398,6 +398,7 @@ func newFakeHTTPRequest(method, path string) *http.Request {
 
 func newFakeKeycloakConfig() *Config {
 	return &Config{
+		AuthHeaderPrefix:           "X-Auth-",
 		ClientID:                   fakeClientID,
 		ClientSecret:               fakeSecret,
 		CookieAccessName:           "kc-access",