From 4e1808632d0a8174127b07552180aedbc7a946de Mon Sep 17 00:00:00 2001 From: Jens Langhammer Date: Thu, 29 Oct 2020 22:09:53 +0100 Subject: [PATCH] proxy: add support for additionalHeaders --- proxy/pkg/proxy/claims.go | 2 +- proxy/pkg/proxy/proxy.go | 27 ++++++++++++++++++--------- 2 files changed, 19 insertions(+), 10 deletions(-) diff --git a/proxy/pkg/proxy/claims.go b/proxy/pkg/proxy/claims.go index 66bc18b9b..760c60182 100644 --- a/proxy/pkg/proxy/claims.go +++ b/proxy/pkg/proxy/claims.go @@ -8,7 +8,7 @@ import ( type Claims struct { Proxy struct { - UserAttributes map[string]string `json:"user_attributes"` + UserAttributes map[string]interface{} `json:"user_attributes"` } `json:"pb_proxy"` } diff --git a/proxy/pkg/proxy/proxy.go b/proxy/pkg/proxy/proxy.go index 196e2c9eb..366c0a75e 100644 --- a/proxy/pkg/proxy/proxy.go +++ b/proxy/pkg/proxy/proxy.go @@ -413,27 +413,36 @@ func (p *OAuthProxy) addHeadersForProxying(rw http.ResponseWriter, req *http.Req req.Header.Del("X-Auth-Username") } + claims := Claims{} + err := claims.FromIDToken(session.IDToken) + if err != nil { + log.WithError(err).Warning("Failed to parse IDToken") + } + userAttributes := claims.Proxy.UserAttributes + // Attempt to set basic auth based on user's attributes if p.SetBasicAuth { - claims := Claims{} - err := claims.FromIDToken(session.IDToken) - if err != nil { - log.WithError(err).Warning("Failed to parse IDToken") - } - - userAttributes := claims.Proxy.UserAttributes var ok bool var password string - if password, ok = userAttributes[p.BasicAuthPasswordAttribute]; !ok { + if password, ok = userAttributes[p.BasicAuthPasswordAttribute].(string); !ok { password = "" } // Check if we should use email or a custom attribute as username var username string - if username, ok = userAttributes[p.BasicAuthUserAttribute]; !ok { + if username, ok = userAttributes[p.BasicAuthUserAttribute].(string); !ok { username = session.Email } authVal := b64.StdEncoding.EncodeToString([]byte(username + ":" + password)) req.Header["Authorization"] = []string{fmt.Sprintf("Basic %s", authVal)} } + // Check if user has additional headers set that we should sent + if additionalHeaders, ok := userAttributes["additionalHeaders"].(map[string]string); ok { + if additionalHeaders == nil { + return + } + for key, value := range additionalHeaders { + req.Header.Set(key, value) + } + } } // stripAuthHeaders removes Auth headers for whitelisted routes from skipAuthRegex