From 2280b42f59036adb55083374fe86f904074f2d32 Mon Sep 17 00:00:00 2001
From: David Holsgrove <davidholsgrove@users.noreply.github.com>
Date: Fri, 22 Feb 2019 17:49:57 +1000
Subject: [PATCH] Access token forwarding through nginx auth request (#68)

* Access token forwarding through nginx auth request

Related to #420.

(cherry picked from commit b138872beaaa7f47d43a1c0fef11a67f57e61eff)
Signed-off-by: David Holsgrove <david.holsgrove@biarri.com>

* Improved documentation for auth request token

(cherry picked from commit 6fab314f7203f4d652bb34247abb4e7cb497c41d)
Signed-off-by: David Holsgrove <david.holsgrove@biarri.com>

* Update README.md

Example should set header as `X-Access-Token`

Co-Authored-By: davidholsgrove <davidholsgrove@users.noreply.github.com>

* Update Changelog to reference https://github.com/pusher/oauth2_proxy/pull/68

* Fix Changelog message location
---
 CHANGELOG.md  | 2 ++
 README.md     | 4 ++++
 oauthproxy.go | 3 +++
 3 files changed, 9 insertions(+)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index b72f7c1..d98b209 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -2,6 +2,8 @@
 
 ## Changes since v3.1.0
 
+- [#68](https://github.com/pusher/oauth2_proxy/pull/68) forward X-Auth-Access-Token header (@davidholsgrove)
+
 # v3.1.0
 
 ## Release highlights
diff --git a/README.md b/README.md
index 522b766..db39635 100644
--- a/README.md
+++ b/README.md
@@ -425,6 +425,10 @@ server {
     proxy_set_header X-User  $user;
     proxy_set_header X-Email $email;
 
+    # if you enabled --pass-access-token, this will pass the token to the backend
+    auth_request_set $token  $upstream_http_x_auth_request_access_token;
+    proxy_set_header X-Access-Token $token;
+
     # if you enabled --cookie-refresh, this is needed for it to work with auth_request
     auth_request_set $auth_cookie $upstream_http_set_cookie;
     add_header Set-Cookie $auth_cookie;
diff --git a/oauthproxy.go b/oauthproxy.go
index ab70686..68b1522 100644
--- a/oauthproxy.go
+++ b/oauthproxy.go
@@ -880,6 +880,9 @@ func (p *OAuthProxy) Authenticate(rw http.ResponseWriter, req *http.Request) int
 		if session.Email != "" {
 			rw.Header().Set("X-Auth-Request-Email", session.Email)
 		}
+		if p.PassAccessToken && session.AccessToken != "" {
+			rw.Header().Set("X-Auth-Request-Access-Token", session.AccessToken)
+		}
 	}
 	if p.PassAccessToken && session.AccessToken != "" {
 		req.Header["X-Forwarded-Access-Token"] = []string{session.AccessToken}