From 2280b42f59036adb55083374fe86f904074f2d32 Mon Sep 17 00:00:00 2001 From: David Holsgrove Date: Fri, 22 Feb 2019 17:49:57 +1000 Subject: [PATCH] Access token forwarding through nginx auth request (#68) * Access token forwarding through nginx auth request Related to #420. (cherry picked from commit b138872beaaa7f47d43a1c0fef11a67f57e61eff) Signed-off-by: David Holsgrove * Improved documentation for auth request token (cherry picked from commit 6fab314f7203f4d652bb34247abb4e7cb497c41d) Signed-off-by: David Holsgrove * Update README.md Example should set header as `X-Access-Token` Co-Authored-By: davidholsgrove * Update Changelog to reference https://github.com/pusher/oauth2_proxy/pull/68 * Fix Changelog message location --- CHANGELOG.md | 2 ++ README.md | 4 ++++ oauthproxy.go | 3 +++ 3 files changed, 9 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index b72f7c1..d98b209 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -2,6 +2,8 @@ ## Changes since v3.1.0 +- [#68](https://github.com/pusher/oauth2_proxy/pull/68) forward X-Auth-Access-Token header (@davidholsgrove) + # v3.1.0 ## Release highlights diff --git a/README.md b/README.md index 522b766..db39635 100644 --- a/README.md +++ b/README.md @@ -425,6 +425,10 @@ server { proxy_set_header X-User $user; proxy_set_header X-Email $email; + # if you enabled --pass-access-token, this will pass the token to the backend + auth_request_set $token $upstream_http_x_auth_request_access_token; + proxy_set_header X-Access-Token $token; + # if you enabled --cookie-refresh, this is needed for it to work with auth_request auth_request_set $auth_cookie $upstream_http_set_cookie; add_header Set-Cookie $auth_cookie; diff --git a/oauthproxy.go b/oauthproxy.go index ab70686..68b1522 100644 --- a/oauthproxy.go +++ b/oauthproxy.go 
@@ -880,6 +880,9 @@ func (p *OAuthProxy) Authenticate(rw http.ResponseWriter, req *http.Request) int
 if session.Email != "" {
 rw.Header().Set("X-Auth-Request-Email", session.Email)
 }
+ if p.PassAccessToken && session.AccessToken != "" {
+ rw.Header().Set("X-Auth-Request-Access-Token", session.AccessToken)
+ }
 }
 if p.PassAccessToken && session.AccessToken != "" {
 req.Header["X-Forwarded-Access-Token"] = []string{session.AccessToken}
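Review bot: The added `rw.Header().Set("X-Auth-Request-Access-Token", session.AccessToken)` puts the bearer token on the response writer, so it goes out on whatever response the caller of Authenticate writes, not only on the reply to nginx's auth_request subrequest. The condition that opens the enclosing block is above the hunk, so it cannot be confirmed from here that this path is limited to the auth-only endpoint; if Authenticate also serves proxied requests, the token would presumably reach the browser as a response header that page script can read. I would gate this explicitly on the auth-request path, or at minimum add a comment such as `// Response header is consumed by nginx auth_request_set only; it must never be relayed to the client.` and state in the README that the auth endpoint should not be directly reachable by browsers. The CHANGELOG entry names the header `X-Auth-Access-Token`, which does not match the `X-Auth-Request-Access-Token` set here.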