Allow to pass user headers only (issue #205)

* This fixes https://github.com/bitly/oauth2_proxy/issues/205
* Add new boolean option -pass-user-headers
  to control whether X-Forwarded-User and X-Forwarded-Email
  headers will be set (as opposed to HTTP BASIC auth)
* This is required e.g. for grafana [1] where
  X-Forwarded-User is needed but HTTP BASIC auth fails
  (password is not known and must not be known in this scenario)
* Keep behaviour of PassBasicAuth unchanged for compatibility

[1] http://docs.grafana.org/installation/configuration/#authproxy
This commit is contained in:
Omar Elazhary 2016-02-08 15:57:47 +00:00 committed by Jan Sievers
parent 89ba1d813a
commit 24f91a0b60
6 changed files with 14 additions and 0 deletions

View File

@ -187,6 +187,7 @@ Usage of oauth2_proxy:
-login-url="": Authentication endpoint -login-url="": Authentication endpoint
-pass-access-token=false: pass OAuth access_token to upstream via X-Forwarded-Access-Token header -pass-access-token=false: pass OAuth access_token to upstream via X-Forwarded-Access-Token header
-pass-basic-auth=true: pass HTTP Basic Auth, X-Forwarded-User and X-Forwarded-Email information to upstream -pass-basic-auth=true: pass HTTP Basic Auth, X-Forwarded-User and X-Forwarded-Email information to upstream
-pass-user-headers=true: pass X-Forwarded-User and X-Forwarded-Email information to upstream
-pass-host-header=true: pass the request Host Header to upstream -pass-host-header=true: pass the request Host Header to upstream
-profile-url="": Profile access endpoint -profile-url="": Profile access endpoint
-provider="google": OAuth provider -provider="google": OAuth provider

View File

@ -23,6 +23,7 @@
## pass HTTP Basic Auth, X-Forwarded-User and X-Forwarded-Email information to upstream ## pass HTTP Basic Auth, X-Forwarded-User and X-Forwarded-Email information to upstream
# pass_basic_auth = true # pass_basic_auth = true
# pass_user_headers = true
## pass the request Host Header to upstream ## pass the request Host Header to upstream
## when disabled the upstream Host is used as the Host Header ## when disabled the upstream Host is used as the Host Header
# pass_host_header = true # pass_host_header = true

View File

@ -32,6 +32,7 @@ func main() {
flagSet.String("redirect-url", "", "the OAuth Redirect URL. ie: \"https://internalapp.yourcompany.com/oauth2/callback\"") flagSet.String("redirect-url", "", "the OAuth Redirect URL. ie: \"https://internalapp.yourcompany.com/oauth2/callback\"")
flagSet.Var(&upstreams, "upstream", "the http url(s) of the upstream endpoint or file:// paths for static files. Routing is based on the path") flagSet.Var(&upstreams, "upstream", "the http url(s) of the upstream endpoint or file:// paths for static files. Routing is based on the path")
flagSet.Bool("pass-basic-auth", true, "pass HTTP Basic Auth, X-Forwarded-User and X-Forwarded-Email information to upstream") flagSet.Bool("pass-basic-auth", true, "pass HTTP Basic Auth, X-Forwarded-User and X-Forwarded-Email information to upstream")
flagSet.Bool("pass-user-headers", true, "pass X-Forwarded-User and X-Forwarded-Email information to upstream")
flagSet.String("basic-auth-password", "", "the password to set when passing the HTTP Basic Auth header") flagSet.String("basic-auth-password", "", "the password to set when passing the HTTP Basic Auth header")
flagSet.Bool("pass-access-token", false, "pass OAuth access_token to upstream via X-Forwarded-Access-Token header") flagSet.Bool("pass-access-token", false, "pass OAuth access_token to upstream via X-Forwarded-Access-Token header")
flagSet.Bool("pass-host-header", true, "pass the request Host Header to upstream") flagSet.Bool("pass-host-header", true, "pass the request Host Header to upstream")

View File

@ -60,6 +60,7 @@ type OAuthProxy struct {
serveMux http.Handler serveMux http.Handler
PassBasicAuth bool PassBasicAuth bool
SkipProviderButton bool SkipProviderButton bool
PassUserHeaders bool
BasicAuthPassword string BasicAuthPassword string
PassAccessToken bool PassAccessToken bool
CookieCipher *cookie.Cipher CookieCipher *cookie.Cipher
@ -194,6 +195,7 @@ func NewOAuthProxy(opts *Options, validator func(string) bool) *OAuthProxy {
skipAuthRegex: opts.SkipAuthRegex, skipAuthRegex: opts.SkipAuthRegex,
compiledRegex: opts.CompiledRegex, compiledRegex: opts.CompiledRegex,
PassBasicAuth: opts.PassBasicAuth, PassBasicAuth: opts.PassBasicAuth,
PassUserHeaders: opts.PassUserHeaders,
BasicAuthPassword: opts.BasicAuthPassword, BasicAuthPassword: opts.BasicAuthPassword,
PassAccessToken: opts.PassAccessToken, PassAccessToken: opts.PassAccessToken,
SkipProviderButton: opts.SkipProviderButton, SkipProviderButton: opts.SkipProviderButton,
@ -602,6 +604,12 @@ func (p *OAuthProxy) Authenticate(rw http.ResponseWriter, req *http.Request) int
req.Header["X-Forwarded-Email"] = []string{session.Email} req.Header["X-Forwarded-Email"] = []string{session.Email}
} }
} }
if p.PassUserHeaders {
req.Header["X-Forwarded-User"] = []string{session.User}
if session.Email != "" {
req.Header["X-Forwarded-Email"] = []string{session.Email}
}
}
if p.PassAccessToken && session.AccessToken != "" { if p.PassAccessToken && session.AccessToken != "" {
req.Header["X-Forwarded-Access-Token"] = []string{session.AccessToken} req.Header["X-Forwarded-Access-Token"] = []string{session.AccessToken}
} }

View File

@ -156,6 +156,7 @@ func TestBasicAuthPassword(t *testing.T) {
opts.ClientSecret = "foobar" opts.ClientSecret = "foobar"
opts.CookieSecure = false opts.CookieSecure = false
opts.PassBasicAuth = true opts.PassBasicAuth = true
opts.PassUserHeaders = true
opts.BasicAuthPassword = "This is a secure password" opts.BasicAuthPassword = "This is a secure password"
opts.Validate() opts.Validate()

View File

@ -54,6 +54,7 @@ type Options struct {
PassAccessToken bool `flag:"pass-access-token" cfg:"pass_access_token"` PassAccessToken bool `flag:"pass-access-token" cfg:"pass_access_token"`
PassHostHeader bool `flag:"pass-host-header" cfg:"pass_host_header"` PassHostHeader bool `flag:"pass-host-header" cfg:"pass_host_header"`
SkipProviderButton bool `flag:"skip-provider-button" cfg:"skip_provider_button"` SkipProviderButton bool `flag:"skip-provider-button" cfg:"skip_provider_button"`
PassUserHeaders bool `flag:"pass-user-headers" cfg:"pass_user_headers"`
// These options allow for other providers besides Google, with // These options allow for other providers besides Google, with
// potential overrides. // potential overrides.
@ -95,6 +96,7 @@ func NewOptions() *Options {
CookieExpire: time.Duration(168) * time.Hour, CookieExpire: time.Duration(168) * time.Hour,
CookieRefresh: time.Duration(0), CookieRefresh: time.Duration(0),
PassBasicAuth: true, PassBasicAuth: true,
PassUserHeaders: true,
PassAccessToken: false, PassAccessToken: false,
PassHostHeader: true, PassHostHeader: true,
SkipProviderButton: false, SkipProviderButton: false,