Merge remote-tracking branch 'origin/master' into enhanced_logging

2019-02-26 08:27:06 -08:00 · 2019-02-26 08:27:06 -08:00 · 45742d326d
commit 45742d326d
parent 398f85c30f fb1614c873
4 changed files with 11 additions and 0 deletions
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@ -16,6 +16,8 @@
  - Implement two new flags to customize the logging format
    - `-standard-logging-format` Sets the format for standard logging
    - `-auth-logging-format` Sets the format for auth logging
+- [#68](https://github.com/pusher/oauth2_proxy/pull/68) forward X-Auth-Access-Token header (@davidholsgrove)
+

 # v3.1.0

--- a/README.md
+++ b/README.md
@ -220,6 +220,7 @@ Usage of oauth2_proxy:
  -logging-max-backups int: Maximum number of old log files to retain; 0 to disable (default 0)
  -logging-max-size int: Maximum size in megabytes of the log file before rotation (default 100)
  -login-url string: Authentication endpoint
+  -oidc-issuer-url: the OpenID Connect issuer URL. ie: "https://accounts.google.com"
  -pass-access-token: pass OAuth access_token to upstream via X-Forwarded-Access-Token header
  -pass-authorization-header: pass OIDC IDToken to upstream via Authorization Bearer header
  -pass-basic-auth: pass HTTP Basic Auth, X-Forwarded-User and X-Forwarded-Email information to upstream (default true)
@ -478,6 +479,10 @@ server {
    proxy_set_header X-User  $user;
    proxy_set_header X-Email $email;

+    # if you enabled --pass-access-token, this will pass the token to the backend
+    auth_request_set $token  $upstream_http_x_auth_request_access_token;
+    proxy_set_header X-Access-Token $token;
+
    # if you enabled --cookie-refresh, this is needed for it to work with auth_request
    auth_request_set $auth_cookie $upstream_http_set_cookie;
    add_header Set-Cookie $auth_cookie;
--- a/1
+++ b/1
@ -106,6 +106,7 @@ check_docker_version() {

 check_go_env() {
  echo -n "Checking \$GOPATH... "
+  GOPATH="$(go env GOPATH)"
  if [ -z "$GOPATH" ]; then
    printf "${RED}invalid${NC} - GOPATH not set\n"
    exit 1
--- a/oauthproxy.go
+++ b/oauthproxy.go
@ -887,6 +887,9 @@ func (p *OAuthProxy) Authenticate(rw http.ResponseWriter, req *http.Request) int
 		if session.Email != "" {
 			rw.Header().Set("X-Auth-Request-Email", session.Email)
 		}
+		if p.PassAccessToken && session.AccessToken != "" {
+			rw.Header().Set("X-Auth-Request-Access-Token", session.AccessToken)
+		}
 	}
 	if p.PassAccessToken && session.AccessToken != "" {
 		req.Header["X-Forwarded-Access-Token"] = []string{session.AccessToken}