proxy: add support for additionalHeaders
parent
791627d3ce
commit
4e1808632d
|
@ -8,7 +8,7 @@ import (
|
||||||
|
|
||||||
type Claims struct {
|
type Claims struct {
|
||||||
Proxy struct {
|
Proxy struct {
|
||||||
UserAttributes map[string]string `json:"user_attributes"`
|
UserAttributes map[string]interface{} `json:"user_attributes"`
|
||||||
} `json:"pb_proxy"`
|
} `json:"pb_proxy"`
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
|
@ -413,27 +413,36 @@ func (p *OAuthProxy) addHeadersForProxying(rw http.ResponseWriter, req *http.Req
|
||||||
req.Header.Del("X-Auth-Username")
|
req.Header.Del("X-Auth-Username")
|
||||||
}
|
}
|
||||||
|
|
||||||
|
claims := Claims{}
|
||||||
|
err := claims.FromIDToken(session.IDToken)
|
||||||
|
if err != nil {
|
||||||
|
log.WithError(err).Warning("Failed to parse IDToken")
|
||||||
|
}
|
||||||
|
userAttributes := claims.Proxy.UserAttributes
|
||||||
|
// Attempt to set basic auth based on user's attributes
|
||||||
if p.SetBasicAuth {
|
if p.SetBasicAuth {
|
||||||
claims := Claims{}
|
|
||||||
err := claims.FromIDToken(session.IDToken)
|
|
||||||
if err != nil {
|
|
||||||
log.WithError(err).Warning("Failed to parse IDToken")
|
|
||||||
}
|
|
||||||
|
|
||||||
userAttributes := claims.Proxy.UserAttributes
|
|
||||||
var ok bool
|
var ok bool
|
||||||
var password string
|
var password string
|
||||||
if password, ok = userAttributes[p.BasicAuthPasswordAttribute]; !ok {
|
if password, ok = userAttributes[p.BasicAuthPasswordAttribute].(string); !ok {
|
||||||
password = ""
|
password = ""
|
||||||
}
|
}
|
||||||
// Check if we should use email or a custom attribute as username
|
// Check if we should use email or a custom attribute as username
|
||||||
var username string
|
var username string
|
||||||
if username, ok = userAttributes[p.BasicAuthUserAttribute]; !ok {
|
if username, ok = userAttributes[p.BasicAuthUserAttribute].(string); !ok {
|
||||||
username = session.Email
|
username = session.Email
|
||||||
}
|
}
|
||||||
authVal := b64.StdEncoding.EncodeToString([]byte(username + ":" + password))
|
authVal := b64.StdEncoding.EncodeToString([]byte(username + ":" + password))
|
||||||
req.Header["Authorization"] = []string{fmt.Sprintf("Basic %s", authVal)}
|
req.Header["Authorization"] = []string{fmt.Sprintf("Basic %s", authVal)}
|
||||||
}
|
}
|
||||||
|
// Check if user has additional headers set that we should sent
|
||||||
|
if additionalHeaders, ok := userAttributes["additionalHeaders"].(map[string]string); ok {
|
||||||
|
if additionalHeaders == nil {
|
||||||
|
return
|
||||||
|
}
|
||||||
|
for key, value := range additionalHeaders {
|
||||||
|
req.Header.Set(key, value)
|
||||||
|
}
|
||||||
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
// stripAuthHeaders removes Auth headers for whitelisted routes from skipAuthRegex
|
// stripAuthHeaders removes Auth headers for whitelisted routes from skipAuthRegex
|
||||||
|
|
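Review bot: The new assertion `userAttributes["additionalHeaders"].(map[string]string)` near the end of addHeadersForProxying cannot match a value decoded from JSON into `map[string]interface{}`, because nested objects arrive as `map[string]interface{}`. Assuming FromIDToken uses encoding/json (not visible here), `ok` is always false and no header is ever added. Once the loop does run, `req.Header.Set(key, value)` lets token attributes replace `Authorization` and `X-Auth-Username`, which this function manages itself. Whether that is acceptable depends on who can edit user attributes at the identity provider, so the safer default is to skip reserved names and assert each value to a string. The `if additionalHeaders == nil { return }` guard is redundant, since ranging over a nil map is a no-op; the function begins above the hunk.

```go
// Check if user has additional headers set that we should send
if additionalHeaders, ok := userAttributes["additionalHeaders"].(map[string]interface{}); ok {
	for key, raw := range additionalHeaders {
		value, isString := raw.(string)
		if !isString {
			continue
		}
		// Headers this proxy sets or clears itself must not be replaced by attribute data.
		switch http.CanonicalHeaderKey(key) {
		case "Authorization", "X-Auth-Username":
			// … extend with the other identity headers set earlier in this function …
			continue
		}
		req.Header.Set(key, value)
	}
}
```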