KEYCLOAK-12731 Add option 'UseAuthorizationHeader' to disable reading token from Authorization header #499
1 change: 1 addition & 0 deletions config.go
Expand Up @@ -38,6 +38,7 @@ func newDefaultConfig() *Config {
ClientAuthMethod: authMethodBasic,
CookieAccessName: accessCookie,
CookieRefreshName: refreshCookie,
UseAuthorizationHeader: true,
EnableAuthorizationCookies: true,
EnableAuthorizationHeader: true,
EnableDefaultDeny: true,
3 changes: 3 additions & 0 deletions doc.go
Expand Up @@ -197,6 +197,9 @@ type Config struct {
// ResponseHeader is a map of response headers to add to the response
ResponseHeaders map[string]string `json:"response-headers" yaml:"response-headers" usage:"custom headers to added to the http response key=value"`

// UseAuthorizationHeader indicates if we should read the token from the Authorization header
UseAuthorizationHeader bool `json:"use-authorization-header" yaml:"use-authorization-header" usage:"indicates if we should read token from Authorization header" env:"USE_AUTHORIZATION_HEADER"`

// EnableSelfSignedTLS indicates we should create a self-signed ceritificate for the service
EnabledSelfSignedTLS bool `json:"enable-self-signed-tls" yaml:"enable-self-signed-tls" usage:"create self signed certificates for the proxy" env:"ENABLE_SELF_SIGNED_TLS"`
// SelfSignedTLSHostnames is the list of hostnames to place on the certificate
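Review bot: The new field sits directly beside the existing EnableAuthorizationHeader (visible in the config.go and server_test.go hunks) and its comment does not say how the two differ, which invites operators to toggle the wrong one. The comment could state the effect the session.go change gives it: `// UseAuthorizationHeader controls whether the proxy reads the access token from the request's Authorization header; when false only the access cookie is consulted. It is distinct from EnableAuthorizationHeader.` The usage tag on the same line could carry the same "distinct from EnableAuthorizationHeader" phrase so it shows up in --help. The Config struct continues outside the hunk.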
2 changes: 2 additions & 0 deletions go.mod
Expand Up @@ -35,3 +35,5 @@ require (
gopkg.in/resty.v1 v1.10.3
gopkg.in/yaml.v2 v2.2.2
)

go 1.13
1 change: 1 addition & 0 deletions server_test.go
Expand Up @@ -447,6 +447,7 @@ func newFakeKeycloakConfig() *Config {
CookieRefreshName: "kc-state",
DisableAllLogging: true,
DiscoveryURL: "127.0.0.1:0",
UseAuthorizationHeader: true,
EnableAuthorizationCookies: true,
EnableAuthorizationHeader: true,
EnableLogging: false,
39 changes: 26 additions & 13 deletions session.go
Expand Up @@ -29,7 +29,7 @@ import (
func (r *oauthProxy) getIdentity(req *http.Request) (*userContext, error) {
var isBearer bool
// step: check for a bearer token or cookie with jwt token
access, isBearer, err := getTokenInRequest(req, r.config.CookieAccessName)
access, isBearer, err := getTokenInRequest(req, r.config.CookieAccessName, r.config.UseAuthorizationHeader)
if err != nil {
return nil, err
}
Expand Down Expand Up @@ -69,21 +69,34 @@ func (r *oauthProxy) getRefreshTokenFromCookie(req *http.Request) (string, error
}

// getTokenInRequest returns the access token from the http request
func getTokenInRequest(req *http.Request, name string) (string, bool, error) {
bearer := true
// step: check for a token in the authorization header
token, err := getTokenInBearer(req)
if err != nil {
if err != ErrSessionNotFound {
return "", false, err
}
if token, err = getTokenInCookie(req, name); err != nil {
return token, false, err
func getTokenInRequest(req *http.Request, name string, useAuthorizationHeader bool) (string, bool, error) {
if useAuthorizationHeader {
// step: check for a token in the authorization header
bearer := true
token, err := getTokenInBearer(req)

if err != nil {
bearer = false

if err != ErrSessionNotFound {
return "", bearer, err
}

if token, err = getTokenInCookie(req, name); err != nil {
return token, bearer, err
}
}
bearer = false

return token, bearer, nil
}

// step: check for a token in cookie
token, err := getTokenInCookie(req, name)
if err != nil {
return token, false, err
}

return token, bearer, nil
return token, false, nil
}

// getTokenInBearer retrieves a access token from the authorization header
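Review bot: The cookie lookup in getTokenInRequest is now written twice, once inside the `if useAuthorizationHeader` branch after the bearer lookup misses and again after the branch, with the `bearer` flag threaded through the first copy only; the function reads more simply if the header branch returns on success or on a non-ErrSessionNotFound error and otherwise falls through to a single cookie lookup. The doc comment should also cover the new parameter and the second return value, e.g. `// getTokenInRequest returns the access token from the http request, consulting the Authorization header only when useAuthorizationHeader is set; the bool reports whether the token came from that header rather than the cookie`. The restructuring below keeps every return value identical, including bearer == false for a token read from the cookie after the header missed, so callers such as getIdentity are unaffected.
```go
func getTokenInRequest(req *http.Request, name string, useAuthorizationHeader bool) (string, bool, error) {
	if useAuthorizationHeader {
		// step: check for a token in the authorization header
		token, err := getTokenInBearer(req)
		if err == nil {
			return token, true, nil
		}
		if err != ErrSessionNotFound {
			return "", false, err
		}
		// header absent: fall through to the cookie
	}

	// step: check for a token in cookie
	token, err := getTokenInCookie(req, name)
	if err != nil {
		return token, false, err
	}

	return token, false, nil
}
```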
4 changes: 3 additions & 1 deletion session_test.go
Expand Up @@ -124,7 +124,9 @@ func TestGetTokenInRequest(t *testing.T) {
})
}
}
access, bearer, err := getTokenInRequest(req, defaultName)

access, bearer, err := getTokenInRequest(req, defaultName, true)

switch x.Error {
case nil:
assert.NoError(t, err, "case %d should not have thrown an error", i)
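Review bot: TestGetTokenInRequest passes the new parameter as a constant `true` on the line `access, bearer, err := getTokenInRequest(req, defaultName, true)`, so the path this PR introduces, skipping the Authorization header and reading only the cookie, has no coverage. Adding a per-case flag to the test table and at least two cases with it set to false would pin the intended behaviour: a request carrying only a bearer header should yield no token and bearer == false, and a request carrying both header and cookie should return the cookie token with bearer == false. The table loop and case struct start outside the hunk, so the field would be added there.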