Add AccessToken as fallback to Authorization header #875
Conversation
| @@ -1051,6 +1051,8 @@ func (p *OAuthProxy) addHeadersForProxying(rw http.ResponseWriter, req *http.Req | |||
| if p.PassAuthorization { | |||
| if session.IDToken != "" { | |||
| req.Header["Authorization"] = []string{fmt.Sprintf("Bearer %s", session.IDToken)} | |||
| } else if session.AccessToken != "" { | |||
| req.Header["Authorization"] = []string{fmt.Sprintf("Bearer %s", session.AccessToken)} | |||
There was a problem hiding this comment.
@JoelSpeed I'll defer to you on whether to merge this or not since your refactor in #826 completely deletes this codepath.
Otherwise, seems sensible to me -- if we decide to move forward with this I'd like to see some unit tests added.
There was a problem hiding this comment.
I think given this would have to be considered a breaking change (people could start getting headers where they didn't before) and that we have the header work being done in #826 which would remove this anyway, we should not be accepting this change for now.
@kvaps For our next release we should have some alpha configuration that allows you to configure headers in a flexible way so that you can do this without the need for this addition.
The only case we haven't covered is fallback, ie, if the session field is empty, fallback to something else. I don't think this is desirable in most cases, unless you have something in particular in mind that justifies a fallback if a part of the session is empty?
|
This codepath has now gone with the merge of #826, before the next release we are going to introduce an advanced/alpha configuration for headers which in turn will allow this feature. I'm going to close this PR for now, if you feel this is inappropriate feel free to reopen/open an issue to discuss the desired feature. |
Description
This change allows to map Bearer token to Authorization header required by many applications including but not limited to Kubernetes.
Motivation and Context
As part of deprecating louketo-proxy (louketo/louketo-proxy#683), formely known as keycloak-gatekeeper, it is suggested to migrate to oauth-proxy.
Keycloak is issuing the tokens with
"typ": "Bearer", and louketo-proxy successfully passing them into application, however oauth2-proxy is not doing that.See #843 (comment) for more details.
fixes #843
fixes vmware-tanzu/kubeapps#2111
How Has This Been Tested?
Checklist: