Merge pull request #63 from ploxiln/skip_auth_skip_headers

new option --skip-auth-strip-headers
ploxiln · Jul 23, 2020 · 6279624 · 6279624
2 parents 6e28e7f + 1899b60
commit 6279624
Show file tree

Hide file tree

Showing 4 changed files with 23 additions and 0 deletions.
diff --git a/README.md b/README.md
@@ -318,6 +318,7 @@ Usage of oauth2_proxy:
   -signature-key string: GAP-Signature request signature key (algorithm:secretkey)
   -skip-auth-preflight: will skip authentication for OPTIONS requests
   -skip-auth-regex value: bypass authentication for requests path's that match (may be given multiple times)
+  -skip-auth-strip-headers: strip upstream request http headers that are normally set by this proxy, also for requests allowed by --skip-auth-regex (default true)
   -skip-oidc-discovery: Skip OIDC discovery (login-url, redeem-url and oidc-jwks-url must be configured)
   -skip-provider-button: will skip sign-in-page to directly reach the next step: oauth/start
   -ssl-insecure-skip-verify: skip validation of certificates presented when using HTTPS

diff --git a/main.go b/main.go
@@ -39,6 +39,7 @@ func mainFlagSet() *flag.FlagSet {
 	flagSet.Bool("pass-access-token", false, "pass OAuth access_token to upstream via X-Forwarded-Access-Token header")
 	flagSet.Bool("pass-host-header", true, "pass the request Host Header to upstream")
 	flagSet.Var(&skipAuthRegex, "skip-auth-regex", "bypass authentication for requests path's that match (may be given multiple times)")
+	flagSet.Bool("skip-auth-strip-headers", true, "strip upstream request http headers that are normally set by this proxy, also for requests allowed by --skip-auth-regex")
 	flagSet.Bool("skip-provider-button", false, "will skip sign-in-page to directly reach the next step: oauth/start")
 	flagSet.Bool("skip-auth-preflight", false, "will skip authentication for OPTIONS requests")
 	flagSet.Bool("ssl-insecure-skip-verify", false, "skip validation of certificates presented when using HTTPS")

diff --git a/oauthproxy.go b/oauthproxy.go
@@ -73,6 +73,7 @@ type OAuthProxy struct {
 	ClientIPHeader      string
 	CookieCipher        *cookie.Cipher
 	skipAuthRegex       []string
+	skipAuthStripHdrs   bool
 	skipAuthPreflight   bool
 	compiledRegex       []*regexp.Regexp
 	templates           *template.Template
@@ -229,6 +230,7 @@ func NewOAuthProxy(opts *Options, validator func(string) bool) *OAuthProxy {
 		redirectURL:        redirectURL,
 		whitelistDomains:   opts.WhitelistDomains,
 		skipAuthRegex:      opts.SkipAuthRegex,
+		skipAuthStripHdrs:  opts.SkipAuthStripHeaders,
 		skipAuthPreflight:  opts.SkipAuthPreflight,
 		compiledRegex:      opts.CompiledRegex,
 		SetXAuthRequest:    opts.SetXAuthRequest,
@@ -380,6 +382,22 @@ func (p *OAuthProxy) SaveSession(rw http.ResponseWriter, req *http.Request, s *p
 	return nil
 }
 
+func (p *OAuthProxy) stripAuthHeaders(req *http.Request) {
+	if !p.skipAuthStripHdrs {
+		return
+	}
+	if p.PassBasicAuth {
+		req.Header.Del("Authorization")
+	}
+	if p.PassUserHeaders {
+		req.Header.Del("X-Forwarded-User")
+		req.Header.Del("X-Forwarded-Email")
+	}
+	if p.PassAccessToken {
+		req.Header.Del("X-Forwarded-Access-Token")
+	}
+}
+
 func (p *OAuthProxy) RobotsTxt(rw http.ResponseWriter) {
 	rw.WriteHeader(http.StatusOK)
 	fmt.Fprintf(rw, "User-agent: *\nDisallow: /")
@@ -538,6 +556,7 @@ func (p *OAuthProxy) ServeHTTP(rw http.ResponseWriter, req *http.Request) {
 	case path == p.PingPath:
 		p.PingPage(rw)
 	case p.IsWhitelistedRequest(req):
+		p.stripAuthHeaders(req)
 		p.serveMux.ServeHTTP(rw, req)
 	case path == p.SignInPath:
 		p.SignIn(rw, req)

diff --git a/options.go b/options.go
@@ -57,6 +57,7 @@ type Options struct {
 
 	Upstreams             []string `flag:"upstream" cfg:"upstreams"`
 	SkipAuthRegex         []string `flag:"skip-auth-regex" cfg:"skip_auth_regex"`
+	SkipAuthStripHeaders  bool     `flag:"skip-auth-strip-headers" cfg:"skip_auth_strip_headers"`
 	PassBasicAuth         bool     `flag:"pass-basic-auth" cfg:"pass_basic_auth"`
 	BasicAuthPassword     string   `flag:"basic-auth-password" cfg:"basic_auth_password"`
 	PassAccessToken       bool     `flag:"pass-access-token" cfg:"pass_access_token"`
@@ -118,6 +119,7 @@ func NewOptions() *Options {
 		CookieRefresh:        time.Duration(0),
 		SetXAuthRequest:      false,
 		SkipAuthPreflight:    false,
+		SkipAuthStripHeaders: true,
 		PassBasicAuth:        true,
 		PassUserHeaders:      true,
 		PassAccessToken:      false,