
Allow to pass user headers only (issue #205)

* This fixes https://github.com/bitly/oauth2_proxy/issues/205
* Add new boolean option -pass-user-headers
  to control whether X-Forwarded-User and X-Forwarded-Email
  headers will be set (as opposed to HTTP BASIC auth)
* This is required e.g. for grafana [1] where
  X-Forwarded-User is needed but HTTP BASIC auth fails
  (password is not known and must not be known in this scenario)
* Keep behaviour of PassBasicAuth unchanged for compatibility

[1] http://docs.grafana.org/installation/configuration/#authproxy
Omar Elazhary
2016-02-08 15:57:47 +00:00
committed by Jan Sievers
parent 89ba1d813a
commit 24f91a0b60
6 changed files with 14 additions and 0 deletions


@@ -60,6 +60,7 @@ type OAuthProxy struct {
serveMux http.Handler
PassBasicAuth bool
SkipProviderButton bool
PassUserHeaders bool
BasicAuthPassword string
PassAccessToken bool
CookieCipher *cookie.Cipher
@@ -194,6 +195,7 @@ func NewOAuthProxy(opts *Options, validator func(string) bool) *OAuthProxy {
skipAuthRegex: opts.SkipAuthRegex,
compiledRegex: opts.CompiledRegex,
PassBasicAuth: opts.PassBasicAuth,
PassUserHeaders: opts.PassUserHeaders,
BasicAuthPassword: opts.BasicAuthPassword,
PassAccessToken: opts.PassAccessToken,
SkipProviderButton: opts.SkipProviderButton,
@@ -602,6 +604,12 @@ func (p *OAuthProxy) Authenticate(rw http.ResponseWriter, req *http.Request) int
req.Header["X-Forwarded-Email"] = []string{session.Email}
}
}
if p.PassUserHeaders {
req.Header["X-Forwarded-User"] = []string{session.User}
if session.Email != "" {
req.Header["X-Forwarded-Email"] = []string{session.Email}
}
}
if p.PassAccessToken && session.AccessToken != "" {
req.Header["X-Forwarded-Access-Token"] = []string{session.AccessToken}
}
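Review bot: In the new `if p.PassUserHeaders` block, X-Forwarded-Email is only overwritten when `session.Email != ""`, so when the session has no email, any X-Forwarded-Email value the client sent stays on the request and reaches the upstream. An upstream that trusts these headers for identity (the Grafana auth-proxy case named in the description) would then see a client-chosen email next to the proxy-set user. I would add an else branch that clears it, `} else { req.Header.Del("X-Forwarded-Email") }`, and apply the same to the PassBasicAuth block just above, which has the same shape and starts outside the hunk. Authenticate begins and ends outside the visible lines, so if inbound X-Forwarded-* headers are already stripped earlier in the function this is covered; otherwise a short comment stating that these headers are authoritative only when set here would help the next reader.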