diff --git a/proxy/pkg/proxy/claims.go b/proxy/pkg/proxy/claims.go
index 66bc18b9b..760c60182 100644
--- a/proxy/pkg/proxy/claims.go
+++ b/proxy/pkg/proxy/claims.go
@@ -8,7 +8,7 @@ import (
 type Claims struct {
 Proxy struct {
- UserAttributes map[string]string `json:"user_attributes"`
+ UserAttributes map[string]interface{} `json:"user_attributes"`
 } `json:"pb_proxy"`
 }
diff --git a/proxy/pkg/proxy/proxy.go b/proxy/pkg/proxy/proxy.go
index 196e2c9eb..366c0a75e 100644
--- a/proxy/pkg/proxy/proxy.go
+++ b/proxy/pkg/proxy/proxy.go
@@ -413,27 +413,36 @@ func (p *OAuthProxy) addHeadersForProxying(rw http.ResponseWriter, req *http.Req
 req.Header.Del("X-Auth-Username")
 }
+ claims := Claims{}
+ err := claims.FromIDToken(session.IDToken)
+ if err != nil {
+ log.WithError(err).Warning("Failed to parse IDToken")
+ }
+ userAttributes := claims.Proxy.UserAttributes
+ // Attempt to set basic auth based on user's attributes
 if p.SetBasicAuth {
- claims := Claims{}
- err := claims.FromIDToken(session.IDToken)
- if err != nil {
- log.WithError(err).Warning("Failed to parse IDToken")
- }
-
- userAttributes := claims.Proxy.UserAttributes
 var ok bool
 var password string
- if password, ok = userAttributes[p.BasicAuthPasswordAttribute]; !ok {
+ if password, ok = userAttributes[p.BasicAuthPasswordAttribute].(string); !ok {
 password = ""
 }
 // Check if we should use email or a custom attribute as username
 var username string
- if username, ok = userAttributes[p.BasicAuthUserAttribute]; !ok {
+ if username, ok = userAttributes[p.BasicAuthUserAttribute].(string); !ok {
 username = session.Email
 }
 authVal := b64.StdEncoding.EncodeToString([]byte(username + ":" + password))
 req.Header["Authorization"] = []string{fmt.Sprintf("Basic %s", authVal)}
 }
+ // Check if user has additional headers set that we should sent
+ if additionalHeaders, ok := userAttributes["additionalHeaders"].(map[string]string); ok {
+ if additionalHeaders == nil {
+ return
+ }
+ for key, value := range additionalHeaders {
+ req.Header.Set(key, value)
+ }
+ }
 }
 // stripAuthHeaders removes Auth headers for whitelisted routes from skipAuthRegex
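Review bot: The new `additionalHeaders` block asserts `userAttributes["additionalHeaders"].(map[string]string)`, but with `UserAttributes` now declared as `map[string]interface{}` a nested JSON object would normally decode to `map[string]interface{}`, so the assertion looks like it can never succeed and no header is ever added (this assumes `FromIDToken`, which is not shown, decodes with encoding/json). Once it does match, `req.Header.Set(key, value)` lets a claim replace any request header, including the `Authorization` value built just above and `X-Auth-Username`, so the loop should skip names the proxy itself controls; the full list depends on code earlier in the function, outside this hunk. The `additionalHeaders == nil` check with its `return` is unnecessary, because ranging over a nil map does nothing, and an early return here would silently skip anything later appended to the function. The comment should read "send" rather than "sent".

```go
	// Check if user has additional headers set that we should send
	if additionalHeaders, ok := userAttributes["additionalHeaders"].(map[string]interface{}); ok {
		for key, raw := range additionalHeaders {
			value, isString := raw.(string)
			if !isString {
				continue
			}
			switch http.CanonicalHeaderKey(key) {
			case "Authorization", "X-Auth-Username":
				// set or cleared by the proxy itself; a claim must not override them
				continue
			}
			req.Header.Set(key, value)
		}
	}
```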