outposts/proxy: add additional headers

Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
2021-12-01 20:19:09 +01:00 · 2021-12-01 20:19:09 +01:00 · 60b95271eb
parent 382b0e8941
commit 60b95271eb
4 changed files with 55 additions and 9 deletions
--- a/authentik/providers/proxy/api.py
+++ b/authentik/providers/proxy/api.py
@ -3,7 +3,7 @@ from typing import Any, Optional

 from drf_spectacular.utils import extend_schema_field
 from rest_framework.exceptions import ValidationError
-from rest_framework.fields import CharField, ListField, SerializerMethodField
+from rest_framework.fields import CharField, ListField, ReadOnlyField, SerializerMethodField
 from rest_framework.serializers import ModelSerializer
 from rest_framework.viewsets import ModelViewSet, ReadOnlyModelViewSet

@ -109,6 +109,9 @@ class ProxyProviderViewSet(UsedByMixin, ModelViewSet):
 class ProxyOutpostConfigSerializer(ModelSerializer):
    """Proxy provider serializer for outposts"""

+    assigned_application_slug = ReadOnlyField(source="application.slug")
+    assigned_application_name = ReadOnlyField(source="application.name")
+
    oidc_configuration = SerializerMethodField()
    token_validity = SerializerMethodField()
    scopes_to_request = SerializerMethodField()
@ -152,6 +155,8 @@ class ProxyOutpostConfigSerializer(ModelSerializer):
            "cookie_domain",
            "token_validity",
            "scopes_to_request",
+            "assigned_application_slug",
+            "assigned_application_name",
        ]


--- a/internal/outpost/proxyv2/application/mode_common.go
+++ b/internal/outpost/proxyv2/application/mode_common.go
@ -24,6 +24,11 @@ func (a *Application) addHeaders(headers http.Header, c *Claims) {
 	headers.Set("X-authentik-name", c.Name)
 	headers.Set("X-authentik-uid", c.Sub)

+	// System headers
+	headers.Set("X-authentik-meta-outpost", a.outpostName)
+	headers.Set("X-authentik-meta-provider", a.proxyConfig.Name)
+	headers.Set("X-authentik-meta-app", a.proxyConfig.AssignedApplicationSlug)
+
 	userAttributes := c.Proxy.UserAttributes
 	// Attempt to set basic auth based on user's attributes
 	if *a.proxyConfig.BasicAuthEnabled {
--- a/schema.yml
+++ b/schema.yml
@ -28984,7 +28984,17 @@ components:
          items:
            type: string
          readOnly: true
+        assigned_application_slug:
+          type: string
+          description: Internal application name, used in URLs.
+          readOnly: true
+        assigned_application_name:
+          type: string
+          description: Application's display Name.
+          readOnly: true
      required:
+      - assigned_application_name
+      - assigned_application_slug
      - external_host
      - name
      - oidc_configuration
--- a/website/docs/providers/proxy/proxy.md
+++ b/website/docs/providers/proxy/proxy.md
@ -2,20 +2,46 @@
 title: Overview
 ---

-The proxy outpost sets the following headers:
+The proxy outpost sets the following user-specific headers:

-```
-X-authentik-username: akadmin # The username of the currently logged in user
-X-authentik-groups: foo|bar|baz # The groups the user is member of, separated by a pipe
-X-authentik-email: root@localhost # The email address of the currently logged in user
-X-authentik-name: authentik Default Admin # Full name of the current user
-X-authentik-uid: 900347b8a29876b45ca6f75722635ecfedf0e931c6022e3a29a8aa13fb5516fb # The hashed identifier of the currently logged in user.
-```
+- X-authentik-username: `akadmin`
+
+    The username of the currently logged in user
+
+- X-authentik-groups: `foo|bar|baz`
+
+    The groups the user is member of, separated by a pipe
+
+- X-authentik-email: `root@localhost`
+
+    The email address of the currently logged in user
+
+- X-authentik-name: `authentik Default Admin`
+
+    Full name of the current user
+
+- X-authentik-uid: `900347b8a29876b45ca6f75722635ecfedf0e931c6022e3a29a8aa13fb5516fb`
+
+    The hashed identifier of the currently logged in user.

 Additionally, you can set `additionalHeaders` on groups or users to set additional headers.

 If you enable *Set HTTP-Basic Authentication* option, the HTTP Authorization header is being set.

+Besides these user-specific headers, some application specific headers are also set:
+
+- X-authentik-meta-outpost: `authentik Embedded Outpost`
+
+    The authentik outpost's name.
+
+- X-authentik-meta-provider: `test`
+
+    The authentik provider's name.
+
+- X-authentik-meta-app: `test`
+
+    The authentik application's slug.
+
 # HTTPS

 The outpost listens on both 9000 for HTTP and 9443 for HTTPS.