outposts/proxy: add X-Auth-Groups header to pass groups

Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
2021-07-22 10:47:58 +02:00 · 2021-07-22 10:47:58 +02:00 · 66bfa6879d
parent c05240afbf
commit 66bfa6879d
3 changed files with 7 additions and 0 deletions
--- a/authentik/providers/proxy/controllers/k8s/traefik.py
+++ b/authentik/providers/proxy/controllers/k8s/traefik.py
@ -113,6 +113,7 @@ class TraefikMiddlewareReconciler(KubernetesObjectReconciler[TraefikMiddleware])
                    authResponseHeaders=[
                        "Set-Cookie",
                        "X-Auth-Username",
+                        "X-Auth-Groups",
                        "X-Forwarded-Email",
                        "X-Forwarded-Preferred-Username",
                        "X-Forwarded-User",
--- a/internal/outpost/proxy/claims.go
+++ b/internal/outpost/proxy/claims.go
@ -10,6 +10,7 @@ type Claims struct {
 	Proxy struct {
 		UserAttributes map[string]interface{} `json:"user_attributes"`
 	} `json:"ak_proxy"`
+	Groups []string `json:"groups"`
 }

 func (c *Claims) FromIDToken(idToken string) error {
--- a/internal/outpost/proxy/proxy.go
+++ b/internal/outpost/proxy/proxy.go
@ -428,6 +428,10 @@ func (p *OAuthProxy) addHeadersForProxying(rw http.ResponseWriter, req *http.Req
 	if err != nil {
 		log.WithError(err).Warning("Failed to parse IDToken")
 	}
+	// Set groups in header
+	groups := strings.Join(claims.Groups, "|")
+	req.Header["X-Auth-Groups"] = []string{groups}
+
 	userAttributes := claims.Proxy.UserAttributes
 	// Attempt to set basic auth based on user's attributes
 	if p.SetBasicAuth {
@ -461,6 +465,7 @@ func (p *OAuthProxy) addHeadersForProxying(rw http.ResponseWriter, req *http.Req
 func (p *OAuthProxy) stripAuthHeaders(req *http.Request) {
 	if p.PassUserHeaders {
 		req.Header.Del("X-Forwarded-User")
+		req.Header.Del("X-Auth-Groups")
 		req.Header.Del("X-Forwarded-Email")
 		req.Header.Del("X-Forwarded-Preferred-Username")
 	}