outposts/proxy: add X-Auth-Groups header to pass groups

Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>

authentik/providers/proxy/controllers/k8s/traefik.py

@@ -113,6 +113,7 @@ class TraefikMiddlewareReconciler(KubernetesObjectReconciler[TraefikMiddleware])
                     authResponseHeaders=[
                         "Set-Cookie",
                         "X-Auth-Username",
+                        "X-Auth-Groups",
                         "X-Forwarded-Email",
                         "X-Forwarded-Preferred-Username",
                         "X-Forwarded-User",

internal/outpost/proxy/claims.go

@@ -10,6 +10,7 @@ type Claims struct {
 	Proxy struct {
 		UserAttributes map[string]interface{} `json:"user_attributes"`
 	} `json:"ak_proxy"`
+	Groups []string `json:"groups"`
 }
 
 func (c *Claims) FromIDToken(idToken string) error {

internal/outpost/proxy/proxy.go

@@ -428,6 +428,10 @@ func (p *OAuthProxy) addHeadersForProxying(rw http.ResponseWriter, req *http.Req
 	if err != nil {
 		log.WithError(err).Warning("Failed to parse IDToken")
 	}
+	// Set groups in header
+	groups := strings.Join(claims.Groups, "|")
+	req.Header["X-Auth-Groups"] = []string{groups}
+
 	userAttributes := claims.Proxy.UserAttributes
 	// Attempt to set basic auth based on user's attributes
 	if p.SetBasicAuth {
@@ -461,6 +465,7 @@ func (p *OAuthProxy) addHeadersForProxying(rw http.ResponseWriter, req *http.Req
 func (p *OAuthProxy) stripAuthHeaders(req *http.Request) {
 	if p.PassUserHeaders {
 		req.Header.Del("X-Forwarded-User")
+		req.Header.Del("X-Auth-Groups")
 		req.Header.Del("X-Forwarded-Email")
 		req.Header.Del("X-Forwarded-Preferred-Username")
 	}