Forward X-Auth-Request-Id-Token header in oauth (#1126)

* forward X-Auth-Request-Id-Token header in oauth * Use appscode/oauth2_proxy:2.3.0 * Delete dockerfiles for appscode/oauth2_proxy
voyagermesh · Jun 20, 2018 · b11f9f8 · b11f9f8
1 parent 01c20d0
commit b11f9f8
Show file tree

Hide file tree

Showing 6 changed files with 10 additions and 27 deletions.
diff --git a/docs/guides/ingress/security/oauth-dashboard.md b/docs/guides/ingress/security/oauth-dashboard.md
@@ -70,7 +70,7 @@ spec:
         - name: OAUTH2_PROXY_CLIENT_SECRET
           value: ...
         - OAUTH2_PROXY_COOKIE_SECRET = ...
-        image: appscode/oauth2_proxy:2.2.0
+        image: appscode/oauth2_proxy:2.3.0
         imagePullPolicy: Always
         name: oauth2-proxy
         ports:

diff --git a/docs/guides/ingress/security/oauth-github.md b/docs/guides/ingress/security/oauth-github.md
@@ -59,6 +59,7 @@ spec:
         - --upstream=file:///dev/null
         - --http-address=0.0.0.0:4180
         - --cookie-secure=false
+        - --pass-id-token=true
         - --set-xauthrequest=true
         env:
         - name: OAUTH2_PROXY_CLIENT_ID
@@ -67,7 +68,7 @@ spec:
           value: ...
         - name: OAUTH2_PROXY_COOKIE_SECRET
           value: ...
-        image: appscode/oauth2_proxy:2.2.0
+        image: appscode/oauth2_proxy:2.3.0
         imagePullPolicy: Always
         name: oauth2-proxy
         ports:
@@ -90,7 +91,7 @@ spec:
     k8s-app: oauth2-proxy
 ```
 
-Here, `--set-xauthrequest` flag sets `X-Auth-Request-User` and `X-Auth-Request-User` headers, which will be forwarded to backend.
+Here, `--set-xauthrequest` flag sets `X-Auth-Request-User` and `X-Auth-Request-Email` headers, which will be forwarded to backend. It also sets `X-Auth-Request-Id-Token` header when `--pass-id-token` flag is `true`.
 
 Finally create the ingress:
 
@@ -193,7 +194,7 @@ spec:
         - name: OAUTH2_PROXY_CLIENT_SECRET
           value: ...
         - OAUTH2_PROXY_COOKIE_SECRET = ...
-        image: appscode/oauth2_proxy:2.2.0
+        image: appscode/oauth2_proxy:2.3.0
         imagePullPolicy: Always
         name: oauth2-proxy
         ports:

diff --git a/docs/guides/ingress/security/oauth-google.md b/docs/guides/ingress/security/oauth-google.md
@@ -59,6 +59,7 @@ spec:
         - --upstream=file:///dev/null
         - --http-address=0.0.0.0:4180
         - --cookie-secure=false
+        - --pass-id-token=true
         - --set-xauthrequest=true
         env:
         - name: OAUTH2_PROXY_CLIENT_ID
@@ -67,7 +68,7 @@ spec:
           value: ...
         - name: OAUTH2_PROXY_COOKIE_SECRET
           value: ...
-        image: appscode/oauth2_proxy:2.2.0
+        image: appscode/oauth2_proxy:2.3.0
         imagePullPolicy: Always
         name: oauth2-proxy
         ports:
@@ -90,7 +91,7 @@ spec:
     k8s-app: oauth2-proxy
 ```
 
-Here, `--set-xauthrequest` flag sets `X-Auth-Request-User` and `X-Auth-Request-User` headers, which will be forwarded to backend.
+Here, `--set-xauthrequest` flag sets `X-Auth-Request-User` and `X-Auth-Request-Email` headers, which will be forwarded to backend. It also sets `X-Auth-Request-Id-Token` header when `--pass-id-token` flag is `true`.
 
 Finally create the ingress:
 
@@ -193,7 +194,7 @@ spec:
         - name: OAUTH2_PROXY_CLIENT_SECRET
           value: ...
         - OAUTH2_PROXY_COOKIE_SECRET = ...
-        image: appscode/oauth2_proxy:2.2.0
+        image: appscode/oauth2_proxy:2.3.0
         imagePullPolicy: Always
         name: oauth2-proxy
         ports:

diff --git a/hack/docker/oauth2-proxy/Dockerfile b/hack/docker/oauth2-proxy/Dockerfile
diff --git a/hack/docker/oauth2-proxy/build.sh b/hack/docker/oauth2-proxy/build.sh
diff --git a/hack/docker/voyager/templates/http-frontend.cfg b/hack/docker/voyager/templates/http-frontend.cfg
@@ -90,6 +90,7 @@ frontend {{ .FrontendName }}
 	http-request redirect location {{ $host.ExternalAuth.SigninPath }}?rd=%[path] if acl_{{ $host.Host | acl_name }} ! acl_{{ $host.Host | acl_name }}_auth_backend_path acl_{{ $host.Host | acl_name }}_secure_paths ! { var(txn.auth_response_successful) -m bool }
 	http-request set-header X-Auth-Request-Email %[var(txn.auth_response_email)] if acl_{{ $host.Host | acl_name }} ! acl_{{ $host.Host | acl_name }}_auth_backend_path acl_{{ $host.Host | acl_name }}_secure_paths { var(txn.auth_response_email) -m found }
 	http-request set-header X-Auth-Request-User %[var(txn.auth_response_user)] if acl_{{ $host.Host | acl_name }} ! acl_{{ $host.Host | acl_name }}_auth_backend_path acl_{{ $host.Host | acl_name }}_secure_paths { var(txn.auth_response_user) -m found }
+	http-request set-header X-Auth-Request-Id-Token %[var(txn.auth_response_id_token)] if acl_{{ $host.Host | acl_name }} ! acl_{{ $host.Host | acl_name }}_auth_backend_path acl_{{ $host.Host | acl_name }}_secure_paths { var(txn.auth_response_id_token) -m found }
 	{{ end }}
 
 	{{ range $path := $host.Paths }}