Allow configuration of returned auth proxy header #1839
Conversation
seuf
force-pushed
the
authproxy-header-configuration
branch
2 times, most recently
from
e86961d
to
8955390
Compare
|
Hi, Is it possible to review this ? we are using this branch in production for a few weeks now, and it works great. |
connector/authproxy/authproxy.go
Outdated
| type Config struct{} | ||
| type Config struct { | ||
| HeaderName string `json:"headerName"` | ||
| Groups []string `json:"groups"` |
There was a problem hiding this comment.
Can you please remove this change from this PR? It's not described anywhere and has nothing to do with headers.
There was a problem hiding this comment.
ok, I can split in 2 PR to add also the groups configuration.
There was a problem hiding this comment.
You can submit it in a separate PR, but we are working on #1841 which will add this feature generally to all connectors, so I'm not sure we'll be accepting any more config changes like this.
connector/authproxy/authproxy.go
Outdated
| @@ -14,16 +14,24 @@ import ( | |||
|
|
|||
| // Config holds the configuration parameters for a connector which returns an | |||
| // identity with the HTTP header X-Remote-User as verified email. | |||
| type Config struct{} | |||
| type Config struct { | |||
| HeaderName string `json:"headerName"` | |||
There was a problem hiding this comment.
I wonder if this should be called something like UserHeaderName or just UserHeader. Another common header name is X-Forwarded-Groups for group information.
connector/authproxy/authproxy.go
Outdated
|
|
||
| // Open returns an authentication strategy which requires no user interaction. | ||
| func (c *Config) Open(id string, logger log.Logger) (connector.Connector, error) { | ||
| return &callback{logger: logger, pathSuffix: "/" + id}, nil | ||
| if c.HeaderName == "" { |
There was a problem hiding this comment.
Note that this actually modifies the config. I think it would be better to create a local variable for the header and fall back to the default if it's empty.
There was a problem hiding this comment.
ok, I've used a default value in the callback directly without modifying the config.
Signed-off-by: seuf <seuf76@gmail.com>
Signed-off-by: seuf <seuf76@gmail.com>
Signed-off-by: seuf <seuf76@gmail.com>
Co-authored-by: Márk Sági-Kazár <sagikazarmark@users.noreply.github.com> Signed-off-by: seuf <seuf76@gmail.com>
seuf
force-pushed
the
authproxy-header-configuration
branch
from
fcc3164
to
e164bb3
Compare
The official docker release for this release can be pulled from ``` ghcr.io/dexidp/dex:v2.28.0 ``` **Features:** - Add c_hash to id_token, issued on /auth endpoint, when in hybrid flow (dexidp#1773, @HEllRZA) - Allow configuration of returned auth proxy header (dexidp#1839, @seuf) - Allow to disable os.ExpandEnv for storage + connector configs by env variable DEX_EXPAND_ENV = false (dexidp#1902, @heidemn-faro) - Added the possibility to activate lowercase for UPN-Strings (dexidp#1888, @VF-mbrauer) - Add "Cache-control: no-store" and "Pragma: no-cache" headers to token responses (dexidp#1948, @nabokihms) - Add gomplate to the docker image (dexidp#1893, @nabokihms) - Graceful shutdown (dexidp#1963, @nabokihms) - Allow public clients created with API to have no client_secret (dexidp#1871, @spohner) **Bugfixes:** - Fix the etcd PKCE AuthCode deserialization (dexidp#1908, @bnu0) - Fix garbage collection logging of device codes and device request (dexidp#1918, @nabokihms) - Discovery endpoint contains updated claims and auth methods (dexidp#1951, @nabokihms) - Return invalid_grant error if auth code is invalid or expired (dexidp#1952, @nabokihms) - Return an error to auth requests with the "request" parameter (dexidp#1956, @nabokihms) **Minor changes:** - Change default themes to light/dark (dexidp#1858, @nabokihms) - Various developer experience improvements - Dependency upgrades - Tons of small fixes and changes
This is a small PR to allow configuration of the header returned by the auth proxy.
We are using traefik as reverse proxy + traefik-forward-auth plugged on google to access our argocd interface.
But in traefik-forward-auth, the returned header after authentication is
X-Forwarded-User.With this feature, we can now login to argocd using the dex config :
dex will fetch the header set by traefik forward auth and authenticate the user with the correct user email.