KEYCLOAK-12731 Add option 'UseAuthorizationHeader' to disable reading…

… token from Authorization header

This makes it possible to protect applications with the gatekeeper which use the Authorization header with their own JWT token. Default of this value is true (backward compatible).

config.go

@@ -38,6 +38,7 @@ func newDefaultConfig() *Config {
 		ClientAuthMethod:              authMethodBasic,
 		CookieAccessName:              accessCookie,
 		CookieRefreshName:             refreshCookie,
+		UseAuthorizationHeader:        true,
 		EnableAuthorizationCookies:    true,
 		EnableAuthorizationHeader:     true,
 		EnableDefaultDeny:             true,

doc.go

@@ -197,6 +197,9 @@ type Config struct {
 	// ResponseHeader is a map of response headers to add to the response
 	ResponseHeaders map[string]string `json:"response-headers" yaml:"response-headers" usage:"custom headers to added to the http response key=value"`
 
+	// UseAuthorizationHeader indicates if we should read the token from the Authorization header
+	UseAuthorizationHeader bool `json:"use-authorization-header" yaml:"use-authorization-header" usage:"indicates if we should read token from Authorization header" env:"USE_AUTHORIZATION_HEADER"`
+
 	// EnableSelfSignedTLS indicates we should create a self-signed ceritificate for the service
 	EnabledSelfSignedTLS bool `json:"enable-self-signed-tls" yaml:"enable-self-signed-tls" usage:"create self signed certificates for the proxy" env:"ENABLE_SELF_SIGNED_TLS"`
 	// SelfSignedTLSHostnames is the list of hostnames to place on the certificate

session.go

@@ -29,7 +29,7 @@ import (
 func (r *oauthProxy) getIdentity(req *http.Request) (*userContext, error) {
 	var isBearer bool
 	// step: check for a bearer token or cookie with jwt token
-	access, isBearer, err := getTokenInRequest(req, r.config.CookieAccessName)
+	access, isBearer, err := getTokenInRequest(req, r.config.CookieAccessName, r.config.UseAuthorizationHeader)
 	if err != nil {
 		return nil, err
 	}
@@ -69,18 +69,27 @@ func (r *oauthProxy) getRefreshTokenFromCookie(req *http.Request) (string, error
 }
 
 // getTokenInRequest returns the access token from the http request
-func getTokenInRequest(req *http.Request, name string) (string, bool, error) {
+func getTokenInRequest(req *http.Request, name string, useAuthorizationHeader bool) (string, bool, error) {
 	bearer := true
-	// step: check for a token in the authorization header
-	token, err := getTokenInBearer(req)
-	if err != nil {
-		if err != ErrSessionNotFound {
-			return "", false, err
-		}
-		if token, err = getTokenInCookie(req, name); err != nil {
-			return token, false, err
+	var token string
+	if useAuthorizationHeader {
+		// step: check for a token in the authorization header
+		token, err := getTokenInBearer(req)
+		if err != nil {
+			bearer = false
+			if err != ErrSessionNotFound {
+				return "", bearer, err
+			}
+			if token, err = getTokenInCookie(req, name); err != nil {
+				return token, bearer, err
+			}
 		}
+	} else {
+		// step: check for a token in cookie
 		bearer = false
+		if token, err := getTokenInCookie(req, name); err != nil {
+			return token, bearer, err
+		}
 	}
 
 	return token, bearer, nil

session_test.go

@@ -124,7 +124,7 @@ func TestGetTokenInRequest(t *testing.T) {
 				})
 			}
 		}
-		access, bearer, err := getTokenInRequest(req, defaultName)
+		access, bearer, err := getTokenInRequest(req, defaultName, true)
 		switch x.Error {
 		case nil:
 			assert.NoError(t, err, "case %d should not have thrown an error", i)