Skip to content
This repository has been archived by the owner on Dec 7, 2020. It is now read-only.

Commit

Permalink
KEYCLOAK-12731 Add option 'UseAuthorizationHeader' to disable reading…
Browse files Browse the repository at this point in the history
… token from Authorization header

This makes it possible to protect applications with the gatekeeper which use the Authorization header with their own JWT token. Default of this value is true (backward compatible).
  • Loading branch information
phxql committed Jan 21, 2020
1 parent 29e8620 commit d69f646
Show file tree
Hide file tree
Showing 6 changed files with 34 additions and 14 deletions.
1 change: 1 addition & 0 deletions config.go
Original file line number Diff line number Diff line change
Expand Up @@ -38,6 +38,7 @@ func newDefaultConfig() *Config {
ClientAuthMethod: authMethodBasic,
CookieAccessName: accessCookie,
CookieRefreshName: refreshCookie,
UseAuthorizationHeader: true,
EnableAuthorizationCookies: true,
EnableAuthorizationHeader: true,
EnableDefaultDeny: true,
Expand Down
3 changes: 3 additions & 0 deletions doc.go
Original file line number Diff line number Diff line change
Expand Up @@ -197,6 +197,9 @@ type Config struct {
// ResponseHeader is a map of response headers to add to the response
ResponseHeaders map[string]string `json:"response-headers" yaml:"response-headers" usage:"custom headers to added to the http response key=value"`

// UseAuthorizationHeader indicates if we should read the token from the Authorization header
UseAuthorizationHeader bool `json:"use-authorization-header" yaml:"use-authorization-header" usage:"indicates if we should read token from Authorization header" env:"USE_AUTHORIZATION_HEADER"`

// EnableSelfSignedTLS indicates we should create a self-signed ceritificate for the service
EnabledSelfSignedTLS bool `json:"enable-self-signed-tls" yaml:"enable-self-signed-tls" usage:"create self signed certificates for the proxy" env:"ENABLE_SELF_SIGNED_TLS"`
// SelfSignedTLSHostnames is the list of hostnames to place on the certificate
Expand Down
2 changes: 2 additions & 0 deletions go.mod
Original file line number Diff line number Diff line change
Expand Up @@ -35,3 +35,5 @@ require (
gopkg.in/resty.v1 v1.10.3
gopkg.in/yaml.v2 v2.2.2
)

go 1.13
1 change: 1 addition & 0 deletions server_test.go
Original file line number Diff line number Diff line change
Expand Up @@ -447,6 +447,7 @@ func newFakeKeycloakConfig() *Config {
CookieRefreshName: "kc-state",
DisableAllLogging: true,
DiscoveryURL: "127.0.0.1:0",
UseAuthorizationHeader: true,
EnableAuthorizationCookies: true,
EnableAuthorizationHeader: true,
EnableLogging: false,
Expand Down
37 changes: 24 additions & 13 deletions session.go
Original file line number Diff line number Diff line change
Expand Up @@ -29,7 +29,7 @@ import (
func (r *oauthProxy) getIdentity(req *http.Request) (*userContext, error) {
var isBearer bool
// step: check for a bearer token or cookie with jwt token
access, isBearer, err := getTokenInRequest(req, r.config.CookieAccessName)
access, isBearer, err := getTokenInRequest(req, r.config.CookieAccessName, r.config.UseAuthorizationHeader)
if err != nil {
return nil, err
}
Expand Down Expand Up @@ -69,21 +69,32 @@ func (r *oauthProxy) getRefreshTokenFromCookie(req *http.Request) (string, error
}

// getTokenInRequest returns the access token from the http request
func getTokenInRequest(req *http.Request, name string) (string, bool, error) {
bearer := true
// step: check for a token in the authorization header
token, err := getTokenInBearer(req)
if err != nil {
if err != ErrSessionNotFound {
return "", false, err
}
if token, err = getTokenInCookie(req, name); err != nil {
return token, false, err
func getTokenInRequest(req *http.Request, name string, useAuthorizationHeader bool) (string, bool, error) {
if useAuthorizationHeader {
// step: check for a token in the authorization header
bearer := true
token, err := getTokenInBearer(req)

if err != nil {
bearer = false

if err != ErrSessionNotFound {
return "", bearer, err
}

if token, err = getTokenInCookie(req, name); err != nil {
return token, bearer, err
}
}
bearer = false
return token, bearer, nil
}

return token, bearer, nil
// step: check for a token in cookie
token, err := getTokenInCookie(req, name)
if err != nil {
return token, false, err
}
return token, false, nil
}

// getTokenInBearer retrieves a access token from the authorization header
Expand Down
4 changes: 3 additions & 1 deletion session_test.go
Original file line number Diff line number Diff line change
Expand Up @@ -124,7 +124,9 @@ func TestGetTokenInRequest(t *testing.T) {
})
}
}
access, bearer, err := getTokenInRequest(req, defaultName)

access, bearer, err := getTokenInRequest(req, defaultName, true)

switch x.Error {
case nil:
assert.NoError(t, err, "case %d should not have thrown an error", i)
Expand Down

0 comments on commit d69f646

Please sign in to comment.