allow specifying additional headers for the oauth introspection request #302

Merged
merged 2 commits into from Nov 25, 2019
allow specifying additional headers for the oauth introspection request

paulbdavis committed Nov 16, 2019
commit a042a1d3fda95af14a894ea9642c3abd0d12ee7c
@@ -468,6 +468,11 @@
"type": "string"
}
},
"request_headers": {
"title": "Request Headers",
"description": "Additional headers to be added to the request to the OAuth2 Introspection URL",
"type": "object"

aeneasr Nov 19, 2019

Member

Could you add an example please?

"examples": [{ "X-Whatever": "foo" }]
},
"token_from": {
"title": "Token From",
"description": "The location of the token.\n If not configured, the token will be received from a default location - 'Authorization' header.\n One and only one location (header or query) must be specified.",
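Review bot: `request_headers` is declared as a bare `"type": "object"`, so the schema accepts values of any type, while the Go struct in this change decodes the field into `map[string]string`. A number or nested object would pass schema validation and not be caught until the configuration is decoded. Constrain the values with `"additionalProperties": { "type": "string" }`. Because these headers may carry a credential for the introspection endpoint, the description could also state that the values should be handled as secrets.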
@@ -1242,4 +1247,4 @@
},
"required": [],
"additionalProperties": false
}
}
@@ -27,6 +27,7 @@ type AuthenticatorOAuth2IntrospectionConfiguration struct {
ScopeStrategy string `json:"scope_strategy"`
IntrospectionURL string `json:"introspection_url"`
BearerTokenLocation *helper.BearerTokenLocation `json:"token_from"`
RequestHeaders map[string]string `json:"request_headers"`
This conversation was marked as resolved by paulbdavis

aeneasr Nov 18, 2019

Member

Maybe introspection_request_headers to make it explicit that this is for the introspection request?

paulbdavis Nov 18, 2019

Author Contributor

makes sense

}

type AuthenticatorOAuth2IntrospectionPreAuthConfiguration struct {
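Review bot: the new `RequestHeaders` field has no doc comment, and its JSON tag `request_headers` has to match the property name added to the config schema. If the rename to `introspection_request_headers` discussed in this thread goes ahead, change the tag and the schema key in the same commit so that a key accepted by the schema is not silently ignored when the configuration is decoded.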
@@ -77,7 +78,16 @@ func (a *AuthenticatorOAuth2Introspection) Authenticate(r *http.Request, config
}

body := url.Values{"token": {token}, "scope": {strings.Join(cf.Scopes, " ")}}
resp, err := a.client.Post(cf.IntrospectionURL, "application/x-www-form-urlencoded", strings.NewReader(body.Encode()))
introspectReq, err := http.NewRequest(http.MethodPost, cf.IntrospectionURL, strings.NewReader(body.Encode()))
if err != nil {
return nil, errors.WithStack(err)
}
for key, value := range cf.RequestHeaders {
introspectReq.Header.Set(key, value)
}
// set/override the content-type header
introspectReq.Header.Set("Content-Type", "application/x-www-form-urlencoded")
resp, err := a.client.Do(introspectReq)
if err != nil {
return nil, errors.WithStack(err)
}
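Review bot: the request built with `http.NewRequest` carries no context, so a cancelled or timed-out inbound request `r` does not cancel the introspection call. Now that the request is constructed explicitly, attach the caller's context with `introspectReq = introspectReq.WithContext(r.Context())` before `a.client.Do`. Separately, the loop over `cf.RequestHeaders` followed by the forced `Content-Type` means a configured `Content-Type` is silently discarded; the schema description should say that this header cannot be overridden.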
@@ -96,7 +106,7 @@ func (a *AuthenticatorOAuth2Introspection) Authenticate(r *http.Request, config
}

if !i.Active {
return nil, errors.WithStack(helper.ErrForbidden.WithReason("Access token i says token is not active"))
return nil, errors.WithStack(helper.ErrUnauthorized.WithReason("Access token i says token is not active"))

aeneasr Nov 19, 2019

Member
Suggested change
return nil, errors.WithStack(helper.ErrUnauthorized.WithReason("Access token i says token is not active"))
return nil, errors.WithStack(helper.ErrUnauthorized.WithReason("The provided Access Token is invalid, expired, or malformed."))
}

for _, audience := range cf.Audience {
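Review bot: switching `helper.ErrForbidden` to `helper.ErrUnauthorized` for an inactive token is a client-visible behaviour change that the commit title (additional introspection request headers) does not mention. Put it in its own commit or call it out in the PR description, and update any test that expects the forbidden error. The reason string "Access token i says token is not active" also reads as garbled; the wording suggested in the thread above is clearer.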