mesosphere / traefik-forward-auth


Send configured claims as headers to backends #72

Open bennesp opened 2 years ago

bennesp commented 2 years ago

This PR adds the possibility to configure generic claims to be passed to backends as headers.

It is related to this comment https://github.com/mesosphere/traefik-forward-auth/issues/64#issuecomment-1073260776 which is by far the most upvoted comment in this repository

Just as an example: if you set EXTRA_CLAIMS = "x-forwarded-locale:locale, x-forwarded-picture:picture" then your backends will receive two new headers: X-Forwarded-Locale, containing the value inside the locale claim, and X-Forwarded-Picture, containing the value inside the claim picture

Note: remember also to add authResponseHeaders or authResponseHeadersRegex to your middleware appropriately of course
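
Added example, not part of the PR or of the project's code: one way the `header:claim` mapping described in the comment above could be parsed and applied, skipping missing claims and dropping values that contain control characters. The function names `parseExtraClaims` and `claimHeaders` and the sample claims are assumptions made for illustration.

```go
package main

import (
	"fmt"
	"net/http"
	"strings"
)

// parseExtraClaims (hypothetical name) parses "header:claim, header:claim",
// the EXTRA_CLAIMS format shown above, into canonical header name -> claim name.
func parseExtraClaims(spec string) (map[string]string, error) {
	out := map[string]string{}
	for _, pair := range strings.Split(spec, ",") {
		pair = strings.TrimSpace(pair)
		if pair == "" {
			continue
		}
		header, claim, ok := strings.Cut(pair, ":")
		header, claim = strings.TrimSpace(header), strings.TrimSpace(claim)
		if !ok || header == "" || claim == "" {
			return nil, fmt.Errorf("invalid mapping %q, want header:claim", pair)
		}
		out[http.CanonicalHeaderKey(header)] = claim
	}
	return out, nil
}

// claimHeaders (hypothetical name) builds the headers for one set of claims.
// Missing claims are skipped; values with control characters are dropped so
// that a claim value cannot carry CR/LF into a header sent to the backend.
func claimHeaders(mapping map[string]string, claims map[string]any) http.Header {
	h := http.Header{}
	isCtl := func(r rune) bool { return r < 0x20 || r == 0x7f }
	for header, claim := range mapping {
		v, ok := claims[claim]
		if !ok {
			continue
		}
		if s := fmt.Sprint(v); strings.IndexFunc(s, isCtl) < 0 {
			h.Set(header, s)
		}
	}
	return h
}

func main() {
	m, _ := parseExtraClaims("x-forwarded-locale:locale, x-forwarded-picture:picture")
	// Constructed sample claims, not taken from a real token.
	claims := map[string]any{"locale": "en", "picture": "https://example.test/a.png"}
	fmt.Println(claimHeaders(m, claims))
}
```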

thmo commented 1 year ago

This really looks useful - could you provide a build of it, maybe in your fork?

bennesp commented 1 year ago

Sure, here it is: ghcr.io/bennesp/traefik-forward-auth:v3.1.0-pr72. It is built by GitHub Actions

thmo commented 1 year ago

Thx!

dleske commented 1 year ago

Is there something holding this back (apart from devs' time of course)? So far as I can tell this would be the only way for me to receive claims about authenticated users from the identity providers--I am releasing information from the providers but can only get the username (e-mail) to my application.

bennesp commented 1 year ago

> So far as I can tell this would be the only way for me to receive claims about authenticated users from the identity providers

I don’t think this is totally true. I recall a configuration variable (I think it was called FORWARD_TOKEN_HEADER_NAME) that you can use to choose the header where to receive the whole JWT in the backend.

Then, of course, your backend needs to decode the JWT, but after that (even without verifying it, if you trust the network) you will be able to access any claim defined in the JWT.

This of course doesn't prevent this PR from being reviewed and merged 😅

thmo commented 1 week ago

Would love to see this one merged...

bennesp commented 4 days ago

I considered this fork as unmaintained since I didn't see any new commits from 2022, but then in August I saw @mhrabovcin working on merging some PRs.

Maybe he can give a shot to this PR too? 🙏