feat: forward original authorization header when using remote (json) …

…authorizer (#554) Closes #528
ory · Oct 13, 2020 · f4f781e · f4f781e
1 parent 408e9f2
commit f4f781e
Show file tree

Hide file tree

Showing 4 changed files with 17 additions and 2 deletions.
diff --git a/pipeline/authz/remote.go b/pipeline/authz/remote.go
@@ -65,6 +65,10 @@ func (a *AuthorizerRemote) Authorize(r *http.Request, session *authn.Authenticat
 		return errors.WithStack(err)
 	}
 	req.Header.Add("Content-Type", r.Header.Get("Content-Type"))
+	authz := r.Header.Get("Authorization")
+	if authz != "" {
+		req.Header.Add("Authorization", authz)
+	}
 
 	for hdr, templateString := range c.Headers {
 		var tmpl *template.Template

diff --git a/pipeline/authz/remote_json.go b/pipeline/authz/remote_json.go
@@ -53,7 +53,7 @@ func (a *AuthorizerRemoteJSON) GetID() string {
 }
 
 // Authorize implements the Authorizer interface.
-func (a *AuthorizerRemoteJSON) Authorize(_ *http.Request, session *authn.AuthenticationSession, config json.RawMessage, _ pipeline.Rule) error {
+func (a *AuthorizerRemoteJSON) Authorize(r *http.Request, session *authn.AuthenticationSession, config json.RawMessage, _ pipeline.Rule) error {
 	c, err := a.Config(config)
 	if err != nil {
 		return err
@@ -84,6 +84,10 @@ func (a *AuthorizerRemoteJSON) Authorize(_ *http.Request, session *authn.Authent
 		return errors.WithStack(err)
 	}
 	req.Header.Add("Content-Type", "application/json")
+	authz := r.Header.Get("Authorization")
+	if authz != "" {
+		req.Header.Add("Authorization", authz)
+	}
 
 	res, err := a.client.Do(req)
 	if err != nil {

diff --git a/pipeline/authz/remote_json_test.go b/pipeline/authz/remote_json_test.go
@@ -87,6 +87,8 @@ func TestAuthorizerRemoteJSONAuthorize(t *testing.T) {
 				return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
 					assert.Contains(t, r.Header, "Content-Type")
 					assert.Contains(t, r.Header["Content-Type"], "application/json")
+					assert.Contains(t, r.Header, "Authorization")
+					assert.Contains(t, r.Header["Authorization"], "Bearer token")
 					body, err := ioutil.ReadAll(r.Body)
 					require.NoError(t, err)
 					assert.Equal(t, string(body), "{}")
@@ -139,7 +141,11 @@ func TestAuthorizerRemoteJSONAuthorize(t *testing.T) {
 
 			p := configuration.NewViperProvider(logrusx.New("", ""))
 			a := NewAuthorizerRemoteJSON(p)
-			if err := a.Authorize(&http.Request{}, tt.session, tt.config, &rule.Rule{}); (err != nil) != tt.wantErr {
+			if err := a.Authorize(&http.Request{
+				Header: map[string][]string{
+					"Authorization": {"Bearer token"},
+				},
+			}, tt.session, tt.config, &rule.Rule{}); (err != nil) != tt.wantErr {
 				t.Errorf("Authorize() error = %v, wantErr %v", err, tt.wantErr)
 			}
 		})

diff --git a/pipeline/authz/remote_test.go b/pipeline/authz/remote_test.go
@@ -92,6 +92,7 @@ func TestAuthorizerRemoteAuthorize(t *testing.T) {
 				return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
 					assert.Contains(t, r.Header, "Content-Type")
 					assert.Contains(t, r.Header["Content-Type"], "text/plain")
+					assert.Nil(t, r.Header["Authorization"])
 					body, err := ioutil.ReadAll(r.Body)
 					require.NoError(t, err)
 					assert.Equal(t, "testtest", string(body))