Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

feat: Forward original authorization header when using remote (json) authorizer #554

Merged
merged 3 commits into from
Oct 13, 2020
Merged

feat: Forward original authorization header when using remote (json) authorizer #554

merged 3 commits into from
Oct 13, 2020

Conversation

catper
Copy link
Contributor

@catper catper commented Oct 8, 2020

Related issue

#528

Proposed changes

Sometimes the user/subject from the authSession is not enough when attempting to make informed access control decisions. This PR grants access to the authorization header from the original request when using the remote and remote_json authorizers so that additional information can be extracted from the token if need be.

Checklist

  • I have read the contributing guidelines.
  • I have read the security policy.
  • I confirm that this pull request does not address a security
    vulnerability. If this pull request addresses a security. vulnerability, I
    confirm that I got green light (please contact
    [email protected]) from the maintainers to push
    the changes.
  • I have added tests that prove my fix is effective or that my feature
    works.
  • I have added or changed the documentation.

Further comments

n/a

zepatrik
zepatrik reviewed Oct 8, 2020
View reviewed changes
pipeline/authz/remote_json.go Outdated
@@ -84,6 +84,7 @@ func (a *AuthorizerRemoteJSON) Authorize(_ *http.Request, session *authn.Authent
return errors.WithStack(err)
}
req.Header.Add("Content-Type", "application/json")
req.Header.Add("Authorization", r.Header.Get("Authorization"))
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

What happens when there is no Authorization header in the original request? Looks like it will still be set, then to an empty string?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

mmm, that's not so nice i guess. changed to only forward if authz header is non-empty

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

can you maybe also add a test case for that? thanks 😉

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

done!

zepatrik
zepatrik approved these changes Oct 9, 2020
View reviewed changes
Copy link
Member

@zepatrik zepatrik left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Nice, looking good 👍

@aeneasr aeneasr merged commit f4f781e into ory:master Oct 13, 2020
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@aeneasr aeneasr aeneasr approved these changes

@zepatrik zepatrik zepatrik approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@catper @aeneasr @zepatrik