diff --git a/pipeline/authz/remote.go b/pipeline/authz/remote.go
index 6251d27293..6a727e79c6 100644
--- a/pipeline/authz/remote.go
+++ b/pipeline/authz/remote.go
@@ -65,6 +65,10 @@ func (a *AuthorizerRemote) Authorize(r *http.Request, session *authn.Authenticat
 return errors.WithStack(err)
 }
 req.Header.Add("Content-Type", r.Header.Get("Content-Type"))
+ authz := r.Header.Get("Authorization")
+ if authz != "" {
+ req.Header.Add("Authorization", authz)
+ }
 for hdr, templateString := range c.Headers {
 var tmpl *template.Template
diff --git a/pipeline/authz/remote_json.go b/pipeline/authz/remote_json.go
index a673c54647..bf56473e8b 100644
--- a/pipeline/authz/remote_json.go
+++ b/pipeline/authz/remote_json.go
@@ -53,7 +53,7 @@ func (a *AuthorizerRemoteJSON) GetID() string {
 }
 // Authorize implements the Authorizer interface.
-func (a *AuthorizerRemoteJSON) Authorize(_ *http.Request, session *authn.AuthenticationSession, config json.RawMessage, _ pipeline.Rule) error {
+func (a *AuthorizerRemoteJSON) Authorize(r *http.Request, session *authn.AuthenticationSession, config json.RawMessage, _ pipeline.Rule) error {
 c, err := a.Config(config)
 if err != nil {
 return err
@@ -84,6 +84,10 @@ func (a *AuthorizerRemoteJSON) Authorize(_ *http.Request, session *authn.Authent
 return errors.WithStack(err)
 }
 req.Header.Add("Content-Type", "application/json")
+ authz := r.Header.Get("Authorization")
+ if authz != "" {
+ req.Header.Add("Authorization", authz)
+ }
 res, err := a.client.Do(req)
 if err != nil {
diff --git a/pipeline/authz/remote_json_test.go b/pipeline/authz/remote_json_test.go
index b41cbe91fb..d1ceb1e056 100644
--- a/pipeline/authz/remote_json_test.go
+++ b/pipeline/authz/remote_json_test.go
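Review bot: The added `req.Header.Add("Authorization", authz)` in `AuthorizerRemote.Authorize` (and the identical lines in the `@@ -84,6 +84,10 @@` hunk of remote_json.go) forwards the caller's credential to the remote authorizer on every request, with no configuration switch to turn it off. That widens where bearer tokens and basic-auth secrets travel: each configured remote endpoint, and anything that logs its requests, now sees them, so this is safer as an explicit opt-in in the authorizer config, or at minimum documented with a comment such as `// Forwards the client's Authorization header verbatim; the remote endpoint must be trusted and reached over TLS.` In remote.go the `c.Headers` template loop runs right after this; if a rule also templates `Authorization` and that loop uses `Add` (not visible in the hunk), the upstream request ends up with two values, so prefer `req.Header.Set("Authorization", authz)` here and state which source wins. Both function bodies start and end outside their hunks.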
@@ -87,6 +87,8 @@ func TestAuthorizerRemoteJSONAuthorize(t *testing.T) {
 return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
 assert.Contains(t, r.Header, "Content-Type")
 assert.Contains(t, r.Header["Content-Type"], "application/json")
+ assert.Contains(t, r.Header, "Authorization")
+ assert.Contains(t, r.Header["Authorization"], "Bearer token")
 body, err := ioutil.ReadAll(r.Body)
 require.NoError(t, err)
 assert.Equal(t, string(body), "{}")
@@ -139,7 +141,11 @@ func TestAuthorizerRemoteJSONAuthorize(t *testing.T) {
 p := configuration.NewViperProvider(logrusx.New("", ""))
 a := NewAuthorizerRemoteJSON(p)
- if err := a.Authorize(&http.Request{}, tt.session, tt.config, &rule.Rule{}); (err != nil) != tt.wantErr {
+ if err := a.Authorize(&http.Request{
+ Header: map[string][]string{
+ "Authorization": {"Bearer token"},
+ },
+ }, tt.session, tt.config, &rule.Rule{}); (err != nil) != tt.wantErr {
 t.Errorf("Authorize() error = %v, wantErr %v", err, tt.wantErr)
 }
 })
diff --git a/pipeline/authz/remote_test.go b/pipeline/authz/remote_test.go
index af514168cb..b93727d14d 100644
--- a/pipeline/authz/remote_test.go
+++ b/pipeline/authz/remote_test.go
@@ -92,6 +92,7 @@ func TestAuthorizerRemoteAuthorize(t *testing.T) {
 return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
 assert.Contains(t, r.Header, "Content-Type")
 assert.Contains(t, r.Header["Content-Type"], "text/plain")
+ assert.Nil(t, r.Header["Authorization"])
 body, err := ioutil.ReadAll(r.Body)
 require.NoError(t, err)
 assert.Equal(t, "testtest", string(body))
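Review bot: In the `@@ -139,7 +141,11 @@` hunk of remote_json_test.go every table case now sends `Authorization: Bearer token`, so the `authz != ""` guard added to remote_json.go is never exercised with an empty header. The handler assertions added in the `@@ -87,6 +87,8 @@` hunk also require the header on each call that reaches that server, so a no-credential case would need its own expectation that the upstream request has no `Authorization` key. As a style point the request literal reads more clearly with the named type, `Header: http.Header{"Authorization": {"Bearer token"}},`. The test function starts and ends outside both hunks.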
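Review bot: `assert.Nil(t, r.Header["Authorization"])` in remote_test.go pins only the case where the incoming request carries no credential; nothing in this diff checks that the forwarding added to remote.go actually delivers the header upstream. The `Authorize` call for this test is outside the hunk, so presumably it passes a request without `Authorization`. A case that sets `Authorization: Bearer token` on the incoming request and asserts `r.Header.Get("Authorization")` on the server side would cover the new branch, mirroring what remote_json_test.go does.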