feat: ability to disable passing of authorization header to downstrea…

…m service
shelmangroup · Sep 3, 2024 · 042c44f · 042c44f
1 parent 9989e24
commit 042c44f
Show file tree

Hide file tree

Showing 4 changed files with 25 additions and 17 deletions.
diff --git a/authz/authz.go b/authz/authz.go
@@ -111,7 +111,7 @@ func (s *Service) Check(ctx context.Context, req *connect.Request[auth.CheckRequ
 			attribute.String("cookie_name_prefix", provider.CookieNamePrefix),
 			attribute.String("pre_auth_policy", provider.PreAuthPolicy),
 			attribute.String("post_auth_policy", provider.PostAuthPolicy),
-			attribute.Bool("secure_cookie", provider.SecureCookie),
+			attribute.Bool("secure_cookie", provider.DisableSecureCookie),
 			attribute.StringSlice("scopes", provider.Scopes),
 			attribute.String("header_match_name", provider.HeaderMatch.Name),
 		),
@@ -283,9 +283,11 @@ func (s *Service) authProcess(ctx context.Context, req *auth.AttributeContext_Ht
 		return s.authResponse(false, envoy_type.StatusCode_Found, headers, nil, "redirect to Idp"), nil
 	}
 
-	slog.Debug("setting authorization header to upstream request")
+	if !provider.DisablePassAuthorizationHeader {
+		slog.Debug("setting authorization header to upstream request")
+		headers = append(headers, s.setAuthorizationHeader(sessionData.IdToken))
+	}
 	span.SetStatus(codes.Ok, "success")
-	headers = append(headers, s.setAuthorizationHeader(sessionData.IdToken))
 	return s.authResponse(true, envoy_type.StatusCode_OK, headers, nil, "success"), nil
 }
 
@@ -394,13 +396,18 @@ func (s *Service) newSession(ctx context.Context, requestedURL, sessionCookieNam
 	codeChallenge := storeKey[43:]
 	idpAuthURL := provider.p.IdpAuthURL(codeChallenge)
 	headers = append(headers, s.setRedirectHeader(idpAuthURL))
+
 	// set cookie with session id and redirect to Idp
+	var secureCookie bool
+	if !provider.DisableSecureCookie {
+		secureCookie = true
+	}
 	cookie := &http.Cookie{
 		Name:     sessionCookieName,
 		Value:    sessionToken,
 		Path:     "/",
 		HttpOnly: true,
-		Secure:   provider.SecureCookie,
+		Secure:   secureCookie,
 		SameSite: http.SameSiteLaxMode,
 	}
 

diff --git a/authz/config.go b/authz/config.go
@@ -27,17 +27,18 @@ type OIDCProvider struct {
 	preAuthPolicy  *policy.Policy
 	postAuthPolicy *policy.Policy
 
-	HeaderMatch      HeaderMatch  `yaml:"headerMatch"`
-	Logout           LogoutConfig `yaml:"logout"`
-	ClientID         string       `yaml:"clientID"`
-	CallbackURI      string       `yaml:"callbackURI"`
-	ClientSecret     string       `yaml:"clientSecret"`
-	CookieNamePrefix string       `yaml:"cookieNamePrefix"`
-	PreAuthPolicy    string       `yaml:"preAuthPolicy"`
-	PostAuthPolicy   string       `yaml:"postAuthPolicy"`
-	IssuerURL        string       `yaml:"issuerURL"`
-	Scopes           []string     `yaml:"scopes"`
-	SecureCookie     bool         `yaml:"secureCookie"`
+	HeaderMatch                    HeaderMatch  `yaml:"headerMatch"`
+	Logout                         LogoutConfig `yaml:"logout"`
+	ClientID                       string       `yaml:"clientID"`
+	CallbackURI                    string       `yaml:"callbackURI"`
+	ClientSecret                   string       `yaml:"clientSecret"`
+	CookieNamePrefix               string       `yaml:"cookieNamePrefix"`
+	PreAuthPolicy                  string       `yaml:"preAuthPolicy"`
+	PostAuthPolicy                 string       `yaml:"postAuthPolicy"`
+	IssuerURL                      string       `yaml:"issuerURL"`
+	Scopes                         []string     `yaml:"scopes"`
+	DisableSecureCookie            bool         `yaml:"disableSecureCookie"`
+	DisablePassAuthorizationHeader bool         `yaml:"disablePassAuthorizationHeader"`
 }
 
 type HeaderMatch struct {

diff --git a/run/config/providers.yaml b/run/config/providers.yaml
@@ -5,7 +5,8 @@ providers:
     clientID: podinfo
     # clientSecret: test1234 # omit for PKCE auth
     cookieNamePrefix: podinfo
-    # secureCookie: true # disable for local development
+    disableSecureCookie: true # disable for local development
+    # disablePassAuthorizationHeader: true # disable Authorization header passing to downstream service
     logout:
       redirectURI: http://localhost:5556/dex/end-session
       path: /_authz/logout

diff --git a/run/k8s/manifests/oidc-providers.yaml b/run/k8s/manifests/oidc-providers.yaml
@@ -5,7 +5,6 @@ providers:
   #   clientID: client-id
   #   clientSecret: secret
   #   cookieNamePrefix: test
-  #   secureCookie: true
   #   scopes:
   #     - openid
   #     - profile