feat: forward auth

Add support for request headers and response client headers.
2025-05-31 04:37:20 +02:00 · 2025-04-21 15:23:32 +10:00 · 2025-04-21 15:23:32 +10:00 · 3f1c50c009
commit 3f1c50c009
parent 8f046a0b47
5 changed files with 78 additions and 17 deletions
--- a/src/mod/auth/sso/forward/const.go
+++ b/src/mod/auth/sso/forward/const.go
@ -9,6 +9,8 @@ const (

 	DatabaseKeyAddress                = "address"
 	DatabaseKeyResponseHeaders        = "responseHeaders"
+	DatabaseKeyResponseClientHeaders  = "responseClientHeaders"
+	DatabaseKeyRequestHeaders         = "requestHeaders"
 	DatabaseKeyRequestExcludedCookies = "requestExcludedCookies"

 	HeaderXForwardedProto  = "X-Forwarded-Proto"
--- a/src/mod/auth/sso/forward/forward.go
+++ b/src/mod/auth/sso/forward/forward.go
@ -20,6 +20,14 @@ type AuthRouterOptions struct {
 	// the request.
 	ResponseHeaders []string

+	// ResponseClientHeaders is a list of headers to be copied from the response if provided by the forward auth
+	// endpoint to the response to the client.
+	ResponseClientHeaders []string
+
+	// RequestHeaders is a list of headers to be copied from the request to the authorization server. If empty all
+	// headers are copied.
+	RequestHeaders []string
+
 	// RequestExcludedCookies is a list of cookie keys that should be removed from every request sent to the upstream.
 	RequestExcludedCookies []string

@ -39,12 +47,16 @@ func NewAuthRouter(options *AuthRouterOptions) *AuthRouter {
 	//Read settings from database if available.
 	options.Database.Read(DatabaseTable, DatabaseKeyAddress, &options.Address)

-	responseHeaders, requestExcludedCookies := "", ""
+	responseHeaders, responseClientHeaders, requestHeaders, requestExcludedCookies := "", "", "", ""

-	options.Database.Read(DatabaseTable, DatabaseKeyResponseHeaders, responseHeaders)
-	options.Database.Read(DatabaseTable, DatabaseKeyRequestExcludedCookies, requestExcludedCookies)
+	options.Database.Read(DatabaseTable, DatabaseKeyResponseHeaders, &responseHeaders)
+	options.Database.Read(DatabaseTable, DatabaseKeyResponseClientHeaders, &responseClientHeaders)
+	options.Database.Read(DatabaseTable, DatabaseKeyRequestHeaders, &requestHeaders)
+	options.Database.Read(DatabaseTable, DatabaseKeyRequestExcludedCookies, &requestExcludedCookies)

 	options.ResponseHeaders = strings.Split(responseHeaders, ",")
+	options.ResponseClientHeaders = strings.Split(responseHeaders, ",")
+	options.RequestHeaders = strings.Split(requestHeaders, ",")
 	options.RequestExcludedCookies = strings.Split(requestExcludedCookies, ",")

 	return &AuthRouter{
@ -73,6 +85,8 @@ func (ar *AuthRouter) handleOptionsGET(w http.ResponseWriter, r *http.Request) {
 	js, _ := json.Marshal(map[string]interface{}{
 		DatabaseKeyAddress:                ar.options.Address,
 		DatabaseKeyResponseHeaders:        ar.options.ResponseHeaders,
+		DatabaseKeyResponseClientHeaders:  ar.options.ResponseClientHeaders,
+		DatabaseKeyRequestHeaders:         ar.options.RequestHeaders,
 		DatabaseKeyRequestExcludedCookies: ar.options.RequestExcludedCookies,
 	})

@ -90,18 +104,23 @@ func (ar *AuthRouter) handleOptionsPOST(w http.ResponseWriter, r *http.Request)
 		return
 	}

-	// These are optional fields.
+	// These are optional fields and can be empty strings.
 	responseHeaders, _ := utils.PostPara(r, DatabaseKeyResponseHeaders)
+	responseClientHeaders, _ := utils.PostPara(r, DatabaseKeyResponseHeaders)
+	requestHeaders, _ := utils.PostPara(r, DatabaseKeyRequestHeaders)
 	requestExcludedCookies, _ := utils.PostPara(r, DatabaseKeyRequestExcludedCookies)

 	// Write changes to runtime
 	ar.options.Address = address
 	ar.options.ResponseHeaders = strings.Split(responseHeaders, ",")
+	ar.options.RequestHeaders = strings.Split(requestHeaders, ",")
 	ar.options.RequestExcludedCookies = strings.Split(requestExcludedCookies, ",")

 	// Write changes to database
 	ar.options.Database.Write(DatabaseTable, DatabaseKeyAddress, address)
 	ar.options.Database.Write(DatabaseTable, DatabaseKeyResponseHeaders, responseHeaders)
+	ar.options.Database.Write(DatabaseTable, DatabaseKeyResponseClientHeaders, responseClientHeaders)
+	ar.options.Database.Write(DatabaseTable, DatabaseKeyRequestHeaders, requestHeaders)
 	ar.options.Database.Write(DatabaseTable, DatabaseKeyRequestExcludedCookies, requestExcludedCookies)

 	utils.SendOK(w)
@ -134,8 +153,7 @@ func (ar *AuthRouter) HandleAuthProviderRouting(w http.ResponseWriter, r *http.R
 	}

 	// TODO: Add opt-in support for copying the request body to the forward auth request.
-	// TODO: Add support for customizing which headers are copied from the request to the forward auth request.
-	headerCopyExcluded(r.Header, req.Header, nil)
+	headerCopyIncluded(r.Header, req.Header, ar.options.RequestHeaders, true)

 	// TODO: Add support for upstream headers.
 	rSetForwardedHeaders(r, req)
@ -163,16 +181,20 @@ func (ar *AuthRouter) HandleAuthProviderRouting(w http.ResponseWriter, r *http.R

 	// Responses within the 200-299 range are considered successful and allow the proxy to handle the request.
 	if respForwarded.StatusCode >= http.StatusOK && respForwarded.StatusCode < http.StatusMultipleChoices {
-		// TODO: Add support for copying response headers to the response (in the user agent), not just the request.
+		if len(ar.options.ResponseClientHeaders) != 0 {
+			headerCopyIncluded(respForwarded.Header, w.Header(), ar.options.ResponseClientHeaders, false)
+		}

-		if len(ar.options.ResponseHeaders) != 0 {
+		if len(ar.options.RequestExcludedCookies) != 0 {
 			// If the user has specified a list of cookies to be removed from the request, deterministically remove them.
 			headerCookieRedact(r, ar.options.RequestExcludedCookies)
 		}

-		// Copy specific user-specified headers from the response of the forward auth request to the request sent to the
-		// upstream server/next hop.
-		headerCopyIncluded(respForwarded.Header, w.Header(), ar.options.ResponseHeaders)
+		if len(ar.options.ResponseHeaders) != 0 {
+			// Copy specific user-specified headers from the response of the forward auth request to the request sent to the
+			// upstream server/next hop.
+			headerCopyIncluded(respForwarded.Header, w.Header(), ar.options.ResponseHeaders, false)
+		}

 		return nil
 	}
@ -235,18 +257,35 @@ func headerCopyExcluded(original, destination http.Header, excludedHeaders []str
 	}
 }

-func headerCopyIncluded(original, destination http.Header, includedHeaders []string) {
+func headerCopyIncluded(original, destination http.Header, includedHeaders []string, allIfEmpty bool) {
+	if allIfEmpty && len(includedHeaders) == 0 {
+		headerCopyAll(original, destination)
+	} else {
+		headerCopyIncludedExact(original, destination, includedHeaders)
+	}
+}
+
+func headerCopyAll(original, destination http.Header) {
 	for key, values := range original {
 		// We should never copy the headers in the below list, even if they're in the list provided by a user.
 		if stringInSliceFold(key, doNotCopyHeaders) {
 			continue
 		}

-		if !stringInSliceFold(key, includedHeaders) {
+		destination[key] = append(destination[key], values...)
+	}
+}
+
+func headerCopyIncludedExact(original, destination http.Header, keys []string) {
+	for _, key := range keys {
+		// We should never copy the headers in the below list, even if they're in the list provided by a user.
+		if stringInSliceFold(key, doNotCopyHeaders) {
 			continue
 		}

-		destination[key] = append(destination[key], values...)
+		if values, ok := original[key]; ok {
+			destination[key] = append(destination[key], values...)
+		}
 	}
 }

--- a/src/mod/dynamicproxy/default.go
+++ b/src/mod/dynamicproxy/default.go
@ -23,6 +23,8 @@ func GetDefaultAuthenticationProvider() *AuthenticationProvider {
 		BasicAuthGroupIDs:                 []string{},
 		ForwardAuthURL:                    "",
 		ForwardAuthResponseHeaders:        []string{},
+		ForwardAuthResponseClientHeaders:  []string{},
+		ForwardAuthRequestHeaders:         []string{},
 		ForwardAuthRequestExcludedCookies: []string{},
 	}
 }
--- a/src/mod/dynamicproxy/typedef.go
+++ b/src/mod/dynamicproxy/typedef.go
@ -155,6 +155,8 @@ type AuthenticationProvider struct {
 	/* Forward Auth Settings */
 	ForwardAuthURL                    string   // Full URL of the Forward Auth endpoint. Example: https://auth.example.com/api/authz/forward-auth
 	ForwardAuthResponseHeaders        []string // List of headers to copy from the forward auth server response to the request.
+	ForwardAuthResponseClientHeaders  []string // List of headers to copy from the forward auth server response to the client response.
+	ForwardAuthRequestHeaders         []string // List of headers to copy from the original request to the auth server. If empty all are copied.
 	ForwardAuthRequestExcludedCookies []string // List of cookies to exclude from the request after sending it to the forward auth server.
 }

--- a/src/web/components/sso.html
+++ b/src/web/components/sso.html
@ -41,12 +41,22 @@
                    <div class="field">
                        <label for="forwardAuthResponseHeaders">Response Headers</label>
                        <input type="text" id="forwardAuthResponseHeaders" name="forwardAuthResponseHeaders" placeholder="Enter Forward Auth Response Headers">
-                        <small>Comma separated list of case-insensitive headers to copy from the authorization servers response, to the request to the backend. <strong>Example:</strong> <code>Remote-User,Remote-Groups,Remote-Email,Remote-Name</code></small>
+                        <small>Comma separated list of case-insensitive headers to copy from the authorization servers response to the request sent to the backend. If not set no headers are copied. <strong>Example:</strong> <code>Remote-User,Remote-Groups,Remote-Email,Remote-Name</code></small>
+                    </div>
+                    <div class="field">
+                        <label for="forwardAuthResponseClientHeaders">Response Client Headers</label>
+                        <input type="text" id="forwardAuthResponseClientHeaders" name="forwardAuthResponseClientHeaders" placeholder="Enter Forward Auth Response Client Headers">
+                        <small>Comma separated list of case-insensitive headers to copy from the authorization servers response to the response sent to the client. If not set no headers are copied. <strong>Example:</strong> <code>Set-Cookie,WWW-Authenticate</code></small>
+                    </div>
+                    <div class="field">
+                        <label for="forwardAuthRequestHeaders">Request Headers</label>
+                        <input type="text" id="forwardAuthRequestHeaders" name="forwardAuthRequestHeaders" placeholder="Enter Forward Auth Request Headers">
+                        <small>Comma separated list of case-insensitive headers to copy from the original request to the request made to the authorization server. If not set all headers are copied. <strong>Example:</strong> <code>Cookie,Authorization</code></small>
                    </div>
                    <div class="field">
                        <label for="forwardAuthRequestExcludedCookies">Request Excluded Cookies</label>
                        <input type="text" id="forwardAuthRequestExcludedCookies" name="forwardAuthRequestExcludedCookies" placeholder="Enter Forward Auth Request Excluded Cookies">
-                        <small>Comma separated list of case-sensitive cookie names to exclude from the request to the backend. <strong>Example:</strong> <code>authelia_session,another_session</code></small>
+                        <small>Comma separated list of case-sensitive cookie names to exclude from the request to the backend. If not set no cookies are excluded. <strong>Example:</strong> <code>authelia_session,another_session</code></small>
                    </div>
                </div>
            </div><br />
@ -65,6 +75,8 @@
            success: function(data) {
                $('#forwardAuthAddress').val(data.address);
                $('#forwardAuthResponseHeaders').val(data.responseHeaders.join(","));
+                $('#forwardAuthResponseClientHeaders').val(data.responseClientHeaders.join(","));
+                $('#forwardAuthRequestHeaders').val(data.requestHeaders.join(","));
                $('#forwardAuthRequestExcludedCookies').val(data.requestExcludedCookies.join(","));
            },
            error: function(jqXHR, textStatus, errorThrown) {
@ -76,9 +88,11 @@
    function updateForwardAuthSettings() {
        const address = $('#forwardAuthAddress').val();
        const responseHeaders = $('#forwardAuthResponseHeaders').val();
+        const responseClientHeaders = $('#forwardAuthResponseClientHeaders').val();
+        const requestHeaders = $('#forwardAuthRequestHeaders').val();
        const requestExcludedCookies = $('#forwardAuthRequestExcludedCookies').val();

-        console.log(`Updating Forward Auth settings. Address: ${address}. Response Headers: ${responseHeaders}. Request Excluded Cookies: ${requestExcludedCookies}.`);
+        console.log(`Updating Forward Auth settings. Address: ${address}. Response Headers: ${responseHeaders}. Response Client Headers: ${responseClientHeaders}. Request Headers: ${requestHeaders}. Request Excluded Cookies: ${requestExcludedCookies}.`);

        $.cjax({
            url: '/api/sso/forward-auth',
@ -86,6 +100,8 @@
            data: {
                address: address,
                responseHeaders: responseHeaders,
+                responseClientHeaders: responseClientHeaders,
+                requestHeaders: requestHeaders,
                requestExcludedCookies: requestExcludedCookies
            },
            success: function(data) {