What should the feature do:
The auth service could pass the raw ID Token to downstream requests in the session_authenticator after verifying the cookie, in a header set as per the env variable AUTH_HEADER
What is use case behind this feature:
Downstream requests behind this auth service could handle custom authorization if they have access to the whole IDToken and not just the username.
Additional Information:
This was being done previously but removed recently with the new updates as shown here
@SachinVarghese if I may ask, what do you need the IDToken for? You can get the ID from the HTTP headers (username and groups). Is there anything else missing?
Hi @yanniszark, the IDToken provides additional info like user email and other extra details missing in the headers currently.
Also, more importantly, the raw ID token could be useful to make requests to another service behind the auth service. For example, a potential use case would be a Kubeflow pipeline task needing to make a Seldon Core inference using the same credentials as the user who triggered the pipeline run via the auth service. It would be great to know if you have any ideas.
Another thing enabled by forwarding the id token is that, if desired, the backend service could verify the token / signature for an extra layer of security.
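The backend-side check mentioned in the comment above, as an added example that is not part of the thread or of oidc-authservice: a downstream Go service re-verifies the forwarded raw ID token instead of trusting the header value. It assumes an RS256-signed token with a single-string aud and a provider public key that is already loaded; Verify, Claims, sampleToken and the claim values used with them are hypothetical.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"strings"
	"time"
)

var b64 = base64.RawURLEncoding // JWS segments are unpadded base64url

type Claims struct {
	Iss, Aud, Email string // assumption: aud is a single string, not an array
	Exp             int64
}

// Verify re-checks a raw ID token read from the forwarded header (hypothetical helper).
func Verify(raw string, key *rsa.PublicKey, iss, aud string, now time.Time) (*Claims, error) {
	p := strings.Split(raw, ".")
	var hdr struct{ Alg string }
	hb, err := b64.DecodeString(p[0])
	if len(p) != 3 || err != nil || json.Unmarshal(hb, &hdr) != nil || hdr.Alg != "RS256" {
		return nil, errors.New("malformed token, or alg is not the pinned RS256")
	}
	sig, err := b64.DecodeString(p[2])
	sum := sha256.Sum256([]byte(p[0] + "." + p[1]))
	if err != nil || rsa.VerifyPKCS1v15(key, crypto.SHA256, sum[:], sig) != nil {
		return nil, errors.New("signature does not verify")
	}
	var c Claims
	pb, err := b64.DecodeString(p[1])
	if err != nil || json.Unmarshal(pb, &c) != nil || c.Iss != iss || c.Aud != aud || now.Unix() >= c.Exp {
		return nil, errors.New("issuer, audience or expiry check failed")
	}
	return &c, nil
}

// sampleToken signs constructed claims with a throwaway key standing in for the provider's.
func sampleToken(claims string) (string, *rsa.PublicKey) {
	priv, _ := rsa.GenerateKey(rand.Reader, 2048)
	body := b64.EncodeToString([]byte(`{"alg":"RS256"}`)) + "." + b64.EncodeToString([]byte(claims))
	sum := sha256.Sum256([]byte(body))
	sig, _ := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, sum[:])
	return body + "." + b64.EncodeToString(sig), &priv.PublicKey
}
```

In a real service the key would come from the provider's JWKS endpoint, and the token would be read from the header named by the AUTH_HEADER value configured on the auth service.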
@asetty @SachinVarghese thanks, I think this makes sense. The current authenticator abstraction can't access the ResponseWriter, so the first step would be to plumb it through and make it available in the authenticator code. Or alternatively, expose some functionality to set headers/cookies in the authenticator.
Referenced code: oidc-authservice/server.go, line 102 in e0dac5d