Injected headers not forwarded to underlying application. #346

Open
MrChadMWood opened this issue Jun 17, 2024 · 0 comments


MrChadMWood commented Jun 17, 2024

Describe the issue
The directive to inject headers does not seem to make the headers appear for the application.

Configuration

{
  order authenticate before respond
  order authorize before basicauth

  security {
    oauth identity provider cognito-idp {
      driver cognito
      realm cognito-idp
      client_id {env.COGNITO_CLIENT_ID}
      client_secret {env.COGNITO_CLIENT_SECRET}
      user_pool_id {env.COGNITO_POOL_ID}
      region us-west-1
      icon "AWS Cognito US" "aws"
    }

    authentication portal cognito-portal {
      crypto default token lifetime 3600
      crypto key sign-verify {env.JWT_SHARED_KEY}
      enable identity provider cognito-idp
      cookie domain mysite.link
      transform user {
        match realm cognito-idp
        action add role authp/user
      }
      transform user {
        match email [email protected]
        action add role authp/admin
      }
    }

    authorization policy cognito-auth-user {
      set auth url https://auth.mysite.link
      allow roles authp/admin authp/user
      crypto key verify {env.JWT_SHARED_KEY}
      inject header "X-User-Email" from "userinfo|email"
    }

    authorization policy cognito-auth-admin {
      set auth url https://auth.mysite.link
      allow roles authp/admin
      crypto key verify {env.JWT_SHARED_KEY}
      inject header "X-User-Email" from "userinfo|email"
    }
  }
}

(tls_config) {
  tls {
    dns route53 {
      max_retries 10
    }
  }
}

auth.mysite.link {
  import tls_config
  route {
    authenticate with cognito-portal
  }
}

app.mysite.link {
  import tls_config
  authorize with cognito-auth-admin
  reverse_proxy 10.0.2.209:80
}

Version Information

caddy list-modules --versions | grep -E "(auth|security)" below:

/etc/caddy # caddy list-modules --versions | grep -E "(auth|security)"
http.authentication.hashes.bcrypt v2.7.6
http.authentication.hashes.scrypt v2.7.6
http.authentication.providers.http_basic v2.7.6
http.handlers.authentication v2.7.6
tls.client_auth.leaf v2.7.6
http.authentication.providers.authorizer v1.1.29
http.handlers.authenticator v1.1.29
security v1.1.29

Expected behavior

Perhaps I am misunderstanding, but I expected the header to be propagated down to the application being proxied to.

Authorization policy contains:

inject header "X-User-Email" from "userinfo|email"

app.mysite.link would get this header:

{"X-User-Email": "[email protected]"}

Additional context

Possible duplicate of: #325
I don't know if the solution there will work in my case. It seems to be concerning redirects. I just want the user email available from a header, for the application being proxied to.
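A quick way to see what the proxied application actually receives is to stand up a throwaway upstream that echoes its request headers back as JSON. The following is an added example, not code from this issue or from caddy-security; it assumes the `reverse_proxy` target in the `app.mysite.link` block can be temporarily pointed at the port this server listens on (default 8080, a constructed value).

```python
import json
import sys
from http.server import BaseHTTPRequestHandler, HTTPServer

# Header named by the `inject header` directive in the authorization policy.
INJECTED_HEADER = "X-User-Email"


def classify_headers(headers):
    """Summarise which identity-related headers an upstream actually received.

    `headers` is a mapping of header name -> value; lookup is case-insensitive,
    since the proxy may canonicalise the name before forwarding it.
    """
    lower = {name.lower(): value for name, value in headers.items()}
    email = lower.get(INJECTED_HEADER.lower())
    return {
        "injected_header_present": email is not None,
        "x_user_email": email,
        # Caddy's reverse_proxy sets this; its presence shows the request came
        # through the proxy rather than reaching the upstream directly.
        "x_forwarded_for": lower.get("x-forwarded-for"),
        "received_headers": sorted(lower),
    }


class HeaderEchoHandler(BaseHTTPRequestHandler):
    """Upstream stand-in: replies with a JSON report of the headers it saw."""

    def do_GET(self):
        report = classify_headers(dict(self.headers.items()))
        body = json.dumps(report, indent=2).encode()
        self.send_response(200)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, fmt, *args):
        # Print each request to stdout so the check is visible in the terminal.
        sys.stdout.write("%s - %s\n" % (self.address_string(), fmt % args))


if __name__ == "__main__":
    # Constructed default port; pass another port as the first argument.
    port = int(sys.argv[1]) if len(sys.argv) > 1 else 8080
    HTTPServer(("0.0.0.0", port), HeaderEchoHandler).serve_forever()
```

Browsing to the app through the authorization policy then shows directly whether `X-User-Email` arrived at the upstream or was dropped somewhere between `authorize` and `reverse_proxy`.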
