[authproxy] Allow use both header group and config groups

Signed-off-by: Thierry Sallé <[email protected]>
dexidp · Jan 14, 2022 · 6d6f64a · 6d6f64a
1 parent 0bb8797
commit 6d6f64a
Show file tree

Hide file tree

Showing 2 changed files with 20 additions and 9 deletions.
diff --git a/README.md b/README.md
@@ -75,7 +75,7 @@ Dex implements the following connectors:
 | [Google](https://dexidp.io/docs/connectors/google/) | yes | yes | yes | alpha | |
 | [LinkedIn](https://dexidp.io/docs/connectors/linkedin/) | yes | no | no | beta | |
 | [Microsoft](https://dexidp.io/docs/connectors/microsoft/) | yes | yes | no | beta | |
-| [AuthProxy](https://dexidp.io/docs/connectors/authproxy/) | no | no | no | alpha | Authentication proxies such as Apache2 mod_auth, etc. |
+| [AuthProxy](https://dexidp.io/docs/connectors/authproxy/) | no | yes | no | alpha | Authentication proxies such as Apache2 mod_auth, etc. |
 | [Bitbucket Cloud](https://dexidp.io/docs/connectors/bitbucketcloud/) | yes | yes | no | alpha | |
 | [OpenShift](https://dexidp.io/docs/connectors/openshift/) | no | yes | no | alpha | |
 | [Atlassian Crowd](https://dexidp.io/docs/connectors/atlassiancrowd/) | yes | yes | yes * | beta | preferred_username claim must be configured through config |

diff --git a/connector/authproxy/authproxy.go b/connector/authproxy/authproxy.go
@@ -15,8 +15,9 @@ import (
 // Config holds the configuration parameters for a connector which returns an
 // identity with the HTTP header X-Remote-User as verified email.
 type Config struct {
-	UserHeader string   `json:"userHeader"`
-	Groups     []string `json:"groups"`
+	UserHeader  string   `json:"userHeader"`
+	GroupHeader string   `json:"groupHeader"`
+	Groups      []string `json:"groups"`
 }
 
 // Open returns an authentication strategy which requires no user interaction.
@@ -25,17 +26,22 @@ func (c *Config) Open(id string, logger log.Logger) (connector.Connector, error)
 	if userHeader == "" {
 		userHeader = "X-Remote-User"
 	}
+	groupHeader := c.GroupHeader
+	if groupHeader == "" {
+		groupHeader = "X-Remote-Group"
+	}
 
-	return &callback{userHeader: userHeader, logger: logger, pathSuffix: "/" + id, groups: c.Groups}, nil
+	return &callback{userHeader: userHeader, groupHeader: groupHeader, logger: logger, pathSuffix: "/" + id, groups: c.Groups}, nil
 }
 
 // Callback is a connector which returns an identity with the HTTP header
 // X-Remote-User as verified email.
 type callback struct {
-	userHeader string
-	groups     []string
-	logger     log.Logger
-	pathSuffix string
+	userHeader  string
+	groupHeader string
+	groups      []string
+	logger      log.Logger
+	pathSuffix  string
 }
 
 // LoginURL returns the URL to redirect the user to login with.
@@ -57,12 +63,17 @@ func (m *callback) HandleCallback(s connector.Scopes, r *http.Request) (connecto
 	if remoteUser == "" {
 		return connector.Identity{}, fmt.Errorf("required HTTP header %s is not set", m.userHeader)
 	}
+	groups := m.groups
+	headerGroup := r.Header.Get(m.groupHeader)
+	if headerGroup != "" {
+		groups = append(groups, headerGroup)
+	}
 	// TODO: add support for X-Remote-Group, see
 	// https://kubernetes.io/docs/admin/authentication/#authenticating-proxy
 	return connector.Identity{
 		UserID:        remoteUser, // TODO: figure out if this is a bad ID value.
 		Email:         remoteUser,
 		EmailVerified: true,
-		Groups:        m.groups,
+		Groups:        groups,
 	}, nil
 }