greenpau/caddy-security

Injected headers not forwarded to underlying application.

MrChadMWood opened this issue · 0 comments

Describe the issue
The inject header directive does not seem to make the headers appear for the application.

Configuration

{
	order authenticate before respond
	order authorize before basicauth

	security {
		oauth identity provider cognito-idp {
			driver cognito
			realm cognito-idp
			client_id {env.COGNITO_CLIENT_ID}
			client_secret {env.COGNITO_CLIENT_SECRET}
			user_pool_id {env.COGNITO_POOL_ID}
			region us-west-1
			icon "AWS Cognito US" "aws"
		}

		authentication portal cognito-portal {
			crypto default token lifetime 3600
			crypto key sign-verify {env.JWT_SHARED_KEY}
			enable identity provider cognito-idp
			cookie domain mysite.link
			transform user {
				match realm cognito-idp
				action add role authp/user
			}
			transform user {
				match email thisisme@mysite.link
				action add role authp/admin
			}
		}

		authorization policy cognito-auth-user {
			set auth url https://auth.mysite.link
			allow roles authp/admin authp/user
			crypto key verify {env.JWT_SHARED_KEY}
			inject header "X-User-Email" from "userinfo|email"
		}

		authorization policy cognito-auth-admin {
			set auth url https://auth.mysite.link
			allow roles authp/admin
			crypto key verify {env.JWT_SHARED_KEY}
			inject header "X-User-Email" from "userinfo|email"
		}
	}
}

(tls_config) {
	tls {
		dns route53 {
			max_retries 10
		}
	}
}

auth.mysite.link {
	import tls_config
	route {
		authenticate with cognito-portal
	}
}

app.mysite.link {
	import tls_config
	authorize with cognito-auth-admin
	reverse_proxy 10.0.2.209:80
}

Version Information

caddy list-modules --versions | grep -E "(auth|security)" below:

/etc/caddy # caddy list-modules --versions | grep -E "(auth|security)"
http.authentication.hashes.bcrypt v2.7.6
http.authentication.hashes.scrypt v2.7.6
http.authentication.providers.http_basic v2.7.6
http.handlers.authentication v2.7.6
tls.client_auth.leaf v2.7.6
http.authentication.providers.authorizer v1.1.29
http.handlers.authenticator v1.1.29
security v1.1.29

Expected behavior

Perhaps I am misunderstanding, but I expected the header to be propagated down to the application being proxied to.

Authorization policy contains:

inject header "X-User-Email" from "userinfo|email"

app.mysite.link would get this header:

{"X-User-Email": "thisisme@mysite.link"}

Additional context

Possible duplicate of: #325
I don't know if the solution there will work in my case. It seems to concern redirects. I just want the user email available from a header for the application being proxied to.
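To check what actually reaches the proxied application, here is a throwaway upstream (an added example, not caddy-security's code and not the reporter's) that echoes every request header it receives as JSON. Point `reverse_proxy` at it instead of the real app (the listen port 8080 is an assumption), request `app.mysite.link` through Caddy, and the `injected_header_present` flag in the response tells you whether `X-User-Email` survived the hop.

```python
# Minimal upstream that echoes received request headers as JSON, so you can
# confirm whether the `inject header` value arrives behind `reverse_proxy`.
import json
from http.server import BaseHTTPRequestHandler, HTTPServer

EXPECTED_HEADER = "X-User-Email"   # the header the authorization policy injects
LISTEN_ADDR = ("0.0.0.0", 8080)    # assumed port; adjust reverse_proxy to match


def summarize_headers(header_pairs):
    """Return the received headers plus a flag for the injected header.

    header_pairs: iterable of (name, value) tuples as the server received them.
    Header names are compared case-insensitively, as HTTP requires.
    """
    received = {name: value for name, value in header_pairs}
    present = any(name.lower() == EXPECTED_HEADER.lower() for name in received)
    return {"headers": received, "injected_header_present": present}


class EchoHandler(BaseHTTPRequestHandler):
    def do_GET(self):
        # self.headers.items() yields (name, value) pairs for the request
        summary = summarize_headers(self.headers.items())
        body = json.dumps(summary, indent=2).encode()
        self.send_response(200)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, fmt, *args):
        # Keep stdout quiet; the JSON body is the signal we care about.
        pass


if __name__ == "__main__":
    HTTPServer(LISTEN_ADDR, EchoHandler).serve_forever()
```

Besides showing whether the header is missing, the echoed list is also the place to confirm that a value a client sends itself for `X-User-Email` is replaced by the one the proxy derives from the token, since the application will treat that header as the authenticated identity.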