Support custom authorization header for access token extraction (#63)

* add: Support custom authorization header for access token extraction

Signed-off-by: fsul7o <[email protected]>

* fix go.mod

Signed-off-by: fsul7o <[email protected]>

---------

Signed-off-by: fsul7o <[email protected]>

Author: fsul7o

config/config.go

@@ -279,7 +279,7 @@ type AccessToken struct {
 	// CertOffsetDuration represents the certificate issue time offset when comparing with the issue time of the access token. (for usecase: new cert + old token)
 	CertOffsetDuration string `yaml:"certOffsetDuration"`
 
-	// AccessTokenAuthHeader represents the request header key for extracting the access token. (gRPC only, Not supported in HTTP)
+	// AccessTokenAuthHeader represents the request header key for extracting the access token.
 	AccessTokenAuthHeader string `yaml:"accessTokenAuthHeader"`
 }
 

config/config_test.go

@@ -213,8 +213,9 @@ func TestNew(t *testing.T) {
 							"common_name1": {"client_id1", "client_id2"},
 							"common_name2": {"client_id1", "client_id2"},
 						},
-						CertBackdateDuration: "1h",
-						CertOffsetDuration:   "1h",
+						CertBackdateDuration:  "1h",
+						CertOffsetDuration:    "1h",
+						AccessTokenAuthHeader: "Authorization",
 					},
 					RoleToken: RoleToken{
 						Enable:         true,

go.mod

@@ -4,7 +4,7 @@ go 1.25.3
 
 replace (
 	cloud.google.com/go => cloud.google.com/go v0.123.0
-	github.com/AthenZ/athenz-authorizer/v5 => github.com/AthenZ/athenz-authorizer/v5 v5.7.0
+	github.com/AthenZ/athenz-authorizer/v5 => github.com/AthenZ/athenz-authorizer/v5 v5.8.0
 	github.com/kpango/gache/v2 => github.com/kpango/gache/v2 v2.1.1
 	github.com/kpango/glg => github.com/kpango/glg v1.6.15
 	github.com/mwitkow/grpc-proxy => github.com/mwitkow/grpc-proxy v0.0.0-20250813121105-2866842de9a5
@@ -53,7 +53,6 @@ require (
 	github.com/json-iterator/go v1.1.12 // indirect
 	github.com/klauspost/cpuid/v2 v2.3.0 // indirect
 	github.com/kpango/fastime v1.1.10 // indirect
-	github.com/kr/text v0.2.0 // indirect
 	github.com/lestrrat-go/blackmagic v1.0.4 // indirect
 	github.com/lestrrat-go/dsig v1.0.0 // indirect
 	github.com/lestrrat-go/dsig-secp256k1 v1.0.0 // indirect
@@ -82,7 +81,6 @@ require (
 	go.opentelemetry.io/otel/trace v1.38.0 // indirect
 	go.opentelemetry.io/proto/otlp v1.8.0 // indirect
 	go.yaml.in/yaml/v2 v2.4.3 // indirect
-	golang.org/x/crypto v0.43.0 // indirect
 	golang.org/x/net v0.46.0 // indirect
 	golang.org/x/sys v0.37.0 // indirect
 	golang.org/x/text v0.30.0 // indirect

go.sum

@@ -121,6 +121,7 @@ authorization:
         - client_id2
     certBackdateDuration: 1h
     certOffsetDuration: 1h
+    accessTokenAuthHeader: Authorization
   roleToken:
     enable: true
     roleAuthHeader: Athenz-Role-Auth

test/data/example_config.yaml

@@ -271,6 +271,9 @@ func newAuthzD(cfg config.Config) (service.Authorizationd, error) {
 	var atOpts []authorizerd.Option
 	var jwkOpts []authorizerd.Option
 	if authzCfg.AccessToken.Enable {
+		if authzCfg.AccessToken.AccessTokenAuthHeader == "" {
+			authzCfg.AccessToken.AccessTokenAuthHeader = "Authorization"
+		}
 		atOpts = []authorizerd.Option{
 			authorizerd.WithAccessTokenParam(
 				authorizerd.NewAccessTokenParam(
@@ -280,6 +283,7 @@ func newAuthzD(cfg config.Config) (service.Authorizationd, error) {
 					authzCfg.AccessToken.CertOffsetDuration,
 					authzCfg.AccessToken.VerifyClientID,
 					authzCfg.AccessToken.AuthorizedClientIDs,
+					authzCfg.AccessToken.AccessTokenAuthHeader,
 				),
 			),
 		}
@@ -300,6 +304,7 @@ func newAuthzD(cfg config.Config) (service.Authorizationd, error) {
 					"0h",
 					false,
 					nil,
+					"",
 				),
 			),
 		}

usecase/authz_proxyd.go

@@ -1054,6 +1054,60 @@ func Test_newAuthzD(t *testing.T) {
 			},
 			want: true,
 		},
+		{
+			name: "test success access token enable with custom AccessTokenAuthHeader",
+			args: args{
+				cfg: config.Config{
+					Authorization: config.Authorization{
+						PublicKey: config.PublicKey{
+							SysAuthDomain:   "10s",
+							ETagExpiry:      "10s",
+							ETagPurgePeriod: "10s",
+						},
+						Policy: config.Policy{
+							ExpiryMargin:  "10s",
+							RefreshPeriod: "10s",
+							PurgePeriod:   "10s",
+						},
+						AccessToken: config.AccessToken{
+							Enable:                true,
+							AccessTokenAuthHeader: "X-Auth-Token",
+						},
+					},
+					Athenz: config.Athenz{
+						URL: "dummy-athenz-url",
+					},
+				},
+			},
+			want: true,
+		},
+		{
+			name: "test success access token enable with empty AccessTokenAuthHeader defaults to Authorization",
+			args: args{
+				cfg: config.Config{
+					Authorization: config.Authorization{
+						PublicKey: config.PublicKey{
+							SysAuthDomain:   "10s",
+							ETagExpiry:      "10s",
+							ETagPurgePeriod: "10s",
+						},
+						Policy: config.Policy{
+							ExpiryMargin:  "10s",
+							RefreshPeriod: "10s",
+							PurgePeriod:   "10s",
+						},
+						AccessToken: config.AccessToken{
+							Enable:                true,
+							AccessTokenAuthHeader: "",
+						},
+					},
+					Athenz: config.Athenz{
+						URL: "dummy-athenz-url",
+					},
+				},
+			},
+			want: true,
+		},
 		{
 			name: "test success policy disable",
 			args: args{