Add possibility to specify claims from id token for upstream headers (#676)

Author: p53

.github/workflows/build.yml

@@ -28,6 +28,8 @@ jobs:
         uses: AbsaOSS/k3d-action@v2.4.0
         with:
           cluster-name: "testcluster"
+          with:
+            k3d-version: v5.8.3
           args: >-
             -p "8443:443@loadbalancer"
       - name: "Deploy keycloak"

docs/content/_index.md

@@ -751,7 +751,7 @@ option is set to `true`.
 
 ## Custom claim headers
 
-You can inject additional claims from the access token into the
+You can inject additional claims from the access token and from version 4.6.0 also from ID token into the
 upstream headers with the `--add-claims` option. For example, a
 token from a Keycloak provider might include the following
 claims:

docs/content/configuration/_index.md

@@ -157,6 +157,7 @@ weight: 2
 |    \--enable-logout-auth                     | enable authentication on logout handler | true | PROXY_ENABLE_LOGOUT_AUTH
 |    \--enable-request-upstream-compression    | enables asking upstream for compression, by adding Accept-Encoding: gzip header and decompressing response from upstream | true | PROXY_ENABLE_REQUEST_UPSTREAM_COMPRESSION
 |    \--enable-accept-encoding-header          | pass Accept-Encoding header from client to upstream | false | PROXY_ENABLE_ACCEPT_ENCODING_HEADER
+|    \--enable-id-token-claims                 | extract claims also from ID token, you can then use --add-claims option to specify claims from ID token | false | PROXY_ENABLE_ID_TOKEN_CLAIMS
 |    \--enable-loa                             | enable level of authentication            | false |
 |    \--enable-store-ha                        | enable RedisCluster HA client             | false | PROXY_ENABLE_STORE_HA
 |    \--disable-all-logging                    | disables all logging to stdout and stderr | false | PROXY_DISABLE_ALL_LOGGING

e2e/e2e_test.go

@@ -591,6 +591,9 @@ var _ = Describe("Code Flow login/logout", func() {
 			"--post-login-redirect-path=" + postLoginRedirectPath,
 			"--enable-register-handler=true",
 			"--enable-encrypted-token=false",
+			"--enable-id-token-claims=true",
+			"--enable-id-token-cookie=true",
+			"--add-claims=email_verified",
 			"--enable-pkce=false",
 			"--tls-cert=" + tlsCertificate,
 			"--tls-private-key=" + tlsPrivateKey,
@@ -650,8 +653,9 @@ var _ = Describe("Code Flow login/logout", func() {
 				Expect(err).NotTo(HaveOccurred())
 				Expect(resp.Header().Get("Proxy-Accepted")).To(Equal("true"))
 				body = resp.Body()
-				Expect(strings.Contains(string(body), anyURI)).To(BeTrue())
 				Expect(resp.StatusCode()).To(Equal(http.StatusOK))
+				Expect(strings.Contains(string(body), anyURI)).To(BeTrue())
+				Expect(body).To(ContainSubstring("X-Auth-Email-Verified"))
 
 				By("log out")
 				resp, err = rClient.R().Get(proxyAddress + logoutURI)

e2e/k8s/manifest.yml

@@ -1011,7 +1011,7 @@ data:
                 "userinfo.token.claim": "true",
                 "user.attribute": "emailVerified",
                 "id.token.claim": "true",
-                "access.token.claim": "true",
+                "access.token.claim": "false",
                 "claim.name": "email_verified",
                 "jsonType.label": "boolean"
               }

pkg/apperrors/apperrors.go

@@ -61,6 +61,7 @@ var (
 	ErrDecryptTokenSignature          = errors.New("unable to decrypt token signature")
 	ErrDecompressToken                = errors.New("unable to decompress token")
 	ErrDecryptAndDecompressToken      = errors.New("unable to decrypt and decompress token")
+	ErrExtractIDTokenClaims           = errors.New("problem extracting idToken claims")
 
 	ErrDelTokFromStore = errors.New("failed to remove old token")
 	ErrSaveTokToStore  = errors.New("failed to store refresh token")
@@ -252,4 +253,5 @@ var (
 	ErrNegativeisPatRetryCount          = errors.New("pat retry count must be greater than zero")
 	ErrEnableTokenCompression           = errors.New("cannot enable token compression " +
 		"with optional token encryption")
+	ErrEnableIDTokenClaims = errors.New("enable id token claims requires also enable-id-token-cookie option")
 )

pkg/keycloak/config/config.go

@@ -200,6 +200,7 @@ type Config struct {
 	EnableLogoutAuth                   bool `env:"ENABLE_LOGOUT_AUTH" json:"enable-logout-auth" usage:"enable authentication on logout handler" yaml:"enable-logout-auth"`
 	EnableRequestUpstreamCompression   bool `env:"ENABLE_REQUEST_UPSTREAM_COMPRESSION" json:"enable-request-upstream-compression" usage:"enables asking upstream for compression, by adding Accept-Encoding: gzip header and decompressing response from upstream" yaml:"enable-request-upstream-compression"`
 	EnableAcceptEncodingHeader         bool `env:"ENABLE_ACCEPT_ENCODING_HEADER" json:"enable-accept-encoding-header" usage:"pass Accept-Encoding header from client to upstream" yaml:"enable-accept-encoding-header"`
+	EnableIDTokenClaims                bool `env:"ENABLE_ID_TOKEN_CLAIMS" json:"enable-id-token-claims" usage:"extract claims also from id token, you can then use --add-claims option to specify claims from id token" yaml:"enable-id-token-claims"`
 	IsDiscoverURILegacy                bool
 }
 
@@ -658,6 +659,7 @@ func (r *Config) isReverseProxySettingsValid() error {
 			r.isEnableXForwardedHeadersValid,
 			r.isEnableOptionalEncryptionValid,
 			r.isEnableLogoutAuthValid,
+			r.isEnableIDTokenClaimsValid,
 		}
 
 		for _, validationFunc := range validationRegistry {
@@ -1168,3 +1170,11 @@ func (r *Config) isEnableCompressTokenValid() error {
 
 	return nil
 }
+
+func (r *Config) isEnableIDTokenClaimsValid() error {
+	if r.EnableIDTokenClaims && !r.EnableIDTokenCookie {
+		return apperrors.ErrEnableIDTokenClaims
+	}
+
+	return nil
+}

pkg/keycloak/config/config_test.go

@@ -3380,3 +3380,52 @@ func TestIsEnableCompressTokenValid(t *testing.T) {
 		)
 	}
 }
+
+func TestIsEnableIDTokenClaimsValid(t *testing.T) {
+	testCases := []struct {
+		Name   string
+		Config *Config
+		Valid  bool
+	}{
+		{
+			Name: "ValidEnableIDTokenClaims",
+			Config: &Config{
+				EnableIDTokenClaims: true,
+				EnableIDTokenCookie: true,
+			},
+			Valid: true,
+		},
+		{
+			Name: "ValidDisabledEnableIDTokenClaims",
+			Config: &Config{
+				EnableIDTokenClaims: false,
+				EnableIDTokenCookie: false,
+			},
+			Valid: true,
+		},
+		{
+			Name: "InValidEnableIDTokenClaimsValid",
+			Config: &Config{
+				EnableIDTokenClaims: true,
+				EnableIDTokenCookie: false,
+			},
+			Valid: false,
+		},
+	}
+
+	for _, testCase := range testCases {
+		t.Run(
+			testCase.Name,
+			func(t *testing.T) {
+				err := testCase.Config.isEnableIDTokenClaimsValid()
+				if err != nil && testCase.Valid {
+					t.Fatalf("Expected test not to fail")
+				}
+
+				if err == nil && !testCase.Valid {
+					t.Fatalf("Expected test to fail")
+				}
+			},
+		)
+	}
+}

pkg/keycloak/proxy/server.go

@@ -563,6 +563,7 @@ func (r *OauthProxy) CreateReverseProxy() error {
 		r.Config.AccessTokenDuration,
 		r.Config.EnableOptionalEncryption,
 		r.Config.EnableCompressToken,
+		r.Config.EnableIDTokenClaims,
 		compressTokenPool,
 	)
 
@@ -856,6 +857,7 @@ func (r *OauthProxy) CreateReverseProxy() error {
 			r.Config.EnableAuthorizationHeader,
 			r.Config.EnableAuthorizationCookies,
 			r.Config.EnableHeaderEncoding,
+			r.Config.EnableIDTokenClaims,
 		)
 
 		middlewares := []func(http.Handler) http.Handler{

pkg/proxy/middleware/base.go

@@ -226,6 +226,7 @@ func IdentityHeadersMiddleware(
 	enableAuthzHeader bool,
 	enableAuthzCookies bool,
 	enableHeaderEncoding bool,
+	enableIDTokenClaims bool,
 ) func(http.Handler) http.Handler {
 	customClaims := make(map[string]string)
 
@@ -305,6 +306,17 @@ func IdentityHeadersMiddleware(
 
 						headers.Set(header, val)
 					}
+
+					if enableIDTokenClaims {
+						if claim, found := user.IDTokenClaims[claim]; found {
+							val := fmt.Sprintf("%v", claim)
+							if enableHeaderEncoding {
+								val = mime.BEncoding.Encode(encoding, val)
+							}
+
+							headers.Set(header, val)
+						}
+					}
 				}
 			}