Merge 6731fdaac5 into 9168731c7a

2025-09-30 19:05:02 +00:00 · 2025-09-30 19:05:02 +00:00 · 96fca5de70
parent 9168731c7a 6731fdaac5
commit 96fca5de70
6 changed files with 204 additions and 24 deletions
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@ -8,6 +8,8 @@

 ## Changes since v7.12.0

+- [#3217](https://github.com/oauth2-proxy/oauth2-proxy/pull/3217) feat: add --pass-refresh-token (@carillonator)
+
 # V7.12.0

 ## Release Highlights
@ -119,7 +121,7 @@ For detailed information, migration guidance, and security implications, see the
 - 🕵️‍♀️ Vulnerabilities have been addressed
  - [CVE-2025-22871](https://github.com/advisories/GHSA-g9pc-8g42-g6vq)
 - 🐛 Squashed some bugs
-  
+
 ## Important Notes

 ## Breaking Changes
--- a/contrib/oauth2-proxy.cfg.example
+++ b/contrib/oauth2-proxy.cfg.example
@ -59,6 +59,9 @@
 ## Pass OAuth Access token to upstream via "X-Forwarded-Access-Token"
 # pass_access_token = false

+## Pass OAuth Refresh token to upstream via "X-Forwarded-Refresh-Token"
+# pass_refresh_token = false
+
 ## Authenticated Email Addresses File (one email per line)
 # authenticated_emails_file = ""

--- a/docs/docs/configuration/overview.md
+++ b/docs/docs/configuration/overview.md
@ -143,6 +143,7 @@ Provider specific options can be found on their respective subpages.
 | flag: `--set-basic-auth`<br/>toml: `set_basic_auth`                       | bool   | set HTTP Basic Auth information in response (useful in Nginx auth_request mode)                                                                                                                                                                                  | false   |
 | flag: `--skip-auth-strip-headers`<br/>toml: `skip_auth_strip_headers`     | bool   | strips `X-Forwarded-*` style authentication headers & `Authorization` header if they would be set by oauth2-proxy                                                                                                                                                | true    |
 | flag: `--pass-access-token`<br/>toml: `pass_access_token`                 | bool   | pass OAuth access_token to upstream via X-Forwarded-Access-Token header. When used with `--set-xauthrequest` this adds the X-Auth-Request-Access-Token header to the response                                                                                    | false   |
+| flag: `--pass-refresh-token`<br/>toml: `pass_refresh_token`               | bool   | pass OAuth refresh_token to upstream via X-Forwarded-Refresh-Token header                                                                                                                                                                                        | false   |
 | flag: `--pass-authorization-header`<br/>toml: `pass_authorization_header` | bool   | pass OIDC IDToken to upstream via Authorization Bearer header                                                                                                                                                                                                    | false   |
 | flag: `--pass-basic-auth`<br/>toml: `pass_basic_auth`                     | bool   | pass HTTP Basic Auth, X-Forwarded-User, X-Forwarded-Email and X-Forwarded-Preferred-Username information to upstream                                                                                                                                             | true    |
 | flag: `--prefer-email-to-user`<br/>toml: `prefer_email_to_user`           | bool   | Prefer to use the Email address as the Username when passing information to upstream. Will only use Username if Email is unavailable, e.g. htaccess authentication. Used in conjunction with `--pass-basic-auth` and `--pass-user-headers`                       | false   |
--- a/oauthproxy_test.go
+++ b/oauthproxy_test.go
@ -99,6 +99,19 @@ func (tp *TestProvider) GetEmailAddress(_ context.Context, _ *sessions.SessionSt
 	return tp.EmailAddress, nil
 }

+func (tp *TestProvider) Redeem(ctx context.Context, redirectURL, code, codeVerifier string) (*sessions.SessionState, error) {
+	// Call the parent Redeem to get the basic session with access_token
+	session, err := tp.ProviderData.Redeem(ctx, redirectURL, code, codeVerifier)
+	if err != nil {
+		return nil, err
+	}
+
+	session.RefreshToken = "my_refresh_token"
+	session.IDToken = "my_id_token"
+
+	return session, nil
+}
+
 func (tp *TestProvider) ValidateSession(_ context.Context, _ *sessions.SessionState) bool {
 	return tp.ValidToken
 }
@ -313,20 +326,22 @@ func TestPassGroupsHeadersWithGroups(t *testing.T) {
 	assert.Equal(t, []string{"a,b"}, req.Header["X-Forwarded-Groups"])
 }

-type PassAccessTokenTest struct {
+type PassTokensTest struct {
 	providerServer *httptest.Server
 	proxy          *OAuthProxy
 	opts           *options.Options
 }

-type PassAccessTokenTestOptions struct {
-	PassAccessToken bool
-	ValidToken      bool
-	ProxyUpstream   options.Upstream
+type PassTokensTestOptions struct {
+	PassAccessToken   bool
+	PassRefreshToken  bool
+	PassAuthorization bool
+	ValidToken        bool
+	ProxyUpstream     options.Upstream
 }

-func NewPassAccessTokenTest(opts PassAccessTokenTestOptions) (*PassAccessTokenTest, error) {
-	patt := &PassAccessTokenTest{}
+func NewPassTokensTest(opts PassTokensTestOptions) (*PassTokensTest, error) {
+	patt := &PassTokensTest{}

 	patt.providerServer = httptest.NewServer(
 		http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
@ -334,6 +349,16 @@ func NewPassAccessTokenTest(opts PassAccessTokenTestOptions) (*PassAccessTokenTe
 			switch r.URL.Path {
 			case "/oauth/token":
 				payload = `{"access_token": "my_auth_token"}`
+			case "/refresh":
+				payload = r.Header.Get("X-Forwarded-Refresh-Token")
+				if payload == "" {
+					payload = "No refresh token found."
+				}
+			case "/authorization":
+				payload = r.Header.Get("Authorization")
+				if payload == "" {
+					payload = "No ID token found."
+				}
 			default:
 				payload = r.Header.Get("X-Forwarded-Access-Token")
 				if payload == "" {
@ -362,21 +387,49 @@ func NewPassAccessTokenTest(opts PassAccessTokenTestOptions) (*PassAccessTokenTe
 	}

 	patt.opts.Cookie.Secure = false
+	headers := []options.Header{}
 	if opts.PassAccessToken {
-		patt.opts.InjectRequestHeaders = []options.Header{
-			{
-				Name: "X-Forwarded-Access-Token",
-				Values: []options.HeaderValue{
-					{
-						ClaimSource: &options.ClaimSource{
-							Claim: "access_token",
-						},
+		headers = append(headers, options.Header{
+			Name: "X-Forwarded-Access-Token",
+			Values: []options.HeaderValue{
+				{
+					ClaimSource: &options.ClaimSource{
+						Claim: "access_token",
 					},
 				},
 			},
-		}
+		})
 	}

+	if opts.PassRefreshToken {
+		headers = append(headers, options.Header{
+			Name: "X-Forwarded-Refresh-Token",
+			Values: []options.HeaderValue{
+				{
+					ClaimSource: &options.ClaimSource{
+						Claim: "refresh_token",
+					},
+				},
+			},
+		})
+	}
+
+	if opts.PassAuthorization {
+		headers = append(headers, options.Header{
+			Name: "Authorization",
+			Values: []options.HeaderValue{
+				{
+					ClaimSource: &options.ClaimSource{
+						Claim:  "id_token",
+						Prefix: "Bearer ",
+					},
+				},
+			},
+		})
+	}
+
+	patt.opts.InjectRequestHeaders = headers
+
 	err := validation.Validate(patt.opts)
 	if err != nil {
 		return nil, err
@ -397,11 +450,11 @@ func NewPassAccessTokenTest(opts PassAccessTokenTestOptions) (*PassAccessTokenTe
 	return patt, nil
 }

-func (patTest *PassAccessTokenTest) Close() {
+func (patTest *PassTokensTest) Close() {
 	patTest.providerServer.Close()
 }

-func (patTest *PassAccessTokenTest) getCallbackEndpoint() (httpCode int, cookie string) {
+func (patTest *PassTokensTest) getCallbackEndpoint() (httpCode int, cookie string) {
 	rw := httptest.NewRecorder()

 	csrf, err := cookies.NewCSRF(patTest.proxy.CookieOptions, "")
@ -439,7 +492,7 @@ func (patTest *PassAccessTokenTest) getCallbackEndpoint() (httpCode int, cookie

 // getEndpointWithCookie makes a requests againt the oauthproxy with passed requestPath
 // and cookie and returns body and status code.
-func (patTest *PassAccessTokenTest) getEndpointWithCookie(cookie string, endpoint string) (httpCode int, accessToken string) {
+func (patTest *PassTokensTest) getEndpointWithCookie(cookie string, endpoint string) (httpCode int, accessToken string) {
 	cookieName := patTest.proxy.CookieOptions.Name
 	var value string
 	keyPrefix := cookieName + "="
@ -473,7 +526,7 @@ func (patTest *PassAccessTokenTest) getEndpointWithCookie(cookie string, endpoin
 }

 func TestForwardAccessTokenUpstream(t *testing.T) {
-	patTest, err := NewPassAccessTokenTest(PassAccessTokenTestOptions{
+	patTest, err := NewPassTokensTest(PassTokensTestOptions{
 		PassAccessToken: true,
 		ValidToken:      true,
 	})
@ -499,8 +552,64 @@ func TestForwardAccessTokenUpstream(t *testing.T) {
 	assert.Equal(t, "my_auth_token", payload)
 }

+func TestForwardRefreshTokenUpstream(t *testing.T) {
+	patTest, err := NewPassTokensTest(PassTokensTestOptions{
+		PassRefreshToken: true,
+		ValidToken:       true,
+	})
+	if err != nil {
+		t.Fatal(err)
+	}
+	t.Cleanup(patTest.Close)
+
+	// A successful validation will redirect and set the auth cookie.
+	code, cookie := patTest.getCallbackEndpoint()
+	if code != 302 {
+		t.Fatalf("expected 302; got %d", code)
+	}
+	assert.NotNil(t, cookie)
+
+	// Now we make a regular request; the refresh_token from the cookie is
+	// forwarded as the "X-Forwarded-Refresh-Token" header. The token is
+	// read by the test provider server and written in the response body.
+	code, payload := patTest.getEndpointWithCookie(cookie, "/refresh")
+	if code != 200 {
+		t.Fatalf("expected 200; got %d", code)
+	}
+	assert.Equal(t, "my_refresh_token", payload)
+}
+
+func TestForwardIDTokenUpstream(t *testing.T) {
+	patTest, err := NewPassTokensTest(PassTokensTestOptions{
+		PassAuthorization: true,
+		PassAccessToken:   true,
+		PassRefreshToken:  true,
+		ValidToken:        true,
+	})
+	if err != nil {
+		t.Fatal(err)
+	}
+	t.Cleanup(patTest.Close)
+
+	// A successful validation will redirect and set the auth cookie.
+	code, cookie := patTest.getCallbackEndpoint()
+	if code != 302 {
+		t.Fatalf("expected 302; got %d", code)
+	}
+	assert.NotNil(t, cookie)
+
+	// Now we make a regular request; the id_token from the cookie is
+	// forwarded as the "Authorization" header with Bearer prefix. The token is
+	// read by the test provider server and written in the response body.
+	code, payload := patTest.getEndpointWithCookie(cookie, "/authorization")
+	if code != 200 {
+		t.Fatalf("expected 200; got %d", code)
+	}
+	assert.Equal(t, "Bearer my_id_token", payload)
+}
+
 func TestStaticProxyUpstream(t *testing.T) {
-	patTest, err := NewPassAccessTokenTest(PassAccessTokenTestOptions{
+	patTest, err := NewPassTokensTest(PassTokensTestOptions{
 		PassAccessToken: true,
 		ValidToken:      true,
 		ProxyUpstream: options.Upstream{
@ -531,7 +640,7 @@ func TestStaticProxyUpstream(t *testing.T) {
 }

 func TestDoNotForwardAccessTokenUpstream(t *testing.T) {
-	patTest, err := NewPassAccessTokenTest(PassAccessTokenTestOptions{
+	patTest, err := NewPassTokensTest(PassTokensTestOptions{
 		PassAccessToken: false,
 		ValidToken:      true,
 	})
@ -557,7 +666,7 @@ func TestDoNotForwardAccessTokenUpstream(t *testing.T) {
 }

 func TestSessionValidationFailure(t *testing.T) {
-	patTest, err := NewPassAccessTokenTest(PassAccessTokenTestOptions{
+	patTest, err := NewPassTokensTest(PassTokensTestOptions{
 		ValidToken: false,
 	})
 	require.NoError(t, err)
--- a/pkg/apis/options/legacy_options.go
+++ b/pkg/apis/options/legacy_options.go
@ -194,6 +194,7 @@ func (l *LegacyUpstreams) convert() (UpstreamConfig, error) {
 type LegacyHeaders struct {
 	PassBasicAuth     bool `flag:"pass-basic-auth" cfg:"pass_basic_auth"`
 	PassAccessToken   bool `flag:"pass-access-token" cfg:"pass_access_token"`
+	PassRefreshToken  bool `flag:"pass-refresh-token" cfg:"pass_refresh_token"`
 	PassUserHeaders   bool `flag:"pass-user-headers" cfg:"pass_user_headers"`
 	PassAuthorization bool `flag:"pass-authorization-header" cfg:"pass_authorization_header"`

@ -211,6 +212,7 @@ func legacyHeadersFlagSet() *pflag.FlagSet {

 	flagSet.Bool("pass-basic-auth", true, "pass HTTP Basic Auth, X-Forwarded-User and X-Forwarded-Email information to upstream")
 	flagSet.Bool("pass-access-token", false, "pass OAuth access_token to upstream via X-Forwarded-Access-Token header")
+	flagSet.Bool("pass-refresh-token", false, "pass OAuth refresh_token to upstream via X-Forwarded-Refresh-Token header")
 	flagSet.Bool("pass-user-headers", true, "pass X-Forwarded-User and X-Forwarded-Email information to upstream")
 	flagSet.Bool("pass-authorization-header", false, "pass the Authorization Header to upstream")

@ -248,6 +250,10 @@ func (l *LegacyHeaders) getRequestHeaders() []Header {
 		requestHeaders = append(requestHeaders, getPassAccessTokenHeader())
 	}

+	if l.PassRefreshToken {
+		requestHeaders = append(requestHeaders, getPassRefreshTokenHeader())
+	}
+
 	if l.PassAuthorization {
 		requestHeaders = append(requestHeaders, getAuthorizationHeader())
 	}
@ -368,6 +374,19 @@ func getPassAccessTokenHeader() Header {
 	}
 }

+func getPassRefreshTokenHeader() Header {
+	return Header{
+		Name: "X-Forwarded-Refresh-Token",
+		Values: []HeaderValue{
+			{
+				ClaimSource: &ClaimSource{
+					Claim: "refresh_token",
+				},
+			},
+		},
+	}
+}
+
 func getAuthorizationHeader() Header {
 	return Header{
 		Name: "Authorization",
--- a/pkg/apis/options/legacy_options_test.go
+++ b/pkg/apis/options/legacy_options_test.go
@ -400,6 +400,18 @@ var _ = Describe("Legacy Options", func() {
 			},
 		}

+		xForwardedRefreshToken := Header{
+			Name:                 "X-Forwarded-Refresh-Token",
+			PreserveRequestValue: false,
+			Values: []HeaderValue{
+				{
+					ClaimSource: &ClaimSource{
+						Claim: "refresh_token",
+					},
+				},
+			},
+		}
+
 		basicAuthHeaderWithEmail := Header{
 			Name:                 "Authorization",
 			PreserveRequestValue: false,
@ -499,6 +511,7 @@ var _ = Describe("Legacy Options", func() {
 				legacyHeaders: &LegacyHeaders{
 					PassBasicAuth:     false,
 					PassAccessToken:   false,
+					PassRefreshToken:  false,
 					PassUserHeaders:   false,
 					PassAuthorization: false,

@ -517,6 +530,7 @@ var _ = Describe("Legacy Options", func() {
 				legacyHeaders: &LegacyHeaders{
 					PassBasicAuth:     true,
 					PassAccessToken:   false,
+					PassRefreshToken:  false,
 					PassUserHeaders:   false,
 					PassAuthorization: false,

@ -543,6 +557,7 @@ var _ = Describe("Legacy Options", func() {
 				legacyHeaders: &LegacyHeaders{
 					PassBasicAuth:     true,
 					PassAccessToken:   false,
+					PassRefreshToken:  false,
 					PassUserHeaders:   false,
 					PassAuthorization: false,

@ -569,6 +584,7 @@ var _ = Describe("Legacy Options", func() {
 				legacyHeaders: &LegacyHeaders{
 					PassBasicAuth:     true,
 					PassAccessToken:   false,
+					PassRefreshToken:  false,
 					PassUserHeaders:   false,
 					PassAuthorization: false,

@ -594,6 +610,7 @@ var _ = Describe("Legacy Options", func() {
 				legacyHeaders: &LegacyHeaders{
 					PassBasicAuth:     true,
 					PassAccessToken:   false,
+					PassRefreshToken:  false,
 					PassUserHeaders:   true,
 					PassAuthorization: false,

@ -620,6 +637,7 @@ var _ = Describe("Legacy Options", func() {
 				legacyHeaders: &LegacyHeaders{
 					PassBasicAuth:     false,
 					PassAccessToken:   false,
+					PassRefreshToken:  false,
 					PassUserHeaders:   true,
 					PassAuthorization: false,

@ -643,6 +661,7 @@ var _ = Describe("Legacy Options", func() {
 				legacyHeaders: &LegacyHeaders{
 					PassBasicAuth:     false,
 					PassAccessToken:   false,
+					PassRefreshToken:  false,
 					PassUserHeaders:   true,
 					PassAuthorization: false,

@ -666,6 +685,7 @@ var _ = Describe("Legacy Options", func() {
 				legacyHeaders: &LegacyHeaders{
 					PassBasicAuth:     false,
 					PassAccessToken:   false,
+					PassRefreshToken:  false,
 					PassUserHeaders:   false,
 					PassAuthorization: false,

@ -689,6 +709,7 @@ var _ = Describe("Legacy Options", func() {
 				legacyHeaders: &LegacyHeaders{
 					PassBasicAuth:     false,
 					PassAccessToken:   true,
+					PassRefreshToken:  false,
 					PassUserHeaders:   false,
 					PassAuthorization: false,

@ -709,6 +730,7 @@ var _ = Describe("Legacy Options", func() {
 				legacyHeaders: &LegacyHeaders{
 					PassBasicAuth:     false,
 					PassAccessToken:   true,
+					PassRefreshToken:  false,
 					PassUserHeaders:   false,
 					PassAuthorization: false,

@ -735,6 +757,7 @@ var _ = Describe("Legacy Options", func() {
 				legacyHeaders: &LegacyHeaders{
 					PassBasicAuth:     false,
 					PassAccessToken:   true,
+					PassRefreshToken:  false,
 					PassUserHeaders:   false,
 					PassAuthorization: false,

@ -751,10 +774,32 @@ var _ = Describe("Legacy Options", func() {
 				},
 				expectedResponseHeaders: []Header{},
 			}),
+			Entry("with passRefreshToken", legacyHeadersTableInput{
+				legacyHeaders: &LegacyHeaders{
+					PassBasicAuth:     false,
+					PassAccessToken:   false,
+					PassRefreshToken:  true,
+					PassUserHeaders:   false,
+					PassAuthorization: false,
+
+					SetBasicAuth:     false,
+					SetXAuthRequest:  false,
+					SetAuthorization: false,
+
+					PreferEmailToUser:    false,
+					BasicAuthPassword:    "",
+					SkipAuthStripHeaders: true,
+				},
+				expectedRequestHeaders: []Header{
+					xForwardedRefreshToken,
+				},
+				expectedResponseHeaders: []Header{},
+			}),
 			Entry("with authorization headers", legacyHeadersTableInput{
 				legacyHeaders: &LegacyHeaders{
 					PassBasicAuth:     false,
 					PassAccessToken:   false,
+					PassRefreshToken:  false,
 					PassUserHeaders:   false,
 					PassAuthorization: true,

@ -777,6 +822,7 @@ var _ = Describe("Legacy Options", func() {
 				legacyHeaders: &LegacyHeaders{
 					PassBasicAuth:     false,
 					PassAccessToken:   false,
+					PassRefreshToken:  false,
 					PassUserHeaders:   false,
 					PassAuthorization: true,