From 955eadfd7f08f7e30e0fed14f77326abb31e8635 Mon Sep 17 00:00:00 2001
From: Paul Davis <paul@dangersalad.com>
Date: Tue, 19 Nov 2019 02:34:28 -0700
Subject: [PATCH] ok: Document cookie and additional headers for introspection
 (#227)

Related to ory/oathkeeper#301 and ory/oathkeeper#302
---
 docs/oathkeeper/pipeline/authn.md | 20 +++++++++++++++++---
 1 file changed, 17 insertions(+), 3 deletions(-)

diff --git a/docs/oathkeeper/pipeline/authn.md b/docs/oathkeeper/pipeline/authn.md
index c48a9c48c..beee9596d 100644
--- a/docs/oathkeeper/pipeline/authn.md
+++ b/docs/oathkeeper/pipeline/authn.md
@@ -440,14 +440,19 @@ was granted the requested scope.
     2.0 Client Credentials Grant will be performed.
 - `token_from` (object, optional) - The location of the bearer token. If not
   configured, the token will be received from a default location -
-  'Authorization' header. One and only one location (header or query) must be
+  'Authorization' header. One and only one location (header, query, or cookie) must be
   specified.
   - `header` (string, required, one of) - The header (case insensitive) that
     must contain a Bearer token for request authentication. It can't be set
-    along with query_parameter.
+    along with `query_parameter` or `cookie`.
   - `query_parameter` (string, required, one of) - The query parameter (case
     sensitive) that must contain a Bearer token for request authentication. It
-    can't be set along with header.
+    can't be set along with `header` or `cookie`.
+  - `cookie` (string, required, one of) - The cookie (case sensitive)
+    that must contain a Bearer token for request authentication. It
+    can't be set along with `header` or `query_parameter`
+- `introspection_request_headers` (object, optional) - Additional headers
+  to add to the introspection request
 
 ```yaml
 # Global configuration file oathkeeper.yml
@@ -473,6 +478,10 @@ authenticators:
         header: Custom-Authorization-Header
         # or
         # query_parameter: auth-token
+        # or
+        # cookie: auth-token
+      introspection_request_headers:
+        x-forwarded-proto: https
 ```
 
 ```yaml
@@ -499,6 +508,11 @@ authenticators:
         query_parameter: auth-token
         # or
         # header: Custom-Authorization-Header
+        # or
+        # cookie: auth-token
+      introspection_request_headers:
+        x-forwarded-proto: https
+        x-foo: bar
 ```
 
 ### Access Rule Example