Allow specifying additional headers for the oauth introspection reque…

…st (#302)
ory · Nov 25, 2019 · b1e5cea · b1e5cea
1 parent 98c9bf8
commit b1e5cea
Show file tree

Hide file tree

Showing 2 changed files with 25 additions and 10 deletions.
diff --git a/.schemas/config.schema.json b/.schemas/config.schema.json
@@ -468,6 +468,11 @@
             "type": "string"
           }
         },
+        "introspection_request_headers": {
+          "title": "Introspection Request Headers",
+          "description": "Additional headers to be added to the introspection request.",
+          "type": "object"
+        },
         "token_from": {
           "title": "Token From",
           "description": "The location of the token.\n If not configured, the token will be received from a default location - 'Authorization' header.\n One and only one location (header or query) must be specified.",
@@ -1242,4 +1247,4 @@
   },
   "required": [],
   "additionalProperties": false
-}
+}
diff --git a/pipeline/authn/authenticator_oauth2_introspection.go b/pipeline/authn/authenticator_oauth2_introspection.go
@@ -20,13 +20,14 @@ import (
 )
 
 type AuthenticatorOAuth2IntrospectionConfiguration struct {
-	Scopes              []string                                              `json:"required_scope"`
-	Audience            []string                                              `json:"target_audience"`
-	Issuers             []string                                              `json:"trusted_issuers"`
-	PreAuth             *AuthenticatorOAuth2IntrospectionPreAuthConfiguration `json:"pre_authorization"`
-	ScopeStrategy       string                                                `json:"scope_strategy"`
-	IntrospectionURL    string                                                `json:"introspection_url"`
-	BearerTokenLocation *helper.BearerTokenLocation                           `json:"token_from"`
+	Scopes                      []string                                              `json:"required_scope"`
+	Audience                    []string                                              `json:"target_audience"`
+	Issuers                     []string                                              `json:"trusted_issuers"`
+	PreAuth                     *AuthenticatorOAuth2IntrospectionPreAuthConfiguration `json:"pre_authorization"`
+	ScopeStrategy               string                                                `json:"scope_strategy"`
+	IntrospectionURL            string                                                `json:"introspection_url"`
+	BearerTokenLocation         *helper.BearerTokenLocation                           `json:"token_from"`
+	IntrospectionRequestHeaders map[string]string                                     `json:"introspection_request_headers"`
 }
 
 type AuthenticatorOAuth2IntrospectionPreAuthConfiguration struct {
@@ -77,7 +78,16 @@ func (a *AuthenticatorOAuth2Introspection) Authenticate(r *http.Request, config
 	}
 
 	body := url.Values{"token": {token}, "scope": {strings.Join(cf.Scopes, " ")}}
-	resp, err := a.client.Post(cf.IntrospectionURL, "application/x-www-form-urlencoded", strings.NewReader(body.Encode()))
+	introspectReq, err := http.NewRequest(http.MethodPost, cf.IntrospectionURL, strings.NewReader(body.Encode()))
+	if err != nil {
+		return nil, errors.WithStack(err)
+	}
+	for key, value := range cf.IntrospectionRequestHeaders {
+		introspectReq.Header.Set(key, value)
+	}
+	// set/override the content-type header
+	introspectReq.Header.Set("Content-Type", "application/x-www-form-urlencoded")
+	resp, err := a.client.Do(introspectReq)
 	if err != nil {
 		return nil, errors.WithStack(err)
 	}
@@ -96,7 +106,7 @@ func (a *AuthenticatorOAuth2Introspection) Authenticate(r *http.Request, config
 	}
 
 	if !i.Active {
-		return nil, errors.WithStack(helper.ErrForbidden.WithReason("Access token i says token is not active"))
+		return nil, errors.WithStack(helper.ErrUnauthorized.WithReason("Access token i says token is not active"))
 	}
 
 	for _, audience := range cf.Audience {