traefik-forward-auth

Add AccessToken in response headers

Open Malian opened this issue 6 years ago • 8 comments

I need to do a collateral call to google APIs from my backend to get additional information about the user (full name, profile picture, team, ...). For that, I need to have the access token. Unfortunately, now I only have access to the user's email.

A solution could be to return the access token in the header key X-Forwarded-AccessToken but I think we will have to manage when the access token expires and refresh it with the refresh_token provided by Google. I am not sure the current implementation allows us to easily do that.

What do you think about this?

Malian avatar Feb 21 '19 09:02 Malian

Hmm, to be honest, if you're going to the extent of working against the Google APIs then at that point, I think that this use case may actually be best served by creating a forward authentication endpoint in your own application?

I'll leave this open for a while to see if there's any further support/justification but my current thinking is that this wouldn't be something we should support.

thomseddon avatar Feb 25 '19 11:02 thomseddon

For one of our applications it would be a requirement to pass the access token down to the service, hence I second this ask.

oauth2_proxy is capable of both providing the access token and refreshing the token.

Unfortunately oauth2_proxy is not integrating so elegantly with Traefik; traefik-forward-auth would be a much nicer solution if those two points were addressed.

tibkiss avatar Feb 27 '19 06:02 tibkiss

Okie dokie, this shouldn't cause any issues so I'm game for working on this, I'll target 2.1

thomseddon avatar Apr 18 '19 16:04 thomseddon

I think this may be a similar request, but sorry if it's not. But how hard would it be to only authenticate certain paths based on different scopes? Or add the users scope(s) to a header or something along those lines?

cstack89 avatar Feb 10 '20 10:02 cstack89

@cstack89 I think #57 and #63 should be what you're looking for

thomseddon avatar Feb 13 '20 09:02 thomseddon

Note: if this option is enabled, the access token would need to be encrypted prior to storage in the cookie

thomseddon avatar May 13 '20 15:05 thomseddon
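The note above is the security-relevant constraint in this thread: a forward-auth session cookie is only signed by default, so an upstream access token placed in it would be readable by the browser and anything that can see the cookie. The following is an added example, not traefik-forward-auth's own code, showing the pattern in Go: the Google access token and its expiry are sealed with AES-256-GCM (key derived from the shared secret via SHA-256, an illustrative KDF) before going into the cookie, and the forward-auth handler opens the cookie, rejects tampered or expired tokens, and emits an `X-Forwarded-AccessToken` header for Traefik to copy onto the upstream request. The cookie name `_forward_auth_token`, the handler shape and the sample token value are assumptions for the example; refreshing an expired token with the Google refresh_token is left as the point where `errExpired` is returned.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"time"
)

const (
	cookieName  = "_forward_auth_token"     // assumed cookie name for the example
	tokenHeader = "X-Forwarded-AccessToken" // header name proposed in the issue
)

var errExpired = errors.New("access token expired")

// tokenPayload is what gets sealed into the cookie: the token plus its expiry,
// so the handler can refuse it (or trigger a refresh) once it lapses.
type tokenPayload struct {
	AccessToken string    `json:"at"`
	Expiry      time.Time `json:"exp"`
}

// newAEAD derives a 256-bit key from the shared secret (SHA-256 as a simple
// KDF for illustration) and returns an AES-GCM AEAD.
func newAEAD(secret string) (cipher.AEAD, error) {
	key := sha256.Sum256([]byte(secret))
	block, err := aes.NewCipher(key[:])
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// sealToken encrypts the payload under a fresh random nonce and returns
// base64url(nonce || ciphertext || tag), which is safe as a cookie value.
// The cookie name is bound as associated data so a sealed blob cannot be
// replayed under a different cookie.
func sealToken(secret string, p tokenPayload) (string, error) {
	aead, err := newAEAD(secret)
	if err != nil {
		return "", err
	}
	plain, err := json.Marshal(p)
	if err != nil {
		return "", err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return "", err
	}
	sealed := aead.Seal(nonce, nonce, plain, []byte(cookieName))
	return base64.RawURLEncoding.EncodeToString(sealed), nil
}

// openToken reverses sealToken. A tampered, truncated or foreign-key cookie
// fails the GCM tag check; a lapsed token is reported as errExpired.
func openToken(secret, value string, now time.Time) (tokenPayload, error) {
	var p tokenPayload
	aead, err := newAEAD(secret)
	if err != nil {
		return p, err
	}
	raw, err := base64.RawURLEncoding.DecodeString(value)
	ns := aead.NonceSize()
	if err != nil || len(raw) < ns {
		return p, errors.New("malformed cookie")
	}
	plain, err := aead.Open(nil, raw[:ns], raw[ns:], []byte(cookieName))
	if err != nil {
		return p, errors.New("cookie failed authentication")
	}
	if err := json.Unmarshal(plain, &p); err != nil {
		return p, err
	}
	if !now.Before(p.Expiry) {
		return p, errExpired // a refresh with the provider's refresh_token would hook in here
	}
	return p, nil
}

// forwardAuthHandler is the shape of the forward-auth endpoint: on a valid
// cookie it answers 200 and sets the header Traefik copies to the upstream
// request; otherwise 401 (a real endpoint would redirect to the login flow).
func forwardAuthHandler(secret string) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		c, err := r.Cookie(cookieName)
		if err != nil {
			http.Error(w, "no session", http.StatusUnauthorized)
			return
		}
		p, err := openToken(secret, c.Value, time.Now())
		if err != nil {
			http.Error(w, err.Error(), http.StatusUnauthorized)
			return
		}
		w.Header().Set(tokenHeader, p.AccessToken)
		w.WriteHeader(http.StatusOK)
	})
}

// authorize runs one forward-auth request through the handler and returns
// the status code and the access-token header it produced.
func authorize(secret, cookieValue string) (int, string) {
	req := httptest.NewRequest(http.MethodGet, "/", nil)
	if cookieValue != "" {
		req.AddCookie(&http.Cookie{Name: cookieName, Value: cookieValue})
	}
	rec := httptest.NewRecorder()
	forwardAuthHandler(secret).ServeHTTP(rec, req)
	return rec.Code, rec.Header().Get(tokenHeader)
}

func main() {
	secret := "example-shared-secret" // assumed; would be the forward-auth secret
	// Constructed sample token, not a real Google credential.
	sealed, err := sealToken(secret, tokenPayload{AccessToken: "ya29.constructed-example", Expiry: time.Now().Add(time.Hour)})
	if err != nil {
		panic(err)
	}
	fmt.Println(authorize(secret, sealed))     // 200 and the token in the header
	fmt.Println(authorize("wrong-key", sealed)) // 401, tag check fails
}
```

Note that the cookie value is opaque to the browser and to any other service sharing the domain: without the forward-auth secret, neither the token nor its expiry can be read, and flipping any byte fails the GCM tag check rather than yielding a garbled token. The provider's refresh_token should be treated the same way if it is ever stored in the cookie at all.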

I haven't found an elegant way to ensure backwards compatibility on this yet, so I'm going to push it into 2.3

thomseddon avatar Jun 11 '20 11:06 thomseddon

Notes added in #100 - hoping to merge that

thomseddon avatar Aug 22 '20 13:08 thomseddon