introspect with org_ctx when Edisp-Org-Id is set

philips-forks · Jan 17, 2023 · 4430b2f · 4430b2f
1 parent 65bdb08
commit 4430b2f
Show file tree

Hide file tree

Showing 3 changed files with 19 additions and 9 deletions.
diff --git a/oauthproxy.go b/oauthproxy.go
@@ -794,7 +794,7 @@ func (p *OAuthProxy) OAuthCallback(rw http.ResponseWriter, req *http.Request) {
 		return
 	}
 
-	err = p.enrichSessionState(req.Context(), session)
+	err = p.enrichSessionState(req.Context(), session, req.Header)
 	if err != nil {
 		logger.Errorf("Error creating session during OAuth2 callback: %v", err)
 		p.ErrorPage(rw, req, http.StatusInternalServerError, err.Error())
@@ -860,7 +860,7 @@ func (p *OAuthProxy) redeemCode(req *http.Request) (*sessionsapi.SessionState, e
 	return s, nil
 }
 
-func (p *OAuthProxy) enrichSessionState(ctx context.Context, s *sessionsapi.SessionState) error {
+func (p *OAuthProxy) enrichSessionState(ctx context.Context, s *sessionsapi.SessionState, headers map[string][]string) error {
 	var err error
 	if s.Email == "" {
 		// TODO(@NickMeves): Remove once all provider are updated to implement EnrichSession
@@ -871,7 +871,8 @@ func (p *OAuthProxy) enrichSessionState(ctx context.Context, s *sessionsapi.Sess
 		}
 	}
 
-	return p.provider.EnrichSession(ctx, s)
+	ctxWithHeaders := context.WithValue(ctx, "headers", headers)
+	return p.provider.EnrichSession(ctxWithHeaders, s)
 }
 
 // AuthOnly checks whether the user is currently logged in (both authentication

diff --git a/oauthproxy_test.go b/oauthproxy_test.go
@@ -470,7 +470,7 @@ func Test_enrichSession(t *testing.T) {
 				t.Fatal(err)
 			}
 
-			err = proxy.enrichSessionState(context.Background(), tc.session)
+			err = proxy.enrichSessionState(context.Background(), tc.session, nil)
 			assert.NoError(t, err)
 			assert.Equal(t, tc.expectedUser, tc.session.User)
 			assert.Equal(t, tc.expectedEmail, tc.session.Email)
@@ -1654,7 +1654,8 @@ func (st *SignatureTest) Close() {
 
 // fakeNetConn simulates an http.Request.Body buffer that will be consumed
 // when it is read by the hmacauth.HmacAuth if not handled properly. See:
-//   https://github.com/18F/hmacauth/pull/4
+//
+//	https://github.com/18F/hmacauth/pull/4
 type fakeNetConn struct {
 	reqBody string
 }

diff --git a/providers/oidc.go b/providers/oidc.go
@@ -128,13 +128,21 @@ func (p *OIDCProvider) enrichFromIntrospectURL(ctx context.Context, s *sessions.
 	params := url.Values{}
 	params.Add("token", s.AccessToken)
 	basicAuth := b64.StdEncoding.EncodeToString([]byte(fmt.Sprintf("%s:%s", p.ClientID, clientSecret)))
-	result := requests.New(p.IntrospectURL.String()).
+	request := requests.New(p.IntrospectURL.String()).
 		WithContext(ctx).
 		WithMethod("POST").
-		WithBody(bytes.NewBufferString(params.Encode())).
 		SetHeader("Authorization", fmt.Sprintf("Basic %s", basicAuth)).
-		SetHeader("Content-Type", "application/x-www-form-urlencoded").
-		Do()
+		SetHeader("Content-Type", "application/x-www-form-urlencoded")
+
+	var v, ok = ctx.Value("headers").(map[string][]string)
+	if ok {
+		orgctx, ok := v["Edisp-Org-Id"]
+		if ok {
+			params.Add("org_ctx", orgctx[0])
+		}
+	}
+	request = request.WithBody(bytes.NewBufferString(params.Encode()))
+	result := request.Do()
 
 	if result.StatusCode() != http.StatusOK {
 		return fmt.Errorf("error while requesting introspect claims, status code - %d", result.StatusCode())