MeisterLabs · martyn-meister · Oct 19, 2023 · Oct 19, 2023 · Oct 19, 2023 · Oct 19, 2023
diff --git a/docs/docs/configuration/overview.md b/docs/docs/configuration/overview.md
@@ -133,6 +133,7 @@ An example [oauth2-proxy.cfg](https://github.com/oauth2-proxy/oauth2-proxy/blob/
 | `--logging-max-size` | int | Maximum size in megabytes of the log file before rotation | 100 |
 | `--jwt-key` | string | private key in PEM format used to sign JWT, so that you can say something like `--jwt-key="${OAUTH2_PROXY_JWT_KEY}"`: required by login.gov | |
 | `--jwt-key-file` | string | path to the private key file in PEM format used to sign the JWT so that you can say something like `--jwt-key-file=/etc/ssl/private/jwt_signing_key.pem`: required by login.gov | |
+> `--jwt-auth-header` | string | alternate Authorization header for jwt, so that you can say something like `--jwt-header="X-Oauth2-proxy-Authorization"`: required for some clashes of Authorization header | "Authorization" |
 | `--login-url` | string | Authentication endpoint | |
 | `--insecure-oidc-allow-unverified-email` | bool | don't fail if an email address in an id_token is not verified | false |
 | `--insecure-oidc-skip-issuer-verification` | bool | allow the OIDC issuer URL to differ from the expected (currently required for Azure multi-tenant compatibility) | false |

diff --git a/oauthproxy.go b/oauthproxy.go
@@ -388,7 +388,7 @@ func buildSessionChain(opts *options.Options, provider providers.Provider, sessi
 				middlewareapi.CreateTokenToSessionFunc(verifier.Verify))
 		}
 
-		chain = chain.Append(middleware.NewJwtSessionLoader(sessionLoaders))
+		chain = chain.Append(middleware.NewJwtSessionLoader(sessionLoaders, opts.JWTAuthHeader))
 	}
 
 	if validator != nil {

diff --git a/pkg/apis/options/options.go b/pkg/apis/options/options.go
@@ -27,6 +27,7 @@ type Options struct {
 	TrustedIPs         []string `flag:"trusted-ip" cfg:"trusted_ips"`
 	ForceHTTPS         bool     `flag:"force-https" cfg:"force_https"`
 	RawRedirectURL     string   `flag:"redirect-url" cfg:"redirect_url"`
+	JWTAuthHeader      string   `flag:"jwt-auth-header" cfg:"jwt_auth_header"`
 
 	AuthenticatedEmailsFile string   `flag:"authenticated-emails-file" cfg:"authenticated_emails_file"`
 	EmailDomains            []string `flag:"email-domain" cfg:"email_domains"`
@@ -126,6 +127,7 @@ func NewFlagSet() *pflag.FlagSet {
 	flagSet.Bool("skip-jwt-bearer-tokens", false, "will skip requests that have verified JWT bearer tokens (default false)")
 	flagSet.Bool("force-json-errors", false, "will force JSON errors instead of HTTP error pages or redirects")
 	flagSet.StringSlice("extra-jwt-issuers", []string{}, "if skip-jwt-bearer-tokens is set, a list of extra JWT issuer=audience pairs (where the issuer URL has a .well-known/openid-configuration or a .well-known/jwks.json)")
+	flagSet.String("jwt-auth-header", "Authorization", "alternate Authorization header for jwt, so that you can say something like -jwt-header=\"X-Oauth2-proxy-Authorization\": required for some clashes of Authorization header")
 
 	flagSet.StringSlice("email-domain", []string{}, "authenticate emails with the specified domain (may be given multiple times). Use * to authenticate any email")
 	flagSet.StringSlice("whitelist-domain", []string{}, "allowed domains for redirection after authentication. Prefix domain with a . or a *. to allow subdomains (eg .example.com, *.example.com)")

diff --git a/pkg/middleware/jwt_session.go b/pkg/middleware/jwt_session.go
@@ -15,9 +15,10 @@ import (
 
 const jwtRegexFormat = `^ey[IJ][a-zA-Z0-9_-]*\.ey[IJ][a-zA-Z0-9_-]*\.[a-zA-Z0-9_-]+$`
 
-func NewJwtSessionLoader(sessionLoaders []middlewareapi.TokenToSessionFunc) alice.Constructor {
+func NewJwtSessionLoader(sessionLoaders []middlewareapi.TokenToSessionFunc, jwtAuthHeader string) alice.Constructor {
 	js := &jwtSessionLoader{
 		jwtRegex:       regexp.MustCompile(jwtRegexFormat),
+		jwtAuthHeader:  jwtAuthHeader,
 		sessionLoaders: sessionLoaders,
 	}
 	return js.loadSession
@@ -27,6 +28,7 @@ func NewJwtSessionLoader(sessionLoaders []middlewareapi.TokenToSessionFunc) alic
 // Authorization headers.
 type jwtSessionLoader struct {
 	jwtRegex       *regexp.Regexp
+	jwtAuthHeader  string
 	sessionLoaders []middlewareapi.TokenToSessionFunc
 }
 
@@ -60,7 +62,11 @@ func (j *jwtSessionLoader) loadSession(next http.Handler) http.Handler {
 // getJwtSession loads a session based on a JWT token in the authorization header.
 // (see the config options skip-jwt-bearer-tokens and extra-jwt-issuers)
 func (j *jwtSessionLoader) getJwtSession(req *http.Request) (*sessionsapi.SessionState, error) {
-	auth := req.Header.Get("Authorization")
+	authHeader := "Authorization"
+	if j.jwtAuthHeader != "" {
+		authHeader = j.jwtAuthHeader
+	}
+	auth := req.Header.Get(authHeader)
 	if auth == "" {
 		// No auth header provided, so don't attempt to load a session
 		return nil, nil

diff --git a/pkg/middleware/jwt_session_test.go b/pkg/middleware/jwt_session_test.go
@@ -114,7 +114,7 @@ Nnc3a3lGVWFCNUMxQnNJcnJMTWxka1dFaHluYmI4Ongtb2F1dGgtYmFzaWM=`
 				// Create the handler with a next handler that will capture the session
 				// from the scope
 				var gotSession *sessionsapi.SessionState
-				handler := NewJwtSessionLoader(sessionLoaders)(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+				handler := NewJwtSessionLoader(sessionLoaders, "Authorization")(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
 					gotSession = middlewareapi.GetRequestScope(r).Session
 				}))
 				handler.ServeHTTP(rw, req)