feat: pass only essential and configured headers to authenticator (or…

…y#952) BREAKING CHANGE: From now on, the `bearer_token` and `cookie_session` handlers pass only the needed header (`Authorization`, `Cookie`) to the check URL. To pass additional headers, use the `forward_http_headers` configuration key. Closes ory#954 Closes ory/network#76 Co-authored-by: hackerman <[email protected]>
JarekKa · Jun 23, 2022 · e5e4de4 · e5e4de4
1 parent 58c7fdf
commit e5e4de4
Show file tree

Hide file tree

Showing 33 changed files with 2,155 additions and 1,258 deletions.
diff --git a/.docker_compose/config.yaml b/.docker_compose/config.yaml
@@ -26,7 +26,7 @@ mutators:
     enabled: true
     config:
       headers:
-        X-User: '{{ print .Subject }}'
+        X-User: "{{ print .Subject }}"
   noop:
     enabled: true
   id_token:

diff --git a/.github/ISSUE_TEMPLATE/BUG-REPORT.yml b/.github/ISSUE_TEMPLATE/BUG-REPORT.yml
@@ -1,17 +1,17 @@
-description: 'Create a bug report'
+description: "Create a bug report"
 labels:
   - bug
-name: 'Bug Report'
+name: "Bug Report"
 body:
   - attributes:
       value: "Thank you for taking the time to fill out this bug report!\n"
     type: markdown
   - attributes:
-      label: 'Preflight checklist'
+      label: "Preflight checklist"
       options:
         - label:
-            'I could not find a solution in the existing issues, docs, nor
-            discussions.'
+            "I could not find a solution in the existing issues, docs, nor
+            discussions."
           required: true
         - label:
             "I agree to follow this project's [Code of
@@ -22,18 +22,18 @@ body:
             Guidelines](https://github.com/ory/oathkeeper/blob/master/CONTRIBUTING.md)."
           required: true
         - label:
-            'This issue affects my [Ory Cloud](https://www.ory.sh/) project.'
+            "This issue affects my [Ory Cloud](https://www.ory.sh/) project."
         - label:
-            'I have joined the [Ory Community Slack](https://slack.ory.sh).'
+            "I have joined the [Ory Community Slack](https://slack.ory.sh)."
         - label:
-            'I am signed up to the [Ory Security Patch
-            Newsletter](https://ory.us10.list-manage.com/subscribe?u=ffb1a878e4ec6c0ed312a3480&id=f605a41b53).'
+            "I am signed up to the [Ory Security Patch
+            Newsletter](https://ory.us10.list-manage.com/subscribe?u=ffb1a878e4ec6c0ed312a3480&id=f605a41b53)."
     id: checklist
     type: checkboxes
   - attributes:
-      description: 'A clear and concise description of what the bug is.'
-      label: 'Describe the bug'
-      placeholder: 'Tell us what you see!'
+      description: "A clear and concise description of what the bug is."
+      label: "Describe the bug"
+      placeholder: "Tell us what you see!"
     id: describe-bug
     type: textarea
     validations:
@@ -47,28 +47,28 @@ body:
         1. Run `docker run ....`
         2. Make API Request to with `curl ...`
         3. Request fails with response: `{"some": "error"}`
-      label: 'Reproducing the bug'
+      label: "Reproducing the bug"
     id: reproduce-bug
     type: textarea
     validations:
       required: true
   - attributes:
       description:
-        'Please copy and paste any relevant log output. This will be
+        "Please copy and paste any relevant log output. This will be
         automatically formatted into code, so no need for backticks. Please
-        redact any sensitive information'
-      label: 'Relevant log output'
+        redact any sensitive information"
+      label: "Relevant log output"
       render: shell
       placeholder: |
         log=error ....
     id: logs
     type: textarea
   - attributes:
       description:
-        'Please copy and paste any relevant configuration. This will be
+        "Please copy and paste any relevant configuration. This will be
         automatically formatted into code, so no need for backticks. Please
-        redact any sensitive information!'
-      label: 'Relevant configuration'
+        redact any sensitive information!"
+      label: "Relevant configuration"
       render: yml
       placeholder: |
         server:
@@ -77,14 +77,14 @@ body:
     id: config
     type: textarea
   - attributes:
-      description: 'What version of our software are you running?'
+      description: "What version of our software are you running?"
       label: Version
     id: version
     type: input
     validations:
       required: true
   - attributes:
-      label: 'On which operating system are you observing this issue?'
+      label: "On which operating system are you observing this issue?"
       options:
         - Ory Cloud
         - macOS
@@ -95,19 +95,19 @@ body:
     id: operating-system
     type: dropdown
   - attributes:
-      label: 'In which environment are you deploying?'
+      label: "In which environment are you deploying?"
       options:
         - Ory Cloud
         - Docker
-        - 'Docker Compose'
-        - 'Kubernetes with Helm'
+        - "Docker Compose"
+        - "Kubernetes with Helm"
         - Kubernetes
         - Binary
         - Other
     id: deployment
     type: dropdown
   - attributes:
-      description: 'Add any other context about the problem here.'
+      description: "Add any other context about the problem here."
       label: Additional Context
     id: additional
     type: textarea
diff --git a/.github/ISSUE_TEMPLATE/DESIGN-DOC.yml b/.github/ISSUE_TEMPLATE/DESIGN-DOC.yml
@@ -1,8 +1,8 @@
 description:
-  'A design document is needed for non-trivial changes to the code base.'
+  "A design document is needed for non-trivial changes to the code base."
 labels:
   - rfc
-name: 'Design Document'
+name: "Design Document"
 body:
   - attributes:
       value: |
@@ -18,11 +18,11 @@ body:
         after code reviews, and your pull requests will be merged faster.
     type: markdown
   - attributes:
-      label: 'Preflight checklist'
+      label: "Preflight checklist"
       options:
         - label:
-            'I could not find a solution in the existing issues, docs, nor
-            discussions.'
+            "I could not find a solution in the existing issues, docs, nor
+            discussions."
           required: true
         - label:
             "I agree to follow this project's [Code of
@@ -33,18 +33,18 @@ body:
             Guidelines](https://github.com/ory/oathkeeper/blob/master/CONTRIBUTING.md)."
           required: true
         - label:
-            'This issue affects my [Ory Cloud](https://www.ory.sh/) project.'
+            "This issue affects my [Ory Cloud](https://www.ory.sh/) project."
         - label:
-            'I have joined the [Ory Community Slack](https://slack.ory.sh).'
+            "I have joined the [Ory Community Slack](https://slack.ory.sh)."
         - label:
-            'I am signed up to the [Ory Security Patch
-            Newsletter](https://ory.us10.list-manage.com/subscribe?u=ffb1a878e4ec6c0ed312a3480&id=f605a41b53).'
+            "I am signed up to the [Ory Security Patch
+            Newsletter](https://ory.us10.list-manage.com/subscribe?u=ffb1a878e4ec6c0ed312a3480&id=f605a41b53)."
     id: checklist
     type: checkboxes
   - attributes:
       description: |
         This section gives the reader a very rough overview of the landscape in which the new system is being built and what is actually being built. This isn’t a requirements doc. Keep it succinct! The goal is that readers are brought up to speed but some previous knowledge can be assumed and detailed info can be linked to. This section should be entirely focused on objective background facts.
-      label: 'Context and scope'
+      label: "Context and scope"
     id: scope
     type: textarea
     validations:
@@ -53,7 +53,7 @@ body:
   - attributes:
       description: |
         A short list of bullet points of what the goals of the system are, and, sometimes more importantly, what non-goals are. Note, that non-goals aren’t negated goals like “The system shouldn’t crash”, but rather things that could reasonably be goals, but are explicitly chosen not to be goals. A good example would be “ACID compliance”; when designing a database, you’d certainly want to know whether that is a goal or non-goal. And if it is a non-goal you might still select a solution that provides it, if it doesn’t introduce trade-offs that prevent achieving the goals.
-      label: 'Goals and non-goals'
+      label: "Goals and non-goals"
     id: goals
     type: textarea
     validations:
@@ -65,7 +65,7 @@ body:
         The design doc is the place to write down the trade-offs you made in designing your software. Focus on those trade-offs to produce a useful document with long-term value. That is, given the context (facts), goals and non-goals (requirements), the design doc is the place to suggest solutions and show why a particular solution best satisfies those goals.
 
         The point of writing a document over a more formal medium is to provide the flexibility to express the problem set at hand in an appropriate manner. Because of this, there is no explicit guidance for how to actually describe the design.
-      label: 'The design'
+      label: "The design"
     id: design
     type: textarea
     validations:
@@ -74,21 +74,21 @@ body:
   - attributes:
       description: |
         If the system under design exposes an API, then sketching out that API is usually a good idea. In most cases, however, one should withstand the temptation to copy-paste formal interface or data definitions into the doc as these are often verbose, contain unnecessary detail and quickly get out of date. Instead focus on the parts that are relevant to the design and its trade-offs.
-      label: 'APIs'
+      label: "APIs"
     id: apis
     type: textarea
 
   - attributes:
       description: |
         Systems that store data should likely discuss how and in what rough form this happens. Similar to the advice on APIs, and for the same reasons, copy-pasting complete schema definitions should be avoided. Instead focus on the parts that are relevant to the design and its trade-offs.
-      label: 'Data storage'
+      label: "Data storage"
     id: persistence
     type: textarea
 
   - attributes:
       description: |
         Design docs should rarely contain code, or pseudo-code except in situations where novel algorithms are described. As appropriate, link to prototypes that show the implementability of the design.
-      label: 'Code and pseudo-code'
+      label: "Code and pseudo-code"
     id: pseudocode
     type: textarea
 
@@ -101,7 +101,7 @@ body:
         On the other end are systems where the possible solutions are very well defined, but it isn’t at all obvious how they could even be combined to achieve the goals. This may be a legacy system that is difficult to change and wasn’t designed to do what you want it to do or a library design that needs to operate within the constraints of the host programming language.
 
         In this situation you may be able to enumerate all the things you can do relatively easily, but you need to creatively put those things together to achieve the goals. There may be multiple solutions, and none of them are really great, and hence such a document should focus on selecting the best way given all identified trade-offs.
-      label: 'Degree of constraint'
+      label: "Degree of constraint"
     id: constrait
     type: textarea
 

diff --git a/.github/ISSUE_TEMPLATE/FEATURE-REQUEST.yml b/.github/ISSUE_TEMPLATE/FEATURE-REQUEST.yml
@@ -1,8 +1,8 @@
 description:
-  'Suggest an idea for this project without a plan for implementation'
+  "Suggest an idea for this project without a plan for implementation"
 labels:
   - feat
-name: 'Feature Request'
+name: "Feature Request"
 body:
   - attributes:
       value: |
@@ -11,11 +11,11 @@ body:
         If you already have a plan to implement a feature or a change, please create a [design document](https://github.com/aeneasr/gh-template-test/issues/new?assignees=&labels=rfc&template=DESIGN-DOC.yml) instead if the change is non-trivial!
     type: markdown
   - attributes:
-      label: 'Preflight checklist'
+      label: "Preflight checklist"
       options:
         - label:
-            'I could not find a solution in the existing issues, docs, nor
-            discussions.'
+            "I could not find a solution in the existing issues, docs, nor
+            discussions."
           required: true
         - label:
             "I agree to follow this project's [Code of
@@ -26,18 +26,18 @@ body:
             Guidelines](https://github.com/ory/oathkeeper/blob/master/CONTRIBUTING.md)."
           required: true
         - label:
-            'This issue affects my [Ory Cloud](https://www.ory.sh/) project.'
+            "This issue affects my [Ory Cloud](https://www.ory.sh/) project."
         - label:
-            'I have joined the [Ory Community Slack](https://slack.ory.sh).'
+            "I have joined the [Ory Community Slack](https://slack.ory.sh)."
         - label:
-            'I am signed up to the [Ory Security Patch
-            Newsletter](https://ory.us10.list-manage.com/subscribe?u=ffb1a878e4ec6c0ed312a3480&id=f605a41b53).'
+            "I am signed up to the [Ory Security Patch
+            Newsletter](https://ory.us10.list-manage.com/subscribe?u=ffb1a878e4ec6c0ed312a3480&id=f605a41b53)."
     id: checklist
     type: checkboxes
   - attributes:
       description:
-        'Is your feature request related to a problem? Please describe.'
-      label: 'Describe your problem'
+        "Is your feature request related to a problem? Please describe."
+      label: "Describe your problem"
       placeholder:
         "A clear and concise description of what the problem is. Ex. I'm always
         frustrated when [...]"
@@ -50,28 +50,28 @@ body:
         Describe the solution you'd like
       placeholder: |
         A clear and concise description of what you want to happen.
-      label: 'Describe your ideal solution'
+      label: "Describe your ideal solution"
     id: solution
     type: textarea
     validations:
       required: true
   - attributes:
       description: "Describe alternatives you've considered"
-      label: 'Workarounds or alternatives'
+      label: "Workarounds or alternatives"
     id: alternatives
     type: textarea
     validations:
       required: true
   - attributes:
-      description: 'What version of our software are you running?'
+      description: "What version of our software are you running?"
       label: Version
     id: version
     type: input
     validations:
       required: true
   - attributes:
       description:
-        'Add any other context or screenshots about the feature request here.'
+        "Add any other context or screenshots about the feature request here."
       label: Additional Context
     id: additional
     type: textarea
diff --git a/.github/config.yml b/.github/config.yml
@@ -1,3 +1,3 @@
 todo:
-  keyword: '@todo'
+  keyword: "@todo"
   label: todo
diff --git a/.github/pull_request_template.md b/.github/pull_request_template.md
@@ -38,13 +38,18 @@ If you're unsure about any of them, don't hesitate to ask. We're here to help!
 -->
 
 - [ ] I have read the [contributing guidelines](../blob/master/CONTRIBUTING.md).
-- [ ] I have referenced an issue containing the design document if my change introduces a new feature.
-- [ ] I am following the [contributing code guidelines](../blob/master/CONTRIBUTING.md#contributing-code).
+- [ ] I have referenced an issue containing the design document if my change
+      introduces a new feature.
+- [ ] I am following the
+      [contributing code guidelines](../blob/master/CONTRIBUTING.md#contributing-code).
 - [ ] I have read the [security policy](../security/policy).
-- [ ] I confirm that this pull request does not address a security vulnerability. If this pull request addresses a security.
-      vulnerability, I confirm that I got green light (please contact [[email protected]](mailto:[email protected])) from the
-      maintainers to push the changes.
-- [ ] I have added tests that prove my fix is effective or that my feature works.
+- [ ] I confirm that this pull request does not address a security
+      vulnerability. If this pull request addresses a security. vulnerability, I
+      confirm that I got green light (please contact
+      [[email protected]](mailto:[email protected])) from the maintainers to push
+      the changes.
+- [ ] I have added tests that prove my fix is effective or that my feature
+      works.
 - [ ] I have added or changed [the documentation](https://github.com/ory/docs).
 
 ## Further Comments