bitly · sto1t · Jul 12, 2016 · Jul 12, 2016 · Jul 12, 2016 · Jul 12, 2016
diff --git a/README.md b/README.md
@@ -187,6 +187,7 @@ Usage of oauth2_proxy:
   -login-url="": Authentication endpoint
   -pass-access-token=false: pass OAuth access_token to upstream via X-Forwarded-Access-Token header
   -pass-basic-auth=true: pass HTTP Basic Auth, X-Forwarded-User and X-Forwarded-Email information to upstream
+  -pass-user-id=false, pass user's identifier as X-Forwarded-UserId
   -pass-host-header=true: pass the request Host Header to upstream
   -profile-url="": Profile access endpoint
   -provider="google": OAuth provider

diff --git a/contrib/oauth2_proxy.cfg.example b/contrib/oauth2_proxy.cfg.example
@@ -23,6 +23,10 @@
 
 ## pass HTTP Basic Auth, X-Forwarded-User and X-Forwarded-Email information to upstream
 # pass_basic_auth = true
+
+## Pass user identifier as X-Forwarded-UserId
+# pass_user_id = false
+
 ## pass the request Host Header to upstream
 ## when disabled the upstream Host is used as the Host Header
 # pass_host_header = true 

diff --git a/main.go b/main.go
@@ -32,6 +32,7 @@ func main() {
 	flagSet.String("redirect-url", "", "the OAuth Redirect URL. ie: \"https://internalapp.yourcompany.com/oauth2/callback\"")
 	flagSet.Var(&upstreams, "upstream", "the http url(s) of the upstream endpoint or file:// paths for static files. Routing is based on the path")
 	flagSet.Bool("pass-basic-auth", true, "pass HTTP Basic Auth, X-Forwarded-User and X-Forwarded-Email information to upstream")
+	flagSet.Bool("pass-user-id", false, "pass user's identifier as X-Forwarded-UserId")
 	flagSet.String("basic-auth-password", "", "the password to set when passing the HTTP Basic Auth header")
 	flagSet.Bool("pass-access-token", false, "pass OAuth access_token to upstream via X-Forwarded-Access-Token header")
 	flagSet.Bool("pass-host-header", true, "pass the request Host Header to upstream")

diff --git a/oauthproxy.go b/oauthproxy.go
@@ -59,6 +59,7 @@ type OAuthProxy struct {
 	DisplayHtpasswdForm bool
 	serveMux            http.Handler
 	PassBasicAuth       bool
+	PassUserId          bool
 	SkipProviderButton  bool
 	BasicAuthPassword   string
 	PassAccessToken     bool
@@ -194,11 +195,12 @@ func NewOAuthProxy(opts *Options, validator func(string) bool) *OAuthProxy {
 		skipAuthRegex:      opts.SkipAuthRegex,
 		compiledRegex:      opts.CompiledRegex,
 		PassBasicAuth:      opts.PassBasicAuth,
+		PassUserId:         opts.PassUserId,
 		BasicAuthPassword:  opts.BasicAuthPassword,
 		PassAccessToken:    opts.PassAccessToken,
-		SkipProviderButton: opts.SkipProviderButton,
 		CookieCipher:       cipher,
 		templates:          loadTemplates(opts.CustomTemplatesDir),
+		SkipProviderButton: opts.SkipProviderButton,
 		Footer:             opts.Footer,
 	}
 }
@@ -238,6 +240,9 @@ func (p *OAuthProxy) redeemCode(host, code string) (s *providers.SessionState, e
 	if s.Email == "" {
 		s.Email, err = p.provider.GetEmailAddress(s)
 	}
+
+	s.UserId, err = p.provider.GetUserId(s)
+
 	return
 }
 
@@ -602,6 +607,12 @@ func (p *OAuthProxy) Authenticate(rw http.ResponseWriter, req *http.Request) int
 			req.Header["X-Forwarded-Email"] = []string{session.Email}
 		}
 	}
+
+	if p.PassUserId {
+		log.Printf("Passing UserId header %s", session.UserId)
+		req.Header["X-Forwarded-UserId"] = []string{session.UserId}
+	}
+
 	if p.PassAccessToken && session.AccessToken != "" {
 		req.Header["X-Forwarded-Access-Token"] = []string{session.AccessToken}
 	}

diff --git a/options.go b/options.go
@@ -49,6 +49,7 @@ type Options struct {
 	Upstreams          []string `flag:"upstream" cfg:"upstreams"`
 	SkipAuthRegex      []string `flag:"skip-auth-regex" cfg:"skip_auth_regex"`
 	PassBasicAuth      bool     `flag:"pass-basic-auth" cfg:"pass_basic_auth"`
+	PassUserId         bool     `flag:"pass-user-id" cfg:"pass_user_id"`
 	BasicAuthPassword  string   `flag:"basic-auth-password" cfg:"basic_auth_password"`
 	PassAccessToken    bool     `flag:"pass-access-token" cfg:"pass_access_token"`
 	PassHostHeader     bool     `flag:"pass-host-header" cfg:"pass_host_header"`

diff --git a/providers/github.go b/providers/github.go
@@ -7,6 +7,7 @@ import (
 	"log"
 	"net/http"
 	"net/url"
+	"strconv"
 	"path"
 	"strings"
 )
@@ -234,3 +235,45 @@ func (p *GitHubProvider) GetEmailAddress(s *SessionState) (string, error) {
 
 	return "", nil
 }
+
+func (p *GitHubProvider) GetUserId(s *SessionState) (string, error) {
+
+	var userData struct {
+		UserId int `json:"id"`
+	}
+
+	params := url.Values{
+		"access_token": {s.AccessToken},
+	}
+
+	endpoint := &url.URL{
+		Scheme:   p.ValidateURL.Scheme,
+		Host:     p.ValidateURL.Host,
+		Path:     path.Join(p.ValidateURL.Path, "/user"),
+		RawQuery: params.Encode(),
+	}
+	resp, err := http.DefaultClient.Get(endpoint.String())
+
+	if err != nil {
+		return "", err
+	}
+	body, err := ioutil.ReadAll(resp.Body)
+
+	if resp.StatusCode != 200 {
+		return "", fmt.Errorf("got %d from %q %s", resp.StatusCode, endpoint, body)
+	} else {
+		log.Printf("got %d from %q %s", resp.StatusCode, endpoint, body)
+	}
+
+	if err := json.Unmarshal(body, &userData); err != nil {
+		return "", fmt.Errorf("%s unmarshaling %s", err, body)
+	}
+
+	var id = strconv.Itoa(userData.UserId)
+
+	log.Printf("User ID is", id)
+
+	return id, nil
+
+}
+
diff --git a/providers/provider_default.go b/providers/provider_default.go
@@ -123,3 +123,7 @@ func (p *ProviderData) ValidateSessionState(s *SessionState) bool {
 func (p *ProviderData) RefreshSessionIfNeeded(s *SessionState) (bool, error) {
 	return false, nil
 }
+
+func (p *ProviderData) GetUserId(s *SessionState) (string, error) {
+	return "", nil
+}
diff --git a/providers/providers.go b/providers/providers.go
@@ -7,6 +7,7 @@ import (
 type Provider interface {
 	Data() *ProviderData
 	GetEmailAddress(*SessionState) (string, error)
+	GetUserId(*SessionState) (string, error)
 	Redeem(string, string) (*SessionState, error)
 	ValidateGroup(string) bool
 	ValidateSessionState(*SessionState) bool

diff --git a/providers/session_state.go b/providers/session_state.go
@@ -5,7 +5,6 @@ import (
 	"strconv"
 	"strings"
 	"time"
-
 	"github.com/bitly/oauth2_proxy/cookie"
 )
 
@@ -15,6 +14,7 @@ type SessionState struct {
 	RefreshToken string
 	Email        string
 	User         string
+	UserId	     string
 }
 
 func (s *SessionState) IsExpired() bool {
@@ -72,7 +72,16 @@ func (s *SessionState) EncryptedString(c *cookie.Cipher) (string, error) {
 			return "", err
 		}
 	}
-	return fmt.Sprintf("%s|%s|%d|%s", s.userOrEmail(), a, s.ExpiresOn.Unix(), r), nil
+
+	u := s.UserId
+	if u != "" {
+		u, err = c.Encrypt(u)
+		if err != nil {
+			return "", err
+		}
+	}
+
+	return fmt.Sprintf("%s|%s|%d|%s|%s", s.userOrEmail(), a, s.ExpiresOn.Unix(), r, u), nil
 }
 
 func DecodeSessionState(v string, c *cookie.Cipher) (s *SessionState, err error) {
@@ -85,8 +94,8 @@ func DecodeSessionState(v string, c *cookie.Cipher) (s *SessionState, err error)
 		return &SessionState{User: v}, nil
 	}
 
-	if len(chunks) != 4 {
-		err = fmt.Errorf("invalid number of fields (got %d expected 4)", len(chunks))
+	if len(chunks) != 5 {
+		err = fmt.Errorf("invalid number of fields (got %d expected 5)", len(chunks))
 		return
 	}
 
@@ -103,6 +112,14 @@ func DecodeSessionState(v string, c *cookie.Cipher) (s *SessionState, err error)
 			return nil, err
 		}
 	}
+
+	if c!=nil && chunks[4] != "" {
+		s.UserId, err = c.Decrypt(chunks[4])
+		if err !=nil {
+			return nil, err
+		}
+	}
+
 	if u := chunks[0]; strings.Contains(u, "@") {
 		s.Email = u
 		s.User = strings.Split(u, "@")[0]

diff --git a/providers/session_state_test.go b/providers/session_state_test.go
@@ -22,10 +22,12 @@ func TestSessionStateSerialization(t *testing.T) {
 		AccessToken:  "token1234",
 		ExpiresOn:    time.Now().Add(time.Duration(1) * time.Hour),
 		RefreshToken: "refresh4321",
+		UserId: "1",
+
 	}
 	encoded, err := s.EncodeSessionState(c)
 	assert.Equal(t, nil, err)
-	assert.Equal(t, 3, strings.Count(encoded, "|"))
+	assert.Equal(t, 4, strings.Count(encoded, "|"))
 
 	ss, err := DecodeSessionState(encoded, c)
 	t.Logf("%#v", ss)