Access token forwarding through nginx auth request

[davidholsgrove]

Description

This enables expected behavior when using:

set_xauthrequest = true
pass_access_token = true

If both of these are set, the access token will be included in an X-Auth-Request-Access-Token header, following the X-Auth-Request-* pattern used for User and Email.

The access token allows for further validation by upstream services.

Motivation and Context

Re-targeting of @patrickfuller's PR from original bitly/oauth2_proxy which wasn't merged before fork to pusher/oauth2_proxy.
Original review and discussion available on the PR and issue:
bitly/oauth2_proxy#424
bitly/oauth2_proxy#420

How Has This Been Tested?

Kubernetes helm charts for oauth2_proxy and keycloak

nginx-ingress annotations;

annotations:
            kubernetes.io/ingress.class: nginx
            nginx.ingress.kubernetes.io/auth-response-headers: X-Auth-Request-Access-Token, Authorization
            nginx.ingress.kubernetes.io/auth-url: "https://$host/oauth2/auth"
            nginx.ingress.kubernetes.io/auth-signin: "https://$host/oauth2/start?rd=$request_uri"
            nginx.ingress.kubernetes.io/configuration-snippet: |
                auth_request_set $name_upstream_1 $upstream_cookie_name_1;
                access_by_lua_block {
                    if ngx.var.name_upstream_1 ~= "" then
                    ngx.header["Set-Cookie"] = "name_1=" .. ngx.var.name_upstream_1 .. ngx.var.auth_cookie:match("(; .*)")
                    end
                }

Confirmed X-Auth-Request-Access-Token received by backend, and successfully decoded the JWT access token.

Checklist:

• My change requires a change to the documentation or CHANGELOG.
• I have updated the documentation/CHANGELOG accordingly.
• I have created a feature (non-master) branch for my PR.

[JoelSpeed]

I've seen the original PR before, it inspired the -set-authorization stuff I worked on! One minor nit and then LGTM

[davidholsgrove]

@JoelSpeed yeah no worries - I kept @patrickfuller's commits unmodified, but happy for the readme example to be updated 👍

[JoelSpeed]

Looking good, please add a note to the Changelog and then we can get this merged

[davidholsgrove]

Done - thanks :)

[davidholsgrove]

Anything else you need from me @JoelSpeed?
Out of interest, do you have a ballpark when you might be cutting a new release? Would be great to switch to vanilla helm chart use of your image instead of my forked image.

[JoelSpeed]

Apologies for not getting back to you on this! One minor thing to do with the change note not being in the right section then we can go

As for the release, probably 2-3 weeks time, there's a few things nearly ready to merge and something I've got planned to get done by around mid march that would be good to get released asap