How to get OAuth2 authenticated email from within private service?

In Chris Castle’s excellent description of standing up an OAuth2 reverse proxy in front of a private service, he writes the following:

How can the private service receive the username? I thought it might be accessible as an OS environmental variable, but there is no such variable visible within the private service.

Following the Oauth2-proxy server documentation, I thought it might be passed as the HTTP header X-Forwarded-User, but how to access that header from an upstream private service? (My private service is written in Python, suggesting use of the requests package, but that package seems to only support grabbing headers of HTTP requests made from within the service.)

Hi David,

It feels like you’d need to enable it via one of these properties:

--pass-access-token (bool, default false): pass OAuth access_token to upstream via X-Forwarded-Access-Token header. When used with --set-xauthrequest this adds the X-Auth-Request-Access-Token header to the response

--pass-authorization-header (bool, default false): pass OIDC IDToken to upstream via Authorization Bearer header

--pass-basic-auth (bool, default true): pass HTTP Basic Auth, X-Forwarded-User, X-Forwarded-Email and X-Forwarded-Preferred-Username information to upstream

--prefer-email-to-user (bool, default false): Prefer to use the Email address as the Username when passing information to upstream. Will only use Username if Email is unavailable, e.g. htaccess authentication. Used in conjunction with --pass-basic-auth and --pass-user-headers

--pass-host-header (bool, default true): pass the request Host Header to upstream

--pass-user-headers (bool, default true): pass X-Forwarded-User, X-Forwarded-Groups, X-Forwarded-Email and X-Forwarded-Preferred-Username information to upstream

Your private service would have to inspect the request headers like - the requests package as you rightly say is for making requests FROM your service to other services and not relevant here.

John B

You pointed me in the right direction. Thank you.

The full story, for anyone who is figuring this out later. The header X-Forwarded-Email does indeed carry the user’s email. It is accessible via flask.request.headers, since my Dash application uses Flask.
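
An added example, not code from this thread or from oauth2-proxy: a small WSGI middleware that can wrap a Flask or Dash server so that X-Forwarded-Email is accepted only when the request arrives from the proxy, since any client that can reach the service directly can set that header itself. The proxy address 10.0.0.5, the environ key `auth.email` and all function names are assumptions made for the illustration.

```python
import re
from wsgiref.util import setup_testing_defaults

# Loose shape check only; the proxy has already authenticated the user.
EMAIL_RE = re.compile(r"[^@\s,]+@[^@\s,]+\.[^@\s,]+")

def authenticated_email(environ, trusted_proxies):
    """Return the proxy-supplied email, or None if it cannot be trusted."""
    if environ.get("REMOTE_ADDR") not in trusted_proxies:
        return None  # request did not come through the OAuth2 proxy
    # WSGI exposes the X-Forwarded-Email header under this key.
    value = environ.get("HTTP_X_FORWARDED_EMAIL", "").strip()
    return value if EMAIL_RE.fullmatch(value) else None

class ProxyIdentity:
    """Reject requests that lack a trustworthy X-Forwarded-Email."""

    def __init__(self, app, trusted_proxies):
        self.app = app
        self.trusted = frozenset(trusted_proxies)  # assumed proxy addresses

    def __call__(self, environ, start_response):
        email = authenticated_email(environ, self.trusted)
        if email is None:
            start_response("401 Unauthorized", [("Content-Type", "text/plain")])
            return [b"missing or untrusted identity header\n"]
        environ["auth.email"] = email  # hypothetical key read by handlers
        return self.app(environ, start_response)

def whoami(environ, start_response):
    """Stand-in for the private service; echoes the verified email."""
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [environ["auth.email"].encode()]

def make_request(remote_addr, headers):
    """Build a constructed WSGI environ for offline checks."""
    environ = {}
    setup_testing_defaults(environ)
    environ["REMOTE_ADDR"] = remote_addr
    environ.update(headers)
    return environ

# With Dash, wrap the underlying Flask server (address is an assumption):
#   app.server.wsgi_app = ProxyIdentity(app.server.wsgi_app, {"10.0.0.5"})
# Handlers can then read flask.request.environ["auth.email"].
```
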