Hi David,
It feels like you’d need to enable it via one of these properties:
--pass-access-token bool pass OAuth access_token to upstream via X-Forwarded-Access-Token header. When used with --set-xauthrequest this adds the X-Auth-Request-Access-Token header to the response false
--pass-authorization-header bool pass OIDC IDToken to upstream via Authorization Bearer header false
--pass-basic-auth bool pass HTTP Basic Auth, X-Forwarded-User, X-Forwarded-Email and X-Forwarded-Preferred-Username information to upstream true
--prefer-email-to-user bool Prefer to use the Email address as the Username when passing information to upstream. Will only use Username if Email is unavailable, e.g. htaccess authentication. Used in conjunction with --pass-basic-auth and --pass-user-headers false
--pass-host-header bool pass the request Host Header to upstream true
--pass-user-headers bool pass X-Forwarded-User, X-Forwarded-Groups, X-Forwarded-Email and X-Forwarded-Preferred-Username information to upstream true
Your private service would have to inspect the request headers like https://www.geeksforgeeks.org/response-headers-python-requests/ - the requests package as you rightly say is for making requests FROM your service to other services and not relevant here.
John B