From b138872beaaa7f47d43a1c0fef11a67f57e61eff Mon Sep 17 00:00:00 2001
From: Patrick Fuller
Date: Sun, 16 Jul 2017 16:07:59 -0500
Subject: [PATCH 1/2] Access token forwarding through nginx auth request

Related to #420.
---
 README.md | 2 ++
 oauthproxy.go | 3 +++
 2 files changed, 5 insertions(+)

diff --git a/README.md b/README.md
index 85fd92011..5484267e5 100644
--- a/README.md
+++ b/README.md
@@ -370,8 +370,10 @@ server {
 # requires running with --set-xauthrequest flag
 auth_request_set $user $upstream_http_x_auth_request_user;
 auth_request_set $email $upstream_http_x_auth_request_email;
+ auth_request_set $token $upstream_http_x_auth_request_access_token; # Available with --pass-access-token flag
 proxy_set_header X-User $user;
 proxy_set_header X-Email $email;
+ proxy_set_header X-Token $token;
 # if you enabled --cookie-refresh, this is needed for it to work with auth_request
 auth_request_set $auth_cookie $upstream_http_set_cookie;
diff --git a/oauthproxy.go b/oauthproxy.go
index dd2b58e9e..19ed0e3f6 100644
--- a/oauthproxy.go
+++ b/oauthproxy.go
@@ -680,6 +680,9 @@ func (p *OAuthProxy) Authenticate(rw http.ResponseWriter, req *http.Request) int
 if session.Email != "" {
 rw.Header().Set("X-Auth-Request-Email", session.Email)
 }
+ if p.PassAccessToken && session.AccessToken != "" {
+ rw.Header().Set("X-Auth-Request-Access-Token", session.AccessToken)
+ }
 }
 if p.PassAccessToken && session.AccessToken != "" {
 req.Header["X-Forwarded-Access-Token"] = []string{session.AccessToken}
From 6fab314f7203f4d652bb34247abb4e7cb497c41d Mon Sep 17 00:00:00 2001
From: Patrick Fuller
Date: Sun, 16 Jul 2017 16:23:11 -0500
Subject: [PATCH 2/2] Improved documentation for auth request token
---
 README.md | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/README.md b/README.md
index 5484267e5..792f29dfc 100644
--- a/README.md
+++ b/README.md
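Review bot: In the oauthproxy.go hunk, the added `rw.Header().Set("X-Auth-Request-Access-Token", session.AccessToken)` writes a bearer credential into a response header, so it is readable by whatever receives this response, not only by nginx's `auth_request_set`. Authenticate's body starts and ends outside the hunk and its callers are not visible here; if it also runs on the ordinary proxy path, or if the auth endpoint is reachable by clients directly, the token would be returned to the client, which should be confirmed before merging. I would add a comment above the new `if`, such as `// Bearer credential: emitted as a response header for nginx auth_request only; the auth endpoint must not be served to clients directly`. Deployments that log upstream response headers would also record the token, which is worth a sentence in the README next to the `X-Token` example.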
@@ -370,9 +370,11 @@ server {
 # requires running with --set-xauthrequest flag
 auth_request_set $user $upstream_http_x_auth_request_user;
 auth_request_set $email $upstream_http_x_auth_request_email;
- auth_request_set $token $upstream_http_x_auth_request_access_token; # Available with --pass-access-token flag
 proxy_set_header X-User $user;
 proxy_set_header X-Email $email;
+
+ # if you enabled --pass-access-token, this will pass the token to the backend
+ auth_request_set $token $upstream_http_x_auth_request_access_token;
 proxy_set_header X-Token $token;
 # if you enabled --cookie-refresh, this is needed for it to work with auth_request