fix(security, http): expose authentication headers in the authenticat…

…ion result when HTTP authentication is used
elastic · Aug 21, 2024 · 221aad8 · 221aad8
1 parent e3d6cf6
commit 221aad8
Show file tree

Hide file tree

Showing 2 changed files with 21 additions and 17 deletions.
diff --git a/x-pack/plugins/security/server/authentication/providers/http.test.ts b/x-pack/plugins/security/server/authentication/providers/http.test.ts
@@ -133,10 +133,10 @@ describe('HTTPAuthenticationProvider', () => {
         });
 
         await expect(provider.authenticate(request)).resolves.toEqual(
-          AuthenticationResult.succeeded({
-            ...user,
-            authentication_provider: { type: 'http', name: 'http' },
-          })
+          AuthenticationResult.succeeded(
+            { ...user, authentication_provider: { type: 'http', name: 'http' } },
+            { authHeaders: { authorization: header } }
+          )
         );
 
         expectAuthenticateCall(mockOptions.client, { headers: { authorization: header } });
@@ -160,10 +160,10 @@ describe('HTTPAuthenticationProvider', () => {
       });
 
       await expect(provider.authenticate(request)).resolves.toEqual(
-        AuthenticationResult.succeeded({
-          ...user,
-          authentication_provider: { type: 'http', name: 'http' },
-        })
+        AuthenticationResult.succeeded(
+          { ...user, authentication_provider: { type: 'http', name: 'http' } },
+          { authHeaders: { authorization: header } }
+        )
       );
 
       expectAuthenticateCall(mockOptions.client, { headers: { authorization: header } });
@@ -187,10 +187,10 @@ describe('HTTPAuthenticationProvider', () => {
       });
 
       await expect(provider.authenticate(request)).resolves.toEqual(
-        AuthenticationResult.succeeded({
-          ...user,
-          authentication_provider: { type: 'http', name: 'http' },
-        })
+        AuthenticationResult.succeeded(
+          { ...user, authentication_provider: { type: 'http', name: 'http' } },
+          { authHeaders: { authorization: header } }
+        )
       );
 
       expectAuthenticateCall(mockOptions.client, { headers: { authorization: header } });
@@ -217,10 +217,10 @@ describe('HTTPAuthenticationProvider', () => {
       });
 
       await expect(provider.authenticate(request)).resolves.toEqual(
-        AuthenticationResult.succeeded({
-          ...user,
-          authentication_provider: { type: 'http', name: 'http' },
-        })
+        AuthenticationResult.succeeded(
+          { ...user, authentication_provider: { type: 'http', name: 'http' } },
+          { authHeaders: { authorization: header } }
+        )
       );
 
       expectAuthenticateCall(mockOptions.client, { headers: { authorization: header } });

diff --git a/x-pack/plugins/security/server/authentication/providers/http.ts b/x-pack/plugins/security/server/authentication/providers/http.ts
@@ -113,7 +113,11 @@ export class HTTPAuthenticationProvider extends BaseAuthenticationProvider {
         return AuthenticationResult.notHandled();
       }
 
-      return AuthenticationResult.succeeded(user);
+      return AuthenticationResult.succeeded(user, {
+        // Even though the `Authorization` header is already present in the HTTP headers of the original request,
+        // we still need to expose it to the Core authentication service for consistency.
+        authHeaders: { authorization: authorizationHeader.toString() },
+      });
     } catch (err) {
       this.logger.debug(
         () =>