Is authResponseHeaders stripping headers or keeping them?

What an oddball question. Documentation (Traefik ForwardAuth Documentation - Traefik) says "is the list of headers to copy from the authentication server response and set on forwarded request"

I now have the scenario that Traefik seems to be stripping the Authorization header when I add it to the authResponseHeaders.

Following setup:

  1. I run a traefik/whoami docker container
  2. I have forwardAuth configured with a specific middleware that doesn't strip headers from requests
  3. I send a request using Postman with the header "ABCD"
  4. I see my ABCD header as a reply in the whoami container
  5. I send a request using Postman with the "Authorization" header
  6. There is no Authorization header in the reply

The relevant traefik configuration where I cannot see the Authorization header:

    # dynamic configuration (file provider); the middleware block as posted,
    # wrapped in the http/middlewares keys it needs to load
    http:
      middlewares:
        middleware-authelia:
          forwardAuth:
            address: http://authelia:9091/api/authz/forward-auth
            trustForwardHeader: true
            authResponseHeaders:
              - "Authorization"

When I remove "Authorization" from the authResponseHeaders I see the header in the reply; the header is not stripped. When I add the header to authResponseHeaders, it is stripped.

Authorization may be too specific a header, but I can repro with any header: add X-Gobblydidock to authResponseHeaders and it is stripped from the response; remove it and I see the header.

Am I misunderstanding the documentation? Does authResponseHeaders actually strip the headers?

I assume you send the header from the client. authResponseHeaders is copying the header from the ForwardAuth response to the request to the target service. I would think for security reasons, the header from the original request is discarded.

Yes, from the client (i.e. Postman). Authorization may be a special case, I grant you that - but it happens for any header I specify for authResponseHeaders.

I send X-Superheader, it gets routed to forwardAuth, and I see it in the actual service/endpoint (e.g. traefik/whoami). I add X-Superheader to authResponseHeaders and I do not see it at the service/endpoint level.

And again: my middleware (Authelia) does not strip headers. I can repro when adding/removing headers in the middleware configuration in Traefik, hence my confusion.

The authResponseHeaders option is the list of headers to copy from the authentication server response and set on forwarded request, replacing any existing conflicting headers.

I would interpret that as existing headers on original request are overwritten (or removed when empty). And that’s what you are seeing, right?
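To make that reading of the documentation concrete, here is a small Go model of the header handling it describes, written for this thread as an added illustration; it is not Traefik's own implementation, and the function names (applyAuthResponseHeaders, render) and the sample headers are constructed for the example. For every header named in authResponseHeaders the client's value is discarded and whatever the auth server returned for that name is set instead, so a listed header that the auth server does not send back (the X-Superheader case above) disappears, while a listed header the auth server does set (Remote-User) ends up with the auth server's value even if the client tried to supply its own.

```go
package main

import (
	"fmt"
	"net/http"
	"sort"
	"strings"
)

// applyAuthResponseHeaders models the rule quoted from the ForwardAuth docs:
// each header named in authResponseHeaders is copied from the auth server's
// response onto the forwarded request, replacing any conflicting header the
// client sent. A listed header that the auth server did not return is simply
// dropped; headers not in the list pass through untouched.
// Hypothetical re-implementation for illustration only, not Traefik's code.
func applyAuthResponseHeaders(clientReq, authResp http.Header, authResponseHeaders []string) http.Header {
	forwarded := clientReq.Clone()
	for _, name := range authResponseHeaders {
		// http.Header methods canonicalise names, so "x-superheader" and
		// "X-Superheader" refer to the same entry.
		forwarded.Del(name)
		for _, v := range authResp.Values(name) {
			forwarded.Add(name, v)
		}
	}
	return forwarded
}

// render prints a header set in a stable order so scenarios are easy to compare.
func render(h http.Header) string {
	keys := make([]string, 0, len(h))
	for k := range h {
		keys = append(keys, k)
	}
	sort.Strings(keys)
	parts := make([]string, 0, len(keys))
	for _, k := range keys {
		parts = append(parts, k+"="+strings.Join(h.Values(k), ","))
	}
	if len(parts) == 0 {
		return "(none)"
	}
	return strings.Join(parts, " ")
}

func main() {
	// Constructed sample: the client sends its own header and also tries to
	// supply an identity header that only the auth server should set.
	client := http.Header{}
	client.Set("X-Superheader", "foobar")
	client.Set("Remote-User", "mallory")

	// Constructed auth server response: it asserts the identity it verified
	// but does not echo X-Superheader back.
	auth := http.Header{}
	auth.Set("Remote-User", "alice")

	fmt.Println("nothing listed:       ", render(applyAuthResponseHeaders(client, auth, nil)))
	fmt.Println("X-Superheader listed: ", render(applyAuthResponseHeaders(client, auth, []string{"X-Superheader"})))
	fmt.Println("both listed:          ", render(applyAuthResponseHeaders(client, auth, []string{"X-Superheader", "Remote-User"})))
}
```

The third case is the one that matters from a security standpoint: listing Remote-User in authResponseHeaders is exactly what prevents a client from smuggling its own Remote-User past the middleware, because the client-supplied value is thrown away before the auth server's value is applied. The same mechanism is what removes X-Superheader when the auth server does not echo it. Whether Traefik's real code matches this model to the letter (for example for multi-valued headers) should be checked against the Traefik source for the version in use.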

phew, not sure?

  1. I am sending X-Superheader: foobar from my client
  2. Traefik to the forwardAuth middleware
  3. The middleware (different product) does not touch the headers
  4. ? Does the middleware return the request? Does traefik? I really don't know

All I can say is that Traefik strips the header from the response when it is added to authResponseHeaders. When the middleware adds these headers itself (e.g. Remote-User), the headers are not stripped. So the case may be that only headers that originate from the client and are then forwarded by the middleware are stripped if within authResponseHeaders.