Use comma separated multiple values for header (#799)

* Use comma separated value for multiple claims

* Fix lint error

* Fix more tests

* Fix one more test

* Always flatten the headers

* Ensure we test the real multi-groups

* Only update map when necessary

* Update CHANGELOG

* Move to the right location of change log

* Fix blank line

CHANGELOG.md

@@ -67,6 +67,7 @@
 
 ## Changes since v6.1.1
 
+- [#799](https://github.com/oauth2-proxy/oauth2-proxy/pull/799) Use comma separated multiple values for header (@lilida)
 - [#903](https://github.com/oauth2-proxy/oauth2-proxy/pull/903) Add docs and generated reference for Alpha configuration (@JoelSpeed)
 - [#995](https://github.com/oauth2-proxy/oauth2-proxy/pull/995) Add Security Policy (@JoelSpeed)
 - [#964](https://github.com/oauth2-proxy/oauth2-proxy/pull/964) Require `--reverse-proxy` true to trust `X-Forwareded-*` type headers (@NickMeves)

oauthproxy_test.go

@@ -612,7 +612,7 @@ func TestPassGroupsHeadersWithGroups(t *testing.T) {
 	rw = httptest.NewRecorder()
 	proxy.ServeHTTP(rw, req)
 
-	assert.Equal(t, groups, req.Header["X-Forwarded-Groups"])
+	assert.Equal(t, []string{"a,b"}, req.Header["X-Forwarded-Groups"])
 }
 
 type PassAccessTokenTest struct {

pkg/middleware/headers.go

@@ -3,6 +3,7 @@ package middleware
 import (
 	"fmt"
 	"net/http"
+	"strings"
 
 	"github.com/justinas/alice"
 	middlewareapi "github.com/oauth2-proxy/oauth2-proxy/v7/pkg/apis/middleware"
@@ -40,6 +41,14 @@ func newStripHeaders(headers []options.Header) alice.Constructor {
 	}
 }
 
+func flattenHeaders(headers http.Header) {
+	for name, values := range headers {
+		if len(values) > 1 {
+			headers.Set(name, strings.Join(values, ","))
+		}
+	}
+}
+
 func stripHeaders(headers []string, next http.Handler) http.Handler {
 	return http.HandlerFunc(func(rw http.ResponseWriter, req *http.Request) {
 		for _, header := range headers {
@@ -67,6 +76,7 @@ func injectRequestHeaders(injector header.Injector, next http.Handler) http.Hand
 		// If scope is nil, this will panic.
 		// A scope should always be injected before this handler is called.
 		injector.Inject(req.Header, scope.Session)
+		flattenHeaders(req.Header)
 		next.ServeHTTP(rw, req)
 	})
 }
@@ -98,6 +108,7 @@ func injectResponseHeaders(injector header.Injector, next http.Handler) http.Han
 		// If scope is nil, this will panic.
 		// A scope should always be injected before this handler is called.
 		injector.Inject(rw.Header(), scope.Session)
+		flattenHeaders(req.Header)
 		next.ServeHTTP(rw, req)
 	})
 }

pkg/middleware/headers_test.go

@@ -55,11 +55,11 @@ var _ = Describe("Headers Suite", func() {
 		Entry("with no configured headers", headersTableInput{
 			headers: []options.Header{},
 			initialHeaders: http.Header{
-				"foo": []string{"bar", "baz"},
+				"Foo": []string{"bar", "baz"},
 			},
 			session: &sessionsapi.SessionState{},
 			expectedHeaders: http.Header{
-				"foo": []string{"bar", "baz"},
+				"Foo": []string{"bar,baz"},
 			},
 			expectedErr: "",
 		}),
@@ -77,13 +77,13 @@ var _ = Describe("Headers Suite", func() {
 				},
 			},
 			initialHeaders: http.Header{
-				"foo": []string{"bar", "baz"},
+				"Foo": []string{"bar", "baz"},
 			},
 			session: &sessionsapi.SessionState{
 				IDToken: "IDToken-1234",
 			},
 			expectedHeaders: http.Header{
-				"foo":   []string{"bar", "baz"},
+				"Foo":   []string{"bar,baz"},
 				"Claim": []string{"IDToken-1234"},
 			},
 			expectedErr: "",
@@ -133,7 +133,7 @@ var _ = Describe("Headers Suite", func() {
 				IDToken: "IDToken-1234",
 			},
 			expectedHeaders: http.Header{
-				"Claim": []string{"bar", "baz", "IDToken-1234"},
+				"Claim": []string{"bar,baz,IDToken-1234"},
 			},
 			expectedErr: "",
 		}),
@@ -176,7 +176,7 @@ var _ = Describe("Headers Suite", func() {
 			},
 			session: nil,
 			expectedHeaders: http.Header{
-				"Claim": []string{"bar", "baz"},
+				"Claim": []string{"bar,baz"},
 			},
 			expectedErr: "",
 		}),