[Bug]: alpha config `secretSource.value` not base64 decoding

[ProbstDJakob]

OAuth2-Proxy Version

7.14.2

Provider

oidc

Expected Behaviour

The alpha config injectRequestHeaders.secretSource.value gets base64 decoded.

Current Behaviour

The alpha config injectRequestHeaders.secretSource.value gets injected as is and thus is base64 encoded. Furthermore the docs still state that the HeaderValue expects the squashed values and the How to inject custom headers example is invalid yaml (misses values: two times).

Steps To Reproduce

Write a configuration which injects request headers with secret source values and dump the request (for example with netcat) to inspect the header.

Possible Solutions

Either decode the base64 value (probably best) or adapt the docs to state that the string must not be base64 decoded (and also the comment in the code).

Configuration details or additional information

No response

[dosubot]

Hi @ProbstDJakob! I'm Dosu and I’m helping the oauth2-proxy team.

You're right—there's a mismatch between the docs and the actual behavior. The documentation for alpha config in v7.14.2 says that secretSource.value should be base64 decoded before being injected as a header, but in reality, the code injects the value as-is, without decoding it. This means if you put a base64-encoded value in your config, it will show up base64-encoded in the header, not decoded as the docs suggest (docs, code, injector).

If you want to inject a plain text secret, you need to put it in the config as plain text, not base64. If you want to inject a base64-encoded value, encode it yourself before adding it to the config. There’s no automatic decoding step in the current implementation.

There are also some confusing YAML errors and strict base64 validation in the config parser, which can make debugging tricky (user report). Some users work around this by manually encoding the value they want to inject (workaround example).

For now, either manually decode your secrets before putting them in the config (if you want plain text in the header), or expect the header to be base64 if you leave it encoded. The docs and code should be updated for clarity and consistency.

To reply, just mention @dosu.

---

^{How did I do? Good | Irrelevant | Incorrect | Verbose | Hallucination | Report 🐛 | Other}

   

[tuunit]

@ProbstDJakob indeed this has been wrong this the alpha config was introduced but is being addressed in the following PR: #2629

They will actually be decoded in the future and the current doc statement will be correct that they need to be encoded

[ProbstDJakob]

If you mean "this has been wrong since the alpha config was introduced", then I can not confirm that. The following config go template snippet worked with version 7.13.0 and (besides the squashed config) does not work anymore with 7.14.2.

injectRequestHeaders:
  - name: Authorization
    preserveRequestValue: false
    values:
      - value: {{ printf "%s:%s" "user" .password | b64enc | printf "Basic %s" | b64enc }}

[Br1an67]

I'd like to work on this. This PR updates the Alpine Docker runtime image version from 3.23.2 to 3.23.3 for maintenance. PR: #3364

[ianroberts]

This change appears to have happened as part of #2628, which (among other things) switched to directly using go-yaml instead of indirecting via JSON with github.com/ghodss/yaml. go-yaml does not require base64 encoding of []byte data but it still allows it (e.g. if you want to include a []byte that isn't a printable string) with a !!binary tag, i.e.

injectResponseHeaders:
  - name: Strict-Transport-Security
    values:
      - value: "max-age=2592000; includeSubDomains"

and

injectResponseHeaders:
  - name: Strict-Transport-Security
    values:
      - value: !!binary bWF4LWFnZT0yNTkyMDAwOyBpbmNsdWRlU3ViRG9tYWlucw==

have the same effect.

[ProbstDJakob]

Thanks, if this works and will stay, I think this is better than always encoding the value, but still the docs need to be updated. I would do that, but will this behaviour really stay or will it be patched again?

@Br1an67 Your PR has (currently) nothing to do with this issue. Either you need to look up again how you commit code with git or this is just LLM slop and your LLM has not done the changes and just printed the potential diff stats. Either way if you fix your PR please also use English. English is the language used internationally and thus also in (most) open source projects as this one. I personally am unable to read your PR (without translator) and I am definitely not alone.

[ianroberts]

I agree, and my vote would also be to bring the documentation into line with the new behaviour rather than changing it back to always require encoding.