@@ -411,30 +411,42 @@ func newReverseProxy(logger *slog.Logger, lc tailscaleLocalClient, url *url.URL,
411411 return
412412 }
413413
414- loginName := whois .UserProfile .LoginName
415- displayName := whois .UserProfile .DisplayName
414+ var (
415+ loginName string
416+ displayName string
417+ )
416418
417419 if isFunnel {
418420 idt := middleware .IDJWTFromContext (r .Context ())
419- if idt == nil || ! idt .HasStringClaim ("name" ) || ! idt .HasStringClaim ("email" ) {
420- http .Error (w , http .StatusText (http .StatusInternalServerError ), http .StatusInternalServerError )
421- logger .Error ("oidc id token missing name or email" )
422- return
423- }
424- email , eerr := idt .StringClaim ("email" )
425- name , nerr := idt .StringClaim ("name" )
426- if eerr != nil || nerr != nil {
427- http .Error (w , http .StatusText (http .StatusInternalServerError ), http .StatusInternalServerError )
428- logger .Error ("oidc id token cannot unpack name or email" , "eerr" , eerr , "nerr" , nerr )
429- return
421+ // only if present, i.e for non-public paths.
422+ if idt != nil {
423+ if ! idt .HasStringClaim ("name" ) || ! idt .HasStringClaim ("email" ) {
424+ http .Error (w , http .StatusText (http .StatusInternalServerError ), http .StatusInternalServerError )
425+ logger .Error ("oidc id token missing name or email" )
426+ return
427+ }
428+ email , eerr := idt .StringClaim ("email" )
429+ name , nerr := idt .StringClaim ("name" )
430+ if eerr != nil || nerr != nil {
431+ http .Error (w , http .StatusText (http .StatusInternalServerError ), http .StatusInternalServerError )
432+ logger .Error ("oidc id token cannot unpack name or email" , "eerr" , eerr , "nerr" , nerr )
433+ return
434+ }
435+ loginName = email
436+ displayName = name
430437 }
431- loginName = email
432- displayName = name
438+ } else {
439+ loginName = whois .UserProfile .LoginName
440+ displayName = whois .UserProfile .DisplayName
433441 }
434442
435443 req := r .Clone (r .Context ())
436- req .Header .Set ("X-Webauth-User" , loginName )
437- req .Header .Set ("X-Webauth-Name" , displayName )
444+ if loginName != "" {
445+ req .Header .Set ("X-Webauth-User" , loginName )
446+ }
447+ if displayName != "" {
448+ req .Header .Set ("X-Webauth-Name" , displayName )
449+ }
438450 rproxy .ServeHTTP (w , req )
439451 })
440452}
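Review bot: With the headers now set only when loginName/displayName are non-empty (new lines 444-449), a Funnel request on a public path (idt == nil) forwards whatever `X-Webauth-User` / `X-Webauth-Name` the remote client sent, because `r.Clone` copies the inbound headers and nothing strips them — the old unconditional `Set` at least overwrote them. Unless an earlier middleware already removes those headers (not visible in this hunk), the upstream would treat a client-chosen value as a verified identity. The proxy should clear them before the conditional sets, e.g. `req.Header.Del("X-Webauth-User")` and `req.Header.Del("X-Webauth-Name")` immediately after the `req := r.Clone(r.Context())` line, with a comment like `// never forward client-supplied identity headers; they are set only from verified identity below`. The comment at new line 421 could also say what "present" refers to, e.g. `// the ID token is only present for non-public (authenticated) Funnel paths`.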