feat: forward request headers to remote authorizer

[richiejenkins]

Adds a forward_request_headers_to_remote config field on the remote authorizer. When set, listed headers are copied from the inbound request to the outbound request to the remote endpoint.

Useful for forwarding signature, timestamp, or nonce headers to an external verifier service. Mirrors the existing forward_response_headers_to_upstream field, in the request direction.

Related issue(s)

#1270

Checklist

• I have read the contributing guidelines.
• I have referenced an issue containing the design document if my change
  introduces a new feature.
• I am following the contributing code guidelines.
• I have read the security policy.
• I confirm that this pull request does not address a security vulnerability. If this pull request addresses a security vulnerability, I confirm that I got the approval (please contact security@ory.com) from the maintainers to push the changes.
• I have added tests that prove my fix is effective or that my feature works.
• I have added or changed the documentation.

Summary by CodeRabbit

• New Features

  • Added configuration support to specify which incoming request headers should be forwarded to the remote authorizer endpoint. The feature is optional and defaults to an empty list.

• Tests

  • Added test coverage validating header forwarding behavior and header exclusion scenarios.

[coderabbitai]

📝 Walkthrough

Walkthrough

Adds a configurable forward_request_headers_to_remote field to the remote authorizer allowing users to specify inbound request headers to forward to the remote authorizer endpoint. The change includes schema updates, configuration field addition, and header forwarding logic implementation with test coverage.

Changes

Cohort / File(s)	Summary
Configuration Schema .schema/config.schema.json, spec/config.schema.json	Added new schema property forward_request_headers_to_remote as an optional array of unique strings with empty array default for remote authorizer configuration.
Remote Authorizer Implementation pipeline/authz/remote.go	Added ForwardRequestHeadersToRemote field to AuthorizerRemoteConfiguration struct to store configured header names for forwarding to remote endpoint.
Remote Authorizer Tests pipeline/authz/remote_test.go	Extended test suite with requestHeaders per test case and validation that configured headers are forwarded while unconfigured headers are excluded from remote requests.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Possibly related issues

• Allow forwarding selected request headers to remote authorizer #1270: Directly implements the forward_request_headers_to_remote configuration feature and header forwarding logic to the remote authorizer as described in the issue.

🚥 Pre-merge checks | ✅ 3 | ❌ 2

❌ Failed checks (1 warning, 1 inconclusive)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.
Description check	❓ Inconclusive	The description covers the feature purpose, links the related issue (#1270), and completes most checklist items. However, documentation updates are not marked as complete, which is a required checklist item per the template.	Clarify whether documentation changes are required for this feature or confirm that existing documentation adequately covers the new forward_request_headers_to_remote field.

✅ Passed checks (3 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title accurately and concisely summarizes the main change: adding a feature to forward request headers to a remote authorizer, which aligns with the core functionality changes across all modified files.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Review rate limit: 7/8 reviews remaining, refill in 7 minutes and 30 seconds.}

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@pipeline/authz/remote.go`:
- Around line 90-99: The loop that copies headers from r to req using
c.ForwardRequestHeadersToRemote can cause duplicate Authorization or
Content-Type because those headers are also appended later; update the loop in
remote.go (the block iterating over c.ForwardRequestHeadersToRemote and using
r.Header.Values/name, req.Header.Del/Add) to skip forwarding when name equals
"Authorization" or "Content-Type" (case-insensitive), or otherwise de-duplicate
by checking req.Header.Get(name) before adding, so the later explicit append of
Authorization/Content-Type (lines after this loop) will not produce duplicates.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro Plus

Run ID: 68a40fd2-22c6-482b-bffb-4b7d4ad72166

📥 Commits

Reviewing files that changed from the base of the PR and between 29ba399 and 98e0166.

📒 Files selected for processing (4)

• .schema/config.schema.json
• pipeline/authz/remote.go
• pipeline/authz/remote_test.go
• spec/config.schema.json

[coderabbitai]

⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Avoid duplicate Authorization / Content-Type when forwarding configured headers.

If forward_request_headers_to_remote contains Authorization or Content-Type, this loop adds them, and Lines 100-104 append them again. That can send duplicated auth/content headers to the remote authorizer.

Proposed fix

-	for _, name := range c.ForwardRequestHeadersToRemote {
-		values := r.Header.Values(name)
-		if len(values) == 0 {
-			continue
-		}
-		req.Header.Del(name)
-		for _, v := range values {
-			req.Header.Add(name, v)
-		}
-	}
-	req.Header.Add("Content-Type", r.Header.Get("Content-Type"))
+	req.Header.Set("Content-Type", r.Header.Get("Content-Type"))
 	authz := r.Header.Get("Authorization")
 	if authz != "" {
-		req.Header.Add("Authorization", authz)
+		req.Header.Set("Authorization", authz)
+	}
+	for _, name := range c.ForwardRequestHeadersToRemote {
+		values := r.Header.Values(name)
+		if len(values) == 0 {
+			continue
+		}
+		req.Header.Del(name)
+		for _, v := range values {
+			req.Header.Add(name, v)
+		}
 	}

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	for _, name := range c.ForwardRequestHeadersToRemote {
	values := r.Header.Values(name)
	if len(values) == 0 {
	continue
	}
	req.Header.Del(name)
	for _, v := range values {
	req.Header.Add(name, v)
	}
	}
	req.Header.Set("Content-Type", r.Header.Get("Content-Type"))
	authz := r.Header.Get("Authorization")
	if authz != "" {
	req.Header.Set("Authorization", authz)
	}
	for _, name := range c.ForwardRequestHeadersToRemote {
	values := r.Header.Values(name)
	if len(values) == 0 {
	continue
	}
	req.Header.Del(name)
	for _, v := range values {
	req.Header.Add(name, v)
	}
	}

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@pipeline/authz/remote.go` around lines 90 - 99, The loop that copies headers
from r to req using c.ForwardRequestHeadersToRemote can cause duplicate
Authorization or Content-Type because those headers are also appended later;
update the loop in remote.go (the block iterating over
c.ForwardRequestHeadersToRemote and using r.Header.Values/name,
req.Header.Del/Add) to skip forwarding when name equals "Authorization" or
"Content-Type" (case-insensitive), or otherwise de-duplicate by checking
req.Header.Get(name) before adding, so the later explicit append of
Authorization/Content-Type (lines after this loop) will not produce duplicates.

[CLAassistant]

All committers have signed the CLA.