I am trying to port a Perl script, which successfully reads and consumes Shibboleth session attributes, into Node.js. The Perl code looks, for example, like this:
die "Must be protected behind shibboleth authentication" unless $ENV{'AUTH_TYPE'} eq 'shibboleth';
die "Requires eppn" unless $ENV{'eppn'} ne "";
my $user = $ENV{'eppn'};
my $shib_session_id = $ENV{'Shib-Session-ID'};
It appears as though the Shibboleth attributes are available to Perl as environment variables. As far as I can tell (I don't know Perl), there is nothing within the script that is fetching or altering these values.
So, I checked process.env, in my Node.js app, and none of these values exist. Nor do they, as far as I have searched, exist in the request object created by Express.js.
The Perl script is on an Apache server, but nothing in the httpd.conf looks like it's passing anything special to the Perl script. My Node.js app is reversed proxied on the same Apache server.
Is it possible to get the Shibboleth attributes in Node.js, or does it rely on some Perl/Apache/Shibboleth magic?
Thanks to @mpapec's comment, I solved this by passing the Apache environment variables upstream as request headers:
RequestHeader set X-Auth-Type %{AUTH_TYPE}e
RequestHeader set X-EPPN %{eppn}e
RequestHeader set X-Shib-Session-ID %{Shib-Session-ID}e
These now appear in req.headers in my Node.js app; although X-Auth-Type is mysteriously set to (null)... I can work around that, for the time being, but any ideas why this is the case?