authenticationoauth-2.0oauthjwtoauth2-proxy

oauth2-proxy `/oauth2/auth` returns 401 on valid JWT tokens


I'm using nginx to do an auth check against oauth2-proxy using the auth_request directive. Auth0 is my upstream authentication provider. Auth0 has a machine-to-machine JWT authentication API configured for service accounts and a normal authentication routine for human users.

The human/browser authentication path works great, but when I try to use a JWT token to authenticate on /oauth2/auth, oauth2-proxy is returning a 401 when requests have a valid JWT token in the Authorization: Bearer <valid-token> header. I've verified the requests to oauth2-proxy using tcpdump.

daa1b934b391:/# curl -i -H "Authorization: Bearer <valid-token>" http://localhost:4180/oauth2/auth
HTTP/1.1 401 Unauthorized
Content-Type: text/plain; charset=utf-8
X-Content-Type-Options: nosniff
Date: Wed, 17 Jul 2024 20:33:50 GMT
Content-Length: 13

Unauthorized

The crux of my question is whether oauth2-proxy is designed to handle JWT token validation in this way, or will /oauth2/auth always return a 401 when there's no valid session cookie set (as in the case of a service account using a JWT token)? I assume that setting --skip-jwt-bearer-tokens=false (default), and the related JWT token config parameters, that oauth2-proxy will attempt to verify the token and, upon verification, return a 2XX HTTP response.

If my assumption is correct, and it's correct that no session + valid token = HTTP/2XX, then what logging is possible to tease out what's missing in my configuration? I've been pretty unsuccessful at getting oauth2-proxy to be very "verbose".


Solution

  • The resolution was rather simple. As mentioned in comments, oauth2-proxy will authenticate the JWT token just fine. Although both ChatGPT and Claude swore up and down that I should set skip_jwt_bearer_tokens=false, it needs to be set to skip_jwt_bearer_tokens=true in order to authenticate JWT tokens. The docs aren't especially clear about this either. When that's set incorrectly no logging for JWT tokens occurs. Once corrected logging messages show up on JWT auth and oauth2-proxy returns 2XX or 40X if an Authorization header exists.