Add --bearer-token-login-fallback option (#2924)

* add --deny-invalid-bearer-tokens * update changelog * PR feedback, update api-routes description * update --api-routes description * revert load_test fix that I needed locally --------- Co-authored-by: Justin Ryan <j.ryan@mwam.com>
2025-06-23 00:40:46 +02:00 · 2025-04-21 08:40:39 -04:00
parent bb6ff4ed14
commit 8abdbb5a18
7 changed files with 137 additions and 41 deletions
--- a/oauthproxy.go
+++ b/oauthproxy.go
@ -163,6 +163,10 @@ func NewOAuthProxy(opts *options.Options, validator func(string) bool) (*OAuthPr
 		for _, issuer := range opts.ExtraJwtIssuers {
 			logger.Printf("Skipping JWT tokens from extra JWT issuer: %q", issuer)
 		}
+		if !opts.BearerTokenLoginFallback {
+			logger.Println("Denying requests with invalid JWT tokens")
+		}
+
 	}
 	redirectURL := opts.GetRedirectURL()
 	if redirectURL.Path == "" {
@ -402,7 +406,7 @@ func buildSessionChain(opts *options.Options, provider providers.Provider, sessi
 				middlewareapi.CreateTokenToSessionFunc(verifier.Verify))
 		}

-		chain = chain.Append(middleware.NewJwtSessionLoader(sessionLoaders))
+		chain = chain.Append(middleware.NewJwtSessionLoader(sessionLoaders, opts.BearerTokenLoginFallback))
 	}

 	if validator != nil {