fix: jwt regex validation error during skip-jwt-bearer-tokens flow (#2888)

---------

Co-authored-by: Jan Larwig <jan@larwig.com>

CHANGELOG.md

@@ -8,6 +8,8 @@
 
 ## Changes since v7.8.0
 
+- [#2887](https://github.com/oauth2-proxy/oauth2-proxy/issues/2887) fix: jwt regex validation error during skip-jwt-bearer-tokens flow
+
 # V7.8.0
 
 ## Release Highlights

pkg/middleware/jwt_session.go

@@ -13,7 +13,7 @@ import (
 	k8serrors "k8s.io/apimachinery/pkg/util/errors"
 )
 
-const jwtRegexFormat = `^ey[IJ][a-zA-Z0-9_-]*\.ey[IJ][a-zA-Z0-9_-]*\.[a-zA-Z0-9_-]+$`
+const jwtRegexFormat = `^ey[a-zA-Z0-9_-]*\.ey[a-zA-Z0-9_-]*\.[a-zA-Z0-9_-]+$`
 
 func NewJwtSessionLoader(sessionLoaders []middlewareapi.TokenToSessionFunc) alice.Constructor {
 	js := &jwtSessionLoader{

pkg/middleware/jwt_session_test.go

@@ -71,6 +71,7 @@ Nnc3a3lGVWFCNUMxQnNJcnJMTWxka1dFaHluYmI4Ongtb2F1dGgtYmFzaWM=`
 	// validToken will pass the token regex so can be used to check token fetching
 	// is valid. It will not pass the OIDC Verifier however.
 	const validToken = "eyJfoobar.eyJfoobar.12345asdf"
+	const validTokenWithSpace = "eyAidHlwIjogIkpXVCIsICJraWQiOiAiRTJlWW5ZMWR1eGttTkpiVGdCRzd4MkVpNVJZPSIsICJhbGciOiAiUlMyNTYiIH0K.eyJfoobar.12345asdf"
 
 	Context("JwtSessionLoader", func() {
 		var verifier middlewareapi.VerifyFunc
@@ -294,6 +295,11 @@ Nnc3a3lGVWFCNUMxQnNJcnJMTWxka1dFaHluYmI4Ongtb2F1dGgtYmFzaWM=`
 				expectedErr:   nil,
 				expectedToken: validToken,
 			}),
+			Entry("Bearer <valid-token-with-whitespace>", findBearerTokenFromHeaderTableInput{
+				header:        fmt.Sprintf("Bearer %s", validTokenWithSpace),
+				expectedErr:   nil,
+				expectedToken: validTokenWithSpace,
+			}),
 			Entry("Basic invalid-base64", findBearerTokenFromHeaderTableInput{
 				header:        "Basic invalid-base64",
 				expectedErr:   errors.New("invalid basic auth token: illegal base64 data at input byte 7"),