Behaviour
-
Authentication Requirement: All requests passing through the proxy to upstream applications require authentication, excluding default proxy endpoints.
- Exception: If the request matches a skipped route (configured via
--skip-auth-route):- Authentication is not enforced, but the proxy will opportunistically attempt to validate a session cookie (
--cookie-name) or JWT (--skip-jwt-bearer-tokens) if present in the request. - Configured user info and authentication headers (e.g.,
--pass-access-token) are injected to upstream routes when validation succeeds.
- Authentication is not enforced, but the proxy will opportunistically attempt to validate a session cookie (
- Exception: If the request matches a skipped route (configured via
-
Unauthenticated Requests: When authentication is missing but required, the user is redirected to the configured Identity Provider (IdP) login page by default.
- Ajax Requests: If the request has
Accept: application/jsonheader:- Returns
401 Unauthorized.
- Returns
- Invalid JWT Tokens: If
--skip-jwt-bearer-tokensis set and the request includes an invalid JWT:- Redirects to the login page by default.
- Returns
403 Forbiddenif--bearer-token-login-fallbackis set tofalse.
- Ajax Requests: If the request has
-
Post-Authentication: After successful authentication with the IdP, OAuth tokens are stored in the configured session store (cookie or Redis), and a cookie is set.
-
Request Forwarding: The authenticated request is processed based on configuration:
- Forwarded to the configured upstream application with added user info and authentication headers, or
- Returns a valid status code for downstream processing by another proxy or load balancer (e.g., Nginx or Traefik).
Note: The proxy also provides a number of useful endpoints for monitoring and management.