- Any request passing through the proxy (and not matched by
--skip-auth-regex) is checked for the proxy's session cookie (
--cookie-name) (or, if allowed, a JWT token - see
- If authentication is required but missing then the user is asked to log in and redirected to the authentication provider (unless it is an Ajax request, i.e. one with
Accept: application/json, in which case 401 Unauthorized is returned)
- After returning from the authentication provider, the oauth tokens are stored in the configured session store (cookie, redis, ...) and a cookie is set
- The request is forwarded to the upstream server with added user info and authentication headers (depending on the configuration)
Notice that the proxy also provides a number of useful endpoints.