canonical / oathkeeper-operator

Charmed Ory Oathkeeper
https://charmhub.io/oathkeeper
Apache License 2.0

fix: include custom headers in template only if requested #61

Closed natalian98 closed 6 months ago

natalian98 commented 6 months ago

The recently added X-Name and X-Email headers cause issues in processing requests when the Extra.identity.traits claims are not returned upon authentication. Oathkeeper returns a 500 response when it fails to parse the value of custom headers. This doesn't concern production auth-proxy use cases, but breaks a workaround used in traefik tests.

We use the anonymous authentication handler in an access rule in this test as a workaround to check return headers without deploying the identity platform. To make it work, oathkeeper should not attempt to parse headers that are not sent back by the anonymous handler. Note that eventually the IA proxy only returns headers specified in the traefik forward-auth config, but oathkeeper tries to evaluate them anyways.

This PR fixes that by appending the extra headers only if explicitly requested by auth-proxy.
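
The failure mode and the fix described above, as an added Go example that is not the charm's or Oathkeeper's own code. It assumes header values are Go `text/template` strings rendered with `missingkey=zero` against a session whose `Extra` is a map; `Session`, `SelectHeaders`, `Render`, the `X-User` header and the template bodies are hypothetical.

```go
package main

import (
	"bytes"
	"fmt"
	"text/template"
)

// Session is a constructed stand-in for the data a header template is rendered against.
type Session struct {
	Subject string
	Extra   map[string]interface{}
}

// Constructed templates: X-Name and X-Email are named in the PR, the bodies are assumptions.
var headerTemplates = map[string]string{
	"X-User":  "{{ .Subject }}",
	"X-Name":  "{{ .Extra.identity.traits.name }}",
	"X-Email": "{{ .Extra.identity.traits.email }}",
}

// SelectHeaders keeps only the headers that were explicitly requested.
func SelectHeaders(requested []string) map[string]string {
	out := map[string]string{}
	for _, h := range requested {
		if t, ok := headerTemplates[h]; ok {
			out[h] = t
		}
	}
	return out
}

// Render evaluates every configured header; one failing template fails the whole request.
func Render(headers map[string]string, s Session) (map[string]string, error) {
	out := map[string]string{}
	for name, text := range headers {
		t := template.Must(template.New(name).Option("missingkey=zero").Parse(text))
		var buf bytes.Buffer
		if err := t.Execute(&buf, s); err != nil {
			return nil, fmt.Errorf("header %s: %w", name, err)
		}
		out[name] = buf.String()
	}
	return out, nil
}

func main() {
	anon := Session{Subject: "anonymous", Extra: map[string]interface{}{}} // no identity traits
	_, err := Render(headerTemplates, anon)
	fmt.Println("all headers:", err)
	fmt.Println(Render(SelectHeaders([]string{"X-User"}), anon))
}
```

With the anonymous session, the chained lookup below the missing `identity` key is what errors, so leaving the unrequested templates out of the rendered set avoids the failure without changing the session.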