Title: Provide an option to allow errors and pass through
Description:
Today, there is a deny_redirect_matcher, which is useful for APIs where redirecting does not make sense (e.g. AJAX endpoint). For endpoints that are listed in deny_redirect_matcher, the behavior would be:
If access token exists and valid, succeed and pass to next filter
If access token is expired and refresh token exists, attempt to refresh the access token and set it to cookies
If refresh failed or refresh token is absent, sendLocalReply with an error message "OAuth flow failed."
While local reply is customizable using local reply modification, we still run into a use case where upstream service wants to handle the error themselves, i.e. we need an option that makes the 3rd bullet above become:
If refresh failed or refresh token is absent, pass through
Similarly, in JWT authentication filter, there is a JWT requirement rule called allow_missing_or_failed (doc), with which any missing or invalid jwt will pass through so the upstream service can handle the error themselves.
Title: Provide an option to allow errors and pass through
Description:
Today, there is a
deny_redirect_matcher
, which is useful for APIs where redirecting does not make sense (e.g. AJAX endpoint). For endpoints that are listed indeny_redirect_matcher
, the behavior would be:sendLocalReply
with an error message "OAuth flow failed."While local reply is customizable using local reply modification, we still run into a use case where upstream service wants to handle the error themselves, i.e. we need an option that makes the 3rd bullet above become:
Similarly, in JWT authentication filter, there is a JWT requirement rule called
allow_missing_or_failed
(doc), with which any missing or invalid jwt will pass through so the upstream service can handle the error themselves.