oxyno-zeta / s3-proxy

S3 Reverse Proxy with GET, PUT and DELETE methods and authentication (OpenID Connect and Basic Auth)
https://oxyno-zeta.github.io/s3-proxy/
Apache License 2.0

[oidc] JWT auth failures respond with HTTP 500 instead of 401 #401

Closed enote-kane closed 5 months ago

enote-kane commented 9 months ago

Describe the bug

When JWT authorization validation fails, the HTTP response status is 500 instead of the standard 401.

To Reproduce

Steps to reproduce the behavior:

  1. configure OIDC auth for provider A
  2. get a JWT from provider B
  3. try to access a file using the JWT from provider B
  4. See 500 error response

Expected behavior

Whenever authorization fails, the response status should be set to 401, since it is not a server side error at all.

The same applies to any other concrete JWT validation error case, e.g.:

Screenshots

Example for a wrong issuer:

curl -v -H "Authorization: Bearer $TOKEN" 'http://localhost:8080/v1/__REDACTED__'
*   Trying [::1]:8080...
* Connected to localhost (::1) port 8080
> GET /v1/__REDACTED__ HTTP/1.1
> Host: localhost:8080
> User-Agent: curl/8.4.0
> Accept: */*
> Authorization: Bearer __REDACTED__
> 
< HTTP/1.1 500 Internal Server Error
< Cache-Control: no-cache, no-store, no-transform, must-revalidate, private, max-age=0
< Content-Type: text/html; charset=utf-8
< Expires: Thu, 01 Jan 1970 00:00:00 GMT
< Pragma: no-cache
< X-Accel-Expires: 0
< Date: Wed, 22 Nov 2023 16:40:16 GMT
< Content-Length: 225
< 
<!DOCTYPE html>
<html>
  <body>
    <h1>Internal Server Error</h1>
    <p>oidc: id token issued by a different provider, expected "__ISSUER_A__" got "__ISSUER_B__"</p>
  </body>
</html>
* Connection #0 to host localhost left intact

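As an added illustration of the status split discussed in this issue (this is example code written for this page, not code from s3-proxy or from either commenter): a Go middleware that returns 401 when the token itself is at fault (wrong issuer, malformed, missing) and keeps 500 for failures on the server side, such as the provider being unreachable. The error types `TokenValidationError` and `ErrProviderUnavailable`, the `stubVerifier` (which only reads the `iss` claim and performs no signature check), and the issuer URLs are all constructed for the example; s3-proxy itself delegates verification to go-oidc, whose errors would need to be classified the same way. The example also keeps the verifier's detailed message out of the response body, unlike the HTML page in the report.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"log"
	"net/http"
	"net/http/httptest"
	"strings"
)

// TokenValidationError marks failures caused by the presented token itself
// (wrong issuer, expired, malformed). The client is at fault: respond 401.
// Hypothetical type for this example.
type TokenValidationError struct{ Reason string }

func (e *TokenValidationError) Error() string { return "oidc: " + e.Reason }

// ErrProviderUnavailable marks a server-side failure (e.g. JWKS endpoint
// unreachable). The client cannot fix it: respond 500. Hypothetical sentinel.
var ErrProviderUnavailable = errors.New("oidc: provider unavailable")

// verifyFunc abstracts token verification (s3-proxy uses go-oidc for this).
type verifyFunc func(rawToken string) error

// statusForAuthError is the mapping the issue asks for: token problems are 401,
// anything else remains a 500.
func statusForAuthError(err error) int {
	var tve *TokenValidationError
	switch {
	case err == nil:
		return http.StatusOK
	case errors.As(err, &tve):
		return http.StatusUnauthorized
	default:
		return http.StatusInternalServerError
	}
}

// bearerToken extracts the token from "Authorization: Bearer <token>".
func bearerToken(r *http.Request) (string, bool) {
	const prefix = "Bearer "
	h := r.Header.Get("Authorization")
	if !strings.HasPrefix(h, prefix) || strings.TrimSpace(h[len(prefix):]) == "" {
		return "", false
	}
	return strings.TrimSpace(h[len(prefix):]), true
}

// authMiddleware verifies the bearer token and maps verification errors to HTTP
// statuses. Details go to the server log; the client gets a generic body.
func authMiddleware(verify verifyFunc, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		tok, ok := bearerToken(r)
		if !ok {
			w.Header().Set("WWW-Authenticate", `Bearer realm="s3-proxy"`)
			http.Error(w, "Unauthorized", http.StatusUnauthorized)
			return
		}
		err := verify(tok)
		switch status := statusForAuthError(err); status {
		case http.StatusOK:
			next.ServeHTTP(w, r)
		case http.StatusUnauthorized:
			log.Printf("auth: rejected token: %v", err)
			w.Header().Set("WWW-Authenticate", `Bearer realm="s3-proxy", error="invalid_token"`)
			http.Error(w, "Unauthorized", status)
		default:
			log.Printf("auth: verifier failure: %v", err)
			http.Error(w, "Internal Server Error", status)
		}
	})
}

// stubVerifier is a constructed stand-in for the OIDC verifier: it only reads
// the "iss" claim and compares it with the configured provider. It checks no
// signature and exists solely to exercise the status mapping above.
func stubVerifier(expectedIssuer string, providerDown bool) verifyFunc {
	return func(raw string) error {
		if providerDown {
			return ErrProviderUnavailable
		}
		parts := strings.Split(raw, ".")
		if len(parts) < 2 {
			return &TokenValidationError{Reason: "malformed token"}
		}
		payload, err := base64.RawURLEncoding.DecodeString(parts[1])
		if err != nil {
			return &TokenValidationError{Reason: "malformed payload"}
		}
		var claims struct {
			Iss string `json:"iss"`
		}
		if json.Unmarshal(payload, &claims) != nil {
			return &TokenValidationError{Reason: "malformed claims"}
		}
		if claims.Iss != expectedIssuer {
			return &TokenValidationError{Reason: fmt.Sprintf(
				"id token issued by a different provider, expected %q got %q", expectedIssuer, claims.Iss)}
		}
		return nil
	}
}

// unsignedToken builds a constructed header.payload token carrying the given issuer.
func unsignedToken(iss string) string {
	enc := func(v interface{}) string {
		b, _ := json.Marshal(v)
		return base64.RawURLEncoding.EncodeToString(b)
	}
	return enc(map[string]string{"typ": "JWT"}) + "." + enc(map[string]string{"iss": iss})
}

// okHandler stands in for the S3 proxy handler behind the auth layer.
var okHandler = http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { w.WriteHeader(http.StatusOK) })

// statusWithToken sends one GET through the handler and returns the status code.
func statusWithToken(h http.Handler, token string) int {
	req := httptest.NewRequest(http.MethodGet, "/v1/file.txt", nil)
	if token != "" {
		req.Header.Set("Authorization", "Bearer "+token)
	}
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	return rec.Code
}

func main() {
	const issuerA = "https://issuer-a.example"
	h := authMiddleware(stubVerifier(issuerA, false), okHandler)
	fmt.Println("provider A token:", statusWithToken(h, unsignedToken(issuerA)))                  // 200
	fmt.Println("provider B token:", statusWithToken(h, unsignedToken("https://issuer-b.example"))) // 401
	fmt.Println("no token:", statusWithToken(h, ""))                                              // 401
	down := authMiddleware(stubVerifier(issuerA, true), okHandler)
	fmt.Println("provider unreachable:", statusWithToken(down, unsignedToken(issuerA)))           // 500
}
```

The only decision that matters is in `statusForAuthError`: verification libraries usually return one `error` for both "your token is wrong" and "I could not reach the provider", so the middleware has to distinguish them explicitly (here by error type, with `errors.As`) before choosing between 401 and 500.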
oxyno-zeta commented 8 months ago

Hello @enote-kane ,

Thanks for your issue. You are right. This needs to be changed. This will require a bit of rework to allow 500 in some cases and 401 in the majority. I don't know when I will have the time to do it, sorry.

Oxyno-zeta

oxyno-zeta commented 5 months ago

This should be closed now. Sorry for the delay.