
[Bug]: oidc-allow-unverified-email ignored when using extra-jwt-issuers

Open guillaumesmo opened this issue 1 year ago • 0 comments

OAuth2-Proxy Version

6, 7

Provider

keycloak-oidc

Expected Behaviour

Same behaviour as the main issuer: token accepted regardless of email verified status.

Current Behaviour

403 with following error in the logs:

Error retrieving session from token in Authorization header: email in id_token (d6f1521d-f0d0-4031-aff4-10fb36e1165e) isn't verified

Steps To Reproduce

environment:
  OAUTH2_PROXY_INSECURE_OIDC_ALLOW_UNVERIFIED_EMAIL: 'true'
# or
command: --insecure-oidc-allow-unverified-email=true

combined with:

OAUTH2_PROXY_SKIP_JWT_BEARER_TOKENS: 'true'
OAUTH2_PROXY_OIDC_ISSUER_URL: https://host/realms/main=aud
OAUTH2_PROXY_EXTRA_JWT_ISSUERS: https://host/realms/other=aud

make a call with Bearer Authorization with main issuer: token accepted
make a call with Bearer Authorization with other issuer: 403

Possible Solutions

No response

Configuration details or additional information

No response

guillaumesmo, Feb 19 '24 16:02
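The behaviour the report expects is that the unverified-email policy is one setting applied to every trusted issuer, main and extra alike. The following Go program is an added illustration of that invariant and is not oauth2-proxy's code: it models a verifier configured with the two issuers from the report and checks the `email_verified` claim the same way for both. The claim struct, the `VerifierConfig` type, the `AcceptToken` function and the constructed, unsigned tokens are all assumptions made for the example; signature and audience verification are assumed to have happened before the claim check and are not shown.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

// Claims is the subset of ID-token claims the email policy looks at.
// EmailVerified is a pointer so a missing claim is distinguishable from false.
type Claims struct {
	Issuer        string `json:"iss"`
	Email         string `json:"email"`
	EmailVerified *bool  `json:"email_verified"`
}

// VerifierConfig mirrors the report's setup: one main issuer plus extra
// JWT issuers. AllowUnverifiedEmail is a single switch that must apply to
// all of them; applying it only to MainIssuer is the bug being reported.
type VerifierConfig struct {
	MainIssuer           string
	ExtraIssuers         []string
	AllowUnverifiedEmail bool
}

// decodeClaims reads the payload of a compact JWT. It does not verify the
// signature; this example assumes that was done earlier in the pipeline.
func decodeClaims(token string) (*Claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("token is not a three-part compact JWT")
	}
	raw, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil {
		return nil, fmt.Errorf("decode payload: %w", err)
	}
	var c Claims
	if err := json.Unmarshal(raw, &c); err != nil {
		return nil, fmt.Errorf("parse claims: %w", err)
	}
	return &c, nil
}

// AcceptToken rejects tokens from issuers that are not configured and then
// applies the unverified-email policy identically for every trusted issuer.
func AcceptToken(cfg VerifierConfig, token string) error {
	c, err := decodeClaims(token)
	if err != nil {
		return err
	}
	trusted := c.Issuer == cfg.MainIssuer
	for _, iss := range cfg.ExtraIssuers {
		if c.Issuer == iss {
			trusted = true
		}
	}
	if !trusted {
		return fmt.Errorf("issuer %q is not configured", c.Issuer)
	}
	verified := c.EmailVerified != nil && *c.EmailVerified
	if !verified && !cfg.AllowUnverifiedEmail {
		// Same wording as the log line in the report.
		return fmt.Errorf("email in id_token (%s) isn't verified", c.Email)
	}
	return nil
}

// MakeToken builds a constructed, unsigned JWT-shaped string for the demo.
// Real tokens carry a signature that must be checked; this one is test data.
func MakeToken(c Claims) string {
	enc := func(v interface{}) string {
		b, _ := json.Marshal(v)
		return base64.RawURLEncoding.EncodeToString(b)
	}
	return enc(map[string]string{"alg": "none", "typ": "JWT"}) + "." + enc(c) + "."
}

func main() {
	cfg := VerifierConfig{
		MainIssuer:           "https://host/realms/main",
		ExtraIssuers:         []string{"https://host/realms/other"},
		AllowUnverifiedEmail: true,
	}
	f := false
	for _, iss := range []string{cfg.MainIssuer, cfg.ExtraIssuers[0]} {
		tok := MakeToken(Claims{Issuer: iss, Email: "user@example.test", EmailVerified: &f})
		fmt.Printf("%s: err=%v\n", iss, AcceptToken(cfg, tok))
	}
}
```

With `AllowUnverifiedEmail: true` both issuers are accepted; flipping it to `false` rejects both with the same error the report quotes, which is the consistency a defender should expect when reviewing how a proxy handles multiple issuers.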