s3-proxy
[oidc] JWT auth failures respond with HTTP 500 instead of 401
Describe the bug
When JWT authorization validation fails, the HTTP response status is 500 instead of the standard 401.
To Reproduce
Steps to reproduce the behavior:
- configure OIDC auth for provider A
- get a JWT from provider B
- try to access a file using the JWT from provider B
- see the 500 error response
Expected behavior
Whenever authorization fails, the response status should be set to 401, since it is not a server-side error at all.
The same applies to any other concrete JWT validation error case, e.g.:
- wrong signature
- access token expired
- wrong scope
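The status mapping this report asks for, written out as an added example. This is not code from the issue or from the s3-proxy code base; it uses a minimal HS256 verifier written here for illustration (s3-proxy itself validates provider-signed tokens through its OIDC library), and every name in it (ErrInvalidToken, StatusForAuthError, KeyLookup, AuthMiddleware, verifyHS256, mintHS256, probe) is constructed for the example. It goes slightly beyond the wrong-issuer case above: a bad signature, an expired token and a malformed token are all classified as the client's problem (401), while a failure to obtain the provider's signing key is kept as a genuine server-side error (500), which is the distinction a fix has to preserve.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
	"time"
)

// ErrInvalidToken is wrapped by every rejection caused by the client's token; errors that do not wrap it are server-side.
var ErrInvalidToken = errors.New("invalid token")

type claims struct {
	Iss string `json:"iss"`
	Exp int64  `json:"exp"`
}
func sign(key []byte, input string) []byte {
	mac := hmac.New(sha256.New, key)
	mac.Write([]byte(input))
	return mac.Sum(nil)
}

// verifyHS256 is an assumed, minimal HS256 verifier for illustration only (s3-proxy uses its OIDC library instead).
func verifyHS256(raw string, key []byte, issuer string, now time.Time) (*claims, error) {
	parts := strings.Split(raw, ".")
	if len(parts) != 3 {
		return nil, fmt.Errorf("%w: malformed token", ErrInvalidToken)
	}
	sig, err := base64.RawURLEncoding.DecodeString(parts[2])
	if err != nil || !hmac.Equal(sig, sign(key, parts[0]+"."+parts[1])) {
		return nil, fmt.Errorf("%w: wrong signature", ErrInvalidToken)
	}
	var c claims
	payload, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil || json.Unmarshal(payload, &c) != nil {
		return nil, fmt.Errorf("%w: malformed claims", ErrInvalidToken)
	}
	if c.Iss != issuer {
		return nil, fmt.Errorf("%w: id token issued by a different provider, expected %q got %q", ErrInvalidToken, issuer, c.Iss)
	}
	if now.Unix() >= c.Exp {
		return nil, fmt.Errorf("%w: access token expired", ErrInvalidToken)
	}
	return &c, nil
}

// StatusForAuthError is the mapping the issue asks for: a rejected token is the client's problem (401); anything else is a 500.
func StatusForAuthError(err error) int {
	if errors.Is(err, ErrInvalidToken) {
		return http.StatusUnauthorized
	}
	return http.StatusInternalServerError
}

// KeyLookup stands in for fetching the provider's signing keys (e.g. from its JWKS endpoint).
type KeyLookup func() ([]byte, error)
func AuthMiddleware(lookup KeyLookup, issuer string, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		key, err := lookup()
		if err != nil { // genuinely server-side: 500 is correct here
			http.Error(w, "auth backend unavailable", StatusForAuthError(err))
			return
		}
		raw := strings.TrimPrefix(r.Header.Get("Authorization"), "Bearer ")
		if _, err := verifyHS256(raw, key, issuer, time.Now()); err != nil {
			http.Error(w, err.Error(), StatusForAuthError(err))
			return
		}
		next.ServeHTTP(w, r)
	})
}

// mintHS256 builds a constructed demo token; no real provider is involved.
func mintHS256(key []byte, issuer string, exp time.Time) string {
	body, _ := json.Marshal(claims{Iss: issuer, Exp: exp.Unix()})
	input := base64.RawURLEncoding.EncodeToString([]byte(`{"alg":"HS256"}`)) + "." + base64.RawURLEncoding.EncodeToString(body)
	return input + "." + base64.RawURLEncoding.EncodeToString(sign(key, input))
}

// probe sends one bearer token through the middleware and returns the response status.
func probe(lookup KeyLookup, issuer, token string) int {
	rr, req := httptest.NewRecorder(), httptest.NewRequest(http.MethodGet, "/v1/file", nil)
	req.Header.Set("Authorization", "Bearer "+token)
	AuthMiddleware(lookup, issuer, http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) { w.WriteHeader(http.StatusOK) })).ServeHTTP(rr, req)
	return rr.Code
}

func main() {
	key, issuerA := []byte("constructed-demo-key"), "https://issuer-a.example"
	ok := func() ([]byte, error) { return key, nil }
	fmt.Println(probe(ok, issuerA, mintHS256(key, issuerA, time.Now().Add(time.Hour))), // 200
		probe(ok, issuerA, mintHS256(key, "https://issuer-b.example", time.Now().Add(time.Hour)))) // 401
}
```

The middleware echoes the verifier's message into the body the way the 500 page in this report does; a production handler would log that detail and return a generic 401 body, since the message reveals which issuer the proxy trusts.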
Screenshots
Example for a wrong issuer:
curl -v -H "Authorization: Bearer $TOKEN" 'http://localhost:8080/v1/__REDACTED__'
* Trying [::1]:8080...
* Connected to localhost (::1) port 8080
> GET /v1/__REDACTED__ HTTP/1.1
> Host: localhost:8080
> User-Agent: curl/8.4.0
> Accept: */*
> Authorization: Bearer __REDACTED__
>
< HTTP/1.1 500 Internal Server Error
< Cache-Control: no-cache, no-store, no-transform, must-revalidate, private, max-age=0
< Content-Type: text/html; charset=utf-8
< Expires: Thu, 01 Jan 1970 00:00:00 GMT
< Pragma: no-cache
< X-Accel-Expires: 0
< Date: Wed, 22 Nov 2023 16:40:16 GMT
< Content-Length: 225
<
<!DOCTYPE html>
<html>
<body>
<h1>Internal Server Error</h1>
<p>oidc: id token issued by a different provider, expected "__ISSUER_A__" got "__ISSUER_B__"</p>
</body>
</html>
* Connection #0 to host localhost left intact
Version and platform (please complete the following information):
- Docker
- Version: 4.12