forward_auth config is parsed (and its policies already drive JWT route rules) but the verification endpoint it advertises is not served. Implement it so the proxy can act as an external auth gate for a fronting reverse proxy (nginx auth_request / Traefik forwardAuth).

Scope (when auth.mode == jwt and forward_auth.enabled)
- Serve the endpoint at forward_auth.path (default /auth/verify). It validates the request's Bearer token and evaluates the configured route policies against the original request, taken from the fronting proxy's X-Forwarded-Method / X-Forwarded-Uri (falling back to X-Original-Method / X-Original-URI, then the verify request's own method/path).
- 200 when allowed, echoing the configured claim headers (e.g. x-forwarded-user) so the fronting proxy copies the verified identity upstream.
- 401 when unauthenticated (adds Location: forward_auth.login_url when configured, for error-page redirects); 403 when authenticated but missing a required role.
- The endpoint is public (not behind the JWT middleware itself).
- Refactor the auth decision (token → policy → claims) into one reusable function so the middleware and the verify endpoint share a single source of truth.

Out of scope (separate roadmap items)
External gRPC AuthZ (authz), BFF sessions (bff), and multi-application configs (applications_path).

Acceptance
- Unit tests: 200 + claim headers, 401 (with/without login_url), 403, original method/path from forwarded headers; middleware behavior unchanged.
- README: forward-auth endpoint under Features.

Estimate: 6h
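An added Go sketch (not the project's code) of the verify endpoint semantics described in Scope and the cases listed under Acceptance: one reusable decision function (token → policy → claims), the forwarded-header fallback chain, and the 200/401/403 responses with the x-forwarded-user and Location headers. Token verification is stubbed with a constructed token map standing in for real JWT validation; the Policy struct, the first-matching-policy rule and the config field names beyond those on the page are assumptions.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// Claims is the verified identity carried by a token.
type Claims struct {
	Subject string
	Roles   []string
}

// Policy is an assumed route rule: a request whose method matches Method
// ("*" = any) and whose path starts with PathPrefix needs one of Roles
// (empty Roles = any authenticated user).
type Policy struct {
	Method, PathPrefix string
	Roles              []string
}

// Decision is the single auth outcome shared by middleware and verify endpoint.
type Decision struct {
	Status int // 200, 401 or 403
	Claims *Claims
}

// ForwardAuth mirrors the forward_auth settings named in the issue.
type ForwardAuth struct {
	Path, LoginURL string
	Policies       []Policy
	// validate stands in for real JWT verification (constructed map in newExample).
	validate func(token string) (*Claims, bool)
}

// decide is the one reusable decision: token -> policy -> claims.
func (f *ForwardAuth) decide(authz, method, path string) Decision {
	const bearer = "Bearer "
	if !strings.HasPrefix(authz, bearer) {
		return Decision{Status: http.StatusUnauthorized}
	}
	claims, ok := f.validate(strings.TrimPrefix(authz, bearer))
	if !ok {
		return Decision{Status: http.StatusUnauthorized}
	}
	for _, p := range f.Policies { // assumption: first matching policy wins
		if (p.Method != "*" && p.Method != method) || !strings.HasPrefix(path, p.PathPrefix) {
			continue
		}
		if len(p.Roles) > 0 && !hasAnyRole(claims.Roles, p.Roles) {
			return Decision{Status: http.StatusForbidden, Claims: claims}
		}
		break
	}
	return Decision{Status: http.StatusOK, Claims: claims}
}

func hasAnyRole(have, want []string) bool {
	for _, h := range have {
		for _, w := range want {
			if h == w {
				return true
			}
		}
	}
	return false
}

// originalRequest recovers the fronting proxy's request in the issue's fallback
// order: X-Forwarded-* -> X-Original-* -> the verify request itself.
func originalRequest(r *http.Request) (method, path string) {
	method, path = r.Method, r.URL.Path
	if m := r.Header.Get("X-Forwarded-Method"); m != "" {
		method = m
	} else if m := r.Header.Get("X-Original-Method"); m != "" {
		method = m
	}
	if u := r.Header.Get("X-Forwarded-Uri"); u != "" {
		path = u
	} else if u := r.Header.Get("X-Original-URI"); u != "" {
		path = u
	}
	if i := strings.IndexByte(path, '?'); i >= 0 { // policies match the path only
		path = path[:i]
	}
	return method, path
}

// VerifyHandler is the public endpoint served at forward_auth.path.
func (f *ForwardAuth) VerifyHandler(w http.ResponseWriter, r *http.Request) {
	method, path := originalRequest(r)
	d := f.decide(r.Header.Get("Authorization"), method, path)
	switch d.Status {
	case http.StatusOK:
		w.Header().Set("X-Forwarded-User", d.Claims.Subject) // configured claim header
	case http.StatusUnauthorized:
		if f.LoginURL != "" {
			w.Header().Set("Location", f.LoginURL)
		}
	}
	w.WriteHeader(d.Status)
}

// newExample wires constructed tokens and policies (not the project's config).
func newExample() *ForwardAuth {
	tokens := map[string]*Claims{
		"tok-alice": {Subject: "alice", Roles: []string{"admin"}},
		"tok-bob":   {Subject: "bob", Roles: []string{"viewer"}},
	}
	return &ForwardAuth{
		Path: "/auth/verify", LoginURL: "https://login.example/start",
		Policies: []Policy{
			{Method: "DELETE", PathPrefix: "/api/", Roles: []string{"admin"}},
			{Method: "*", PathPrefix: "/api/"},
		},
		validate: func(t string) (*Claims, bool) { c, ok := tokens[t]; return c, ok },
	}
}

// verify sends one request through the handler and returns status, user header, Location.
func verify(f *ForwardAuth, authz string, hdr map[string]string) (int, string, string) {
	req := httptest.NewRequest("GET", f.Path, nil)
	if authz != "" {
		req.Header.Set("Authorization", authz)
	}
	for k, v := range hdr {
		req.Header.Set(k, v)
	}
	rec := httptest.NewRecorder()
	f.VerifyHandler(rec, req)
	return rec.Code, rec.Header().Get("X-Forwarded-User"), rec.Header().Get("Location")
}

func main() {
	f := newExample()
	fmt.Println(verify(f, "Bearer tok-bob", map[string]string{"X-Forwarded-Method": "DELETE", "X-Forwarded-Uri": "/api/items/1"}))
	fmt.Println(verify(f, "", nil))
}
```

The middleware would call the same decide() with the request's own method and path, which is what keeps the two code paths from drifting.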