Skip to content

providers/proxy: fix missing JWT/claims header #17759

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 4 commits into from
Oct 28, 2025
Merged

providers/proxy: fix missing JWT/claims header #17759

merged 4 commits into from
Oct 28, 2025

Conversation

@BeryJu
Copy link
Member

@BeryJu BeryJu commented Oct 28, 2025
edited
Loading

raw JWT was not correctly de-serialized when loading session

also fix other fields not being correctly serialized

fixes #17750
fixes #17753

BeryJu added 2 commits October 28, 2025 14:28
@BeryJu
replace interface{} with any
9080683 
Signed-off-by: Jens Langhammer <jens@goauthentik.io>
@BeryJu
fix raw token not saved to map or json
322f0a7 
Signed-off-by: Jens Langhammer <jens@goauthentik.io>
@BeryJu BeryJu requested a review from dominic-r October 28, 2025 13:29
@BeryJu BeryJu self-assigned this Oct 28, 2025
@BeryJu BeryJu requested a review from a team as a code owner October 28, 2025 13:29
@netlify
Copy link

netlify bot commented Oct 28, 2025
edited
Loading

Deploy Preview for authentik-docs canceled.

Name Link
🔨 Latest commit f3525a4
🔍 Latest deploy log https://app.netlify.com/projects/authentik-docs/deploys/6900c7f7b86f4100075c8fad

@netlify
Copy link

netlify bot commented Oct 28, 2025
edited
Loading

Deploy Preview for authentik-storybook canceled.

Name Link
🔨 Latest commit f3525a4
🔍 Latest deploy log https://app.netlify.com/projects/authentik-storybook/deploys/6900c7f731cb9b000893a667

@netlify
Copy link

netlify bot commented Oct 28, 2025
edited
Loading

Deploy Preview for authentik-integrations canceled.

Name Link
🔨 Latest commit f3525a4
🔍 Latest deploy log https://app.netlify.com/projects/authentik-integrations/deploys/6900c7f70fdf100008db0acc

@codecov
Copy link

codecov bot commented Oct 28, 2025
edited
Loading

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 92.93%. Comparing base (e8013bf) to head (f3525a4).
⚠️ Report is 2 commits behind head on main.
✅ All tests successful. No failed tests found.

Additional details and impacted files 
@@            Coverage Diff             @@
##             main   #17759      +/-   ##
==========================================
+ Coverage   92.68%   92.93%   +0.25%     
==========================================
  Files         869      869              
  Lines       47949    47949              
==========================================
+ Hits        44443    44563     +120     
+ Misses       3506     3386     -120
Flag Coverage Δ
e2e 45.20% <ø> (+1.41%) ⬆️
integration 23.18% <ø> (+<0.01%) ⬆️
unit 91.07% <ø> (+<0.01%) ⬆️
unit-migrate 91.12% <ø> (+<0.01%) ⬆️

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

BeryJu added 2 commits October 28, 2025 14:35
@BeryJu
also fix proxy claims
8b4d61f 
Signed-off-by: Jens Langhammer <jens@goauthentik.io>
@BeryJu
fix test
f3525a4 
Signed-off-by: Jens Langhammer <jens@goauthentik.io>
dominic-r
dominic-r reviewed Oct 28, 2025
View reviewed changes
internal/outpost/proxyv2/application/auth_test.go
// Convert map to Claims using mapstructure marshaling (like getClaimsFromSession does)
var claims types.Claims
err = json.Unmarshal(jsonData, &claims)
err := mapstructure.Decode(claimsMap, &claims)
Copy link
Member

@dominic-r dominic-r Oct 28, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

more mapstructure, good catch

@BeryJu BeryJu changed the title providers/proxy: fix missing JWT header providers/proxy: fix missing JWT/claims header Oct 28, 2025
@github-actions
Copy link
Contributor

github-actions bot commented Oct 28, 2025
edited
Loading

authentik PR Installation instructions

Instructions for docker-compose

Add the following block to your .env file:

AUTHENTIK_IMAGE=ghcr.io/goauthentik/dev-server
AUTHENTIK_TAG=gh-f3525a4e0a3bf5d06c0fcaf9dd5fa5b1334e16d1
AUTHENTIK_OUTPOSTS__CONTAINER_IMAGE_BASE=ghcr.io/goauthentik/dev-%(type)s:gh-%(build_hash)s

Afterwards, run the upgrade commands from the latest release notes.

Instructions for Kubernetes

Add the following block to your values.yml file:

authentik:
    outposts:
        container_image_base: ghcr.io/goauthentik/dev-%(type)s:gh-%(build_hash)s
global:
    image:
        repository: ghcr.io/goauthentik/dev-server
        tag: gh-f3525a4e0a3bf5d06c0fcaf9dd5fa5b1334e16d1

Afterwards, run the upgrade commands from the latest release notes.

@BeryJu BeryJu merged commit e723573 into main Oct 28, 2025
99 checks passed
@BeryJu BeryJu deleted the providers/proxy/fix-missing-jwt-header branch October 28, 2025 14:14
@github-project-automation github-project-automation bot moved this from Todo to Done in authentik Core Oct 28, 2025
@BeryJu BeryJu added the backport/version-2025.10 Add this label to PRs to backport changes to version-2025.10 label Oct 28, 2025
authentik-automation bot pushed a commit that referenced this pull request Oct 28, 2025
@BeryJu @authentik-automation
providers/proxy: fix missing JWT/claims header (#17759)
6c26141 
* replace interface{} with any

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* fix raw token not saved to map or json

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* also fix proxy claims

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* fix test

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

---------

Signed-off-by: Jens Langhammer <jens@goauthentik.io>
@authentik-automation authentik-automation bot mentioned this pull request Oct 28, 2025
Merged
@authentik-automation
Copy link
Contributor

authentik-automation bot commented Oct 28, 2025

🍒 Cherry-pick to version-2025.10 created: #17764

BeryJu added a commit that referenced this pull request Oct 28, 2025
@authentik-automation @BeryJu
providers/proxy: fix missing JWT/claims header (cherry-pick #17759 to…
2791d87 
… version-2025.10) (#17764)

providers/proxy: fix missing JWT/claims header (#17759)

* replace interface{} with any



* fix raw token not saved to map or json



* also fix proxy claims



* fix test



---------

Signed-off-by: Jens Langhammer <jens@goauthentik.io>
Co-authored-by: Jens L. <jens@goauthentik.io>
@B4dM4n B4dM4n mentioned this pull request Oct 28, 2025
Merged
13 tasks
@BeryJu BeryJu mentioned this pull request Oct 28, 2025
Closed
This was referenced Oct 28, 2025
Closed
Closed
@kettenbach-it kettenbach-it mentioned this pull request Oct 30, 2025
Closed
@BeryJu BeryJu mentioned this pull request Oct 30, 2025
Closed
@rissson rissson mentioned this pull request Nov 3, 2025
Closed
kensternberg-authentik added a commit that referenced this pull request Nov 10, 2025
@kensternberg-authentik
Merge branch 'main' into dev
0845cc4 
* main: (28 commits)
  ci: use hashes for actions everywhere (#17803)
  website/integrations: fixed paperless-ngx yml syntax issue and added additional info (#17739)
  core, web: update translations (#17782)
  ci: rework internal repo (#17797)
  root: use hashes for dockerfile FROM (#17795)
  web: bump validator from 13.15.15 to 13.15.20 in /packages/prettier-config (#17776)
  tasks: delay startup signals (#17769)
  website: bump the build group in /website with 6 updates (#17712)
  core, web: update translations (#17660)
  web: bump vite from 7.1.11 to 7.1.12 in /web (#17689)
  website: bump validator from 13.15.15 to 13.15.20 in /website (#17741)
  web: bump eslint-plugin-react-hooks from 7.0.0 to 7.0.1 in /packages/eslint-config in the eslint group across 1 directory (#17714)
  web: bump validator from 13.15.15 to 13.15.20 in /packages/eslint-config (#17742)
  packages/django-postgres-cache: use upsert instead of select/update in a transaction (#17760)
  providers/radius: fix panic when no cert is configured (#17762)
  sources/oauth: Make PKCE verifier 128 characters (#17763)
  providers/proxy: fix missing JWT/claims header (#17759)
  providers/proxy: add gorm logging (#17758)
  web: bump the sentry group across 1 directory with 2 updates (#17743)
  root: Add Dockerfile label org.opencontainers.image.source (#17756)
  ...
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@dominic-r dominic-r dominic-r approved these changes

Assignees

@BeryJu BeryJu

Labels

area:backend backport/version-2025.10 Add this label to PRs to backport changes to version-2025.10

Projects

authentik Core
Status: Done

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

Scope mapping for proxy / additional header does not work any more with 2025.10.0 x-authentik-jwt header empty after upgrade to 2025.10.0

3 participants

@BeryJu @dominic-r