Skip to content

providers/proxy: fix missing JWT/claims header#17759

Merged
BeryJu merged 4 commits intomainfrom
providers/proxy/fix-missing-jwt-header
Oct 28, 2025
Merged

providers/proxy: fix missing JWT/claims header#17759
BeryJu merged 4 commits intomainfrom
providers/proxy/fix-missing-jwt-header

Conversation

@BeryJu
Copy link
Member

@BeryJu BeryJu commented Oct 28, 2025
edited
Loading

raw JWT was not correctly de-serialized when loading session

also fix other fields not being correctly serialized

fixes #17750
fixes #17753

BeryJu added 2 commits October 28, 2025 14:28
@BeryJu
replace interface{} with any
9080683 
Signed-off-by: Jens Langhammer <jens@goauthentik.io>
@BeryJu
fix raw token not saved to map or json
322f0a7 
Signed-off-by: Jens Langhammer <jens@goauthentik.io>
@BeryJu BeryJu requested a review from dominic-r October 28, 2025 13:29
@BeryJu BeryJu self-assigned this Oct 28, 2025
@BeryJu BeryJu requested a review from a team as a code owner October 28, 2025 13:29
@netlify
Copy link

netlify bot commented Oct 28, 2025
edited
Loading

Deploy Preview for authentik-docs canceled.

Name Link
🔨 Latest commit f3525a4
🔍 Latest deploy log https://app.netlify.com/projects/authentik-docs/deploys/6900c7f7b86f4100075c8fad

@netlify
Copy link

netlify bot commented Oct 28, 2025
edited
Loading

Deploy Preview for authentik-storybook canceled.

Name Link
🔨 Latest commit f3525a4
🔍 Latest deploy log https://app.netlify.com/projects/authentik-storybook/deploys/6900c7f731cb9b000893a667

@netlify
Copy link

netlify bot commented Oct 28, 2025
edited
Loading

Deploy Preview for authentik-integrations canceled.

Name Link
🔨 Latest commit f3525a4
🔍 Latest deploy log https://app.netlify.com/projects/authentik-integrations/deploys/6900c7f70fdf100008db0acc

@codecov
Copy link

codecov bot commented Oct 28, 2025
edited
Loading

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 92.93%. Comparing base (e8013bf) to head (f3525a4).
⚠️ Report is 2 commits behind head on main.
✅ All tests successful. No failed tests found.

Additional details and impacted files 
@@            Coverage Diff             @@
##             main   #17759      +/-   ##
==========================================
+ Coverage   92.68%   92.93%   +0.25%     
==========================================
  Files         869      869              
  Lines       47949    47949              
==========================================
+ Hits        44443    44563     +120     
+ Misses       3506     3386     -120
Flag Coverage Δ
e2e 45.20% <ø> (+1.41%) ⬆️
integration 23.18% <ø> (+<0.01%) ⬆️
unit 91.07% <ø> (+<0.01%) ⬆️
unit-migrate 91.12% <ø> (+<0.01%) ⬆️

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

BeryJu added 2 commits October 28, 2025 14:35
@BeryJu
also fix proxy claims
8b4d61f 
Signed-off-by: Jens Langhammer <jens@goauthentik.io>
@BeryJu
fix test
f3525a4 
Signed-off-by: Jens Langhammer <jens@goauthentik.io>
dominic-r
dominic-r reviewed Oct 28, 2025
View reviewed changes
internal/outpost/proxyv2/application/auth_test.go
// Convert map to Claims using mapstructure marshaling (like getClaimsFromSession does)
var claims types.Claims
err = json.Unmarshal(jsonData, &claims)
err := mapstructure.Decode(claimsMap, &claims)
Copy link
Member

@dominic-r dominic-r Oct 28, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

more mapstructure, good catch

@BeryJu BeryJu changed the title providers/proxy: fix missing JWT header providers/proxy: fix missing JWT/claims header Oct 28, 2025
@github-actions
Copy link
Contributor

github-actions bot commented Oct 28, 2025
edited
Loading

authentik PR Installation instructions

Instructions for docker-compose

Add the following block to your .env file:

AUTHENTIK_IMAGE=ghcr.io/goauthentik/dev-server
AUTHENTIK_TAG=gh-f3525a4e0a3bf5d06c0fcaf9dd5fa5b1334e16d1
AUTHENTIK_OUTPOSTS__CONTAINER_IMAGE_BASE=ghcr.io/goauthentik/dev-%(type)s:gh-%(build_hash)s

Afterwards, run the upgrade commands from the latest release notes.

Instructions for Kubernetes

Add the following block to your values.yml file:

authentik:
    outposts:
        container_image_base: ghcr.io/goauthentik/dev-%(type)s:gh-%(build_hash)s
global:
    image:
        repository: ghcr.io/goauthentik/dev-server
        tag: gh-f3525a4e0a3bf5d06c0fcaf9dd5fa5b1334e16d1

Afterwards, run the upgrade commands from the latest release notes.

@BeryJu BeryJu merged commit e723573 into main Oct 28, 2025
99 checks passed
@BeryJu BeryJu deleted the providers/proxy/fix-missing-jwt-header branch October 28, 2025 14:14
@github-project-automation github-project-automation bot moved this from Todo to Done in authentik Core Oct 28, 2025
@BeryJu BeryJu added the backport/version-2025.10 Add this label to PRs to backport changes to version-2025.10 label Oct 28, 2025
authentik-automation bot pushed a commit that referenced this pull request Oct 28, 2025
@BeryJu @authentik-automation
providers/proxy: fix missing JWT/claims header (#17759)
6c26141 
* replace interface{} with any

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* fix raw token not saved to map or json

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* also fix proxy claims

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* fix test

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

---------

Signed-off-by: Jens Langhammer <jens@goauthentik.io>
@authentik-automation authentik-automation bot mentioned this pull request Oct 28, 2025
Merged
@authentik-automation
Copy link
Contributor

authentik-automation bot commented Oct 28, 2025

🍒 Cherry-pick to version-2025.10 created: #17764

BeryJu added a commit that referenced this pull request Oct 28, 2025
@authentik-automation @BeryJu
providers/proxy: fix missing JWT/claims header (cherry-pick #17759 to…
2791d87 
… version-2025.10) (#17764)

providers/proxy: fix missing JWT/claims header (#17759)

* replace interface{} with any



* fix raw token not saved to map or json



* also fix proxy claims



* fix test



---------

Signed-off-by: Jens Langhammer <jens@goauthentik.io>
Co-authored-by: Jens L. <jens@goauthentik.io>
@B4dM4n B4dM4n mentioned this pull request Oct 28, 2025
Merged
13 tasks
@BeryJu BeryJu mentioned this pull request Oct 28, 2025
Closed
This was referenced Oct 28, 2025
Closed
Closed
@kettenbach-it kettenbach-it mentioned this pull request Oct 30, 2025
Closed
@BeryJu BeryJu mentioned this pull request Oct 30, 2025
Closed
@rissson rissson mentioned this pull request Nov 3, 2025
Closed
kensternberg-authentik added a commit that referenced this pull request Nov 10, 2025
@kensternberg-authentik
Merge branch 'main' into dev
0845cc4 
* main: (28 commits)
  ci: use hashes for actions everywhere (#17803)
  website/integrations: fixed paperless-ngx yml syntax issue and added additional info (#17739)
  core, web: update translations (#17782)
  ci: rework internal repo (#17797)
  root: use hashes for dockerfile FROM (#17795)
  web: bump validator from 13.15.15 to 13.15.20 in /packages/prettier-config (#17776)
  tasks: delay startup signals (#17769)
  website: bump the build group in /website with 6 updates (#17712)
  core, web: update translations (#17660)
  web: bump vite from 7.1.11 to 7.1.12 in /web (#17689)
  website: bump validator from 13.15.15 to 13.15.20 in /website (#17741)
  web: bump eslint-plugin-react-hooks from 7.0.0 to 7.0.1 in /packages/eslint-config in the eslint group across 1 directory (#17714)
  web: bump validator from 13.15.15 to 13.15.20 in /packages/eslint-config (#17742)
  packages/django-postgres-cache: use upsert instead of select/update in a transaction (#17760)
  providers/radius: fix panic when no cert is configured (#17762)
  sources/oauth: Make PKCE verifier 128 characters (#17763)
  providers/proxy: fix missing JWT/claims header (#17759)
  providers/proxy: add gorm logging (#17758)
  web: bump the sentry group across 1 directory with 2 updates (#17743)
  root: Add Dockerfile label org.opencontainers.image.source (#17756)
  ...
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@dominic-r dominic-r dominic-r approved these changes

Assignees

@BeryJu BeryJu

Labels

area:backend backport/version-2025.10 Add this label to PRs to backport changes to version-2025.10

Projects

authentik Core
Status: Done

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

Scope mapping for proxy / additional header does not work any more with 2025.10.0 x-authentik-jwt header empty after upgrade to 2025.10.0

2 participants

@BeryJu @dominic-r