Preflight checklist
Ory Network Project
No response
Describe the bug
When Oathkeeper is used in decision mode (e.g., as a forwardAuth backend for Traefik), query parameters from the original request URL are discarded. This breaks any authenticator configured with token_from.query_parameter, such as extracting a JWT from ?token=<jwt>.
Reproducing the bug
- Configure an access rule with a jwt authenticator using
token_from.query_parameter:
authenticators:
- handler: jwt
config:
token_from:
query_parameter: token
-
Send a request through the decision API with a signed JWT in the query string:
GET /decisions
X-Forwarded-Proto: https
X-Forwarded-Host: api.example.com
X-Forwarded-Uri: /api/resource?token=eyJhbGciOiJSUzI1NiIs...
X-Forwarded-Method: GET
-
Oathkeeper returns 401 Unauthorized — no authenticator matches, because the jwt authenticator never sees the token query parameter.
Relevant log output
Relevant configuration
Version
v0.40.9
On which operating system are you observing this issue?
Linux
In which environment are you deploying?
Kubernetes with Helm
Additional Context
This was introduced in #1025 to fix #1003
Preflight checklist
Ory Network Project
No response
Describe the bug
When Oathkeeper is used in decision mode (e.g., as a forwardAuth backend for Traefik), query parameters from the original request URL are discarded. This breaks any authenticator configured with
token_from.query_parameter, such as extracting a JWT from?token=<jwt>.Reproducing the bug
token_from.query_parameter:Send a request through the decision API with a signed JWT in the query string:
GET /decisions
X-Forwarded-Proto: https
X-Forwarded-Host: api.example.com
X-Forwarded-Uri: /api/resource?token=eyJhbGciOiJSUzI1NiIs...
X-Forwarded-Method: GET
Oathkeeper returns 401 Unauthorized — no authenticator matches, because the jwt authenticator never sees the token query parameter.
Relevant log output
Relevant configuration
Version
v0.40.9
On which operating system are you observing this issue?
Linux
In which environment are you deploying?
Kubernetes with Helm
Additional Context
This was introduced in #1025 to fix #1003