Having issues while trying to protect server with OIDC RP

[b-rajesh]

Hi

When i am trying to protect the server (instead of location) with OIDC RP reference implementation , login flow is not kicking off. It works fine if we have the following defined in the location block works fine as mentioned in the reference implementation
error_page 401 = @do_oidc_flow;
auth_jwt "authz" token=$session_jwt;
auth_jwt_key_request /_jwks_uri; # Enable when using filename

Since the auth_jwt is defined in the server block , the named location is also being protected . I was directed to use
auth_jwt off;
in the openid_connect.server_conf

Can we fix the openid_connect.server_conf to have the same ? though the reference implementation doesn't have this challenge, it would helpful if anyone wanted to protect the whole server to with the given config.

[tippexs]

Hi @b-rajesh sorry for the late response. As discussed back in July I do not have any security concerns disabling the jwt protection for the locations handling the authentication.

Did you do any testing with the suggested solution?