Closed
Labels: bug (An issue reporting a potential bug)
Description
Version: edge
What Kubernetes platforms are you running on? Kind
Steps to reproduce
As requested in #8069, I created a new issue (although I still think it is related to the fetching of JWKs not being implemented correctly).
The generated configuration for fetching JWKs is:

```nginx
location = /_jwks_uri_server_XXXX {
    internal;
    proxy_method GET;
    proxy_set_header Content-Length "";
    proxy_cache jwks_uri_XXXX;
    proxy_cache_valid 200 12h;
    proxy_set_header Host XXXX;
    set $idp_backend XXXX;
    proxy_pass https://$idp_backend/jwks;
}
```
Without the following headers set:

```nginx
proxy_pass_request_headers off;
proxy_pass_request_body off;
```

both the body and the headers are passed to the upstream. This will leak credentials such as tokens from the upstream to the IdP, and should be considered a security issue.

From the discussion in the original issue: making the directives configurable does not make sense in a normal scenario, as JWKs are fetched unauthenticated.
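To make the problem concrete, here is an added example (not code from the issue author or from the NGINX Ingress Controller project) that parses a generated JWKS-fetch `location` block and reports which of the two directives that stop the client's request from being forwarded are missing. The two sample blocks are constructed for illustration: the vulnerable one mirrors the generated configuration quoted above, the hardened one adds `proxy_pass_request_headers off` and `proxy_pass_request_body off`. The placeholder names (`idp.example.com`, `jwks_uri_example`) are assumptions, not values from the project.

```python
"""Audit a generated NGINX JWKS-fetch location for request leakage.

Added example, not part of the issue or the NGINX Ingress Controller
code base. It tokenises a single, flat 'location { ... }' block and
checks for the directives that prevent the original client request
(Authorization headers, cookies, body) from being proxied to the IdP.
"""
import re
import shlex

# Both directives default to 'on' in NGINX, so leaving them out means
# the client's headers and body travel to the IdP along with the GET.
REQUIRED = {
    "proxy_pass_request_headers": "off",
    "proxy_pass_request_body": "off",
}

# Constructed sample: the shape of the generated block from the issue,
# with placeholder hostnames instead of the redacted XXXX values.
VULNERABLE_LOCATION = """
location = /_jwks_uri_server_example {
    internal;
    proxy_method GET;
    proxy_set_header Content-Length "";
    proxy_cache jwks_uri_example;
    proxy_cache_valid 200 12h;
    proxy_set_header Host idp.example.com;
    set $idp_backend idp.example.com;
    proxy_pass https://$idp_backend/jwks;
}
"""

# Constructed sample: the same block with the two missing directives,
# so only the explicitly set Host and Content-Length headers are sent.
HARDENED_LOCATION = """
location = /_jwks_uri_server_example {
    internal;
    proxy_method GET;
    proxy_pass_request_headers off;
    proxy_pass_request_body off;
    proxy_set_header Content-Length "";
    proxy_set_header Host idp.example.com;
    proxy_cache jwks_uri_example;
    proxy_cache_valid 200 12h;
    set $idp_backend idp.example.com;
    proxy_pass https://$idp_backend/jwks;
}
"""


def parse_location_block(text):
    """Return (location_match, {directive: [args, ...]}) for one block.

    Minimal parser: comments are stripped, the body is split on ';' and
    each statement is split with shlex so quoted arguments survive.
    Nested blocks inside the location are not supported.
    """
    text = re.sub(r"#.*", "", text)
    m = re.search(r"location\s+(.*?)\s*\{(.*)\}\s*$", text, re.S)
    if not m:
        raise ValueError("no location block found")
    where, body = m.group(1), m.group(2)
    directives = {}
    for stmt in body.split(";"):
        stmt = stmt.strip()
        if not stmt:
            continue
        parts = shlex.split(stmt)
        directives.setdefault(parts[0], []).append(parts[1:])
    return where, directives


def audit_jwks_location(text):
    """Return a list of (directive, problem) findings for a JWKS location.

    An empty list means the block forwards neither the client's headers
    nor the client's body to the IdP. The last occurrence of a directive
    wins, matching how NGINX treats repeated directives in one context.
    """
    _, directives = parse_location_block(text)
    findings = []
    for name, wanted in REQUIRED.items():
        values = directives.get(name)
        if values is None:
            findings.append((name, "missing; NGINX default is on"))
        elif values[-1] != [wanted]:
            got = " ".join(values[-1])
            findings.append((name, f"set to {got!r}, expected {wanted!r}"))
    return findings


if __name__ == "__main__":
    for label, conf in (("vulnerable", VULNERABLE_LOCATION),
                        ("hardened", HARDENED_LOCATION)):
        print(label, audit_jwks_location(conf) or "ok")
```

Running the script reports both directives as missing for the first block and nothing for the second. The same check can be pointed at the rendered `nginx.conf` inside the ingress controller pod to confirm that the JWKS location no longer forwards the client's request.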