feat: allow fallback when using JWT

pipeline/authn/authenticator_jwt.go

@@ -4,6 +4,7 @@ import (
 	"encoding/json"
 	"fmt"
 	"net/http"
+	"strings"
 
 	"github.com/golang-jwt/jwt/v4"
 	"github.com/pkg/errors"
@@ -79,6 +80,12 @@ func (a *AuthenticatorJWT) Authenticate(r *http.Request, session *Authentication
 		return errors.WithStack(ErrAuthenticatorNotResponsible)
 	}
 
+	// If the token is not a JWT, declare ourselves not responsible. This enables using fallback authenticators (i. e.
+	// bearer_token or oauth2_introspection) for different token types at the same location.
+	if len(strings.Split(token, ".")) != 3 {
+		return errors.WithStack(ErrAuthenticatorNotResponsible)
+	}
+
 	if len(cf.AllowedAlgorithms) == 0 {
 		cf.AllowedAlgorithms = []string{"RS256"}
 	}

pipeline/authn/authenticator_jwt_test.go

@@ -135,6 +135,13 @@ func TestAuthenticatorJWT(t *testing.T) {
 				expectErr:      true,
 				expectExactErr: ErrAuthenticatorNotResponsible,
 			},
+			{
+				d:              "should return error saying that authenticator is not responsible for validating the request, as the token provided is not a JWT",
+				r:              &http.Request{Header: http.Header{"X-Custom-Header": []string{"bm90LWp3dA=="}}}, // not-jwt
+				config:         `{"token_from": {"header": "X-Custom-Header"}}`,
+				expectErr:      true,
+				expectExactErr: ErrAuthenticatorNotResponsible,
+			},
 			{
 				d: "should pass because the valid JWT token was provided in a proper location (custom header)",
 				r: &http.Request{Header: http.Header{"X-Custom-Header": []string{gen(keys[1], jwt.MapClaims{