Open
Labels
bug (Something isn't working)
Description
Context here https://openziti.discourse.group/t/keycloak-idp-as-secondary-auth/5143/3
Steps to reproduce:
- set up ext-jwt-signer, verify it's set up and works for primary auth
- create auth policy that has cert-based primary auth only (not ext-jwt-signer) and requires the validated ext-jwt-signer as secondary auth
- assign auth policy to user
- attempt to auth
Observe error on controller that appears to indicate primary ext-jwt auth is being performed:
"error":"primary external jwt processing failed on authentication policy [ukNZvLkSy4J2B2BUmaXVt]: primary external jwt authentication on auth policy is disabled"
Hypothesis is the C SDK needs to send two auth headers in the HA/OIDC auth flow, or two different headers (apisession/secondary auth) for legacy