How to handle failed login / nothing to sign? #970

Open
jessdwitch opened this issue Feb 12, 2025 · 0 comments
jessdwitch commented Feb 12, 2025

Environment info:

  • KrakenD version: 2.3.3
  • System info: Darwin 23.6.0 arm64
  • Hardware specs: 10 cores; 16GB RAM
  • Backend technology: Go
  • Additional environment information:

Describe what you are trying to do:
What is the correct way to configure a signer for a login endpoint? The issue I'm having is that when a user enters invalid credentials, the backend returns an error message and a 401. KrakenD then forwards a 400 to the frontend because it tries to find the token key in the payload, can't, errors, and changes the response to a generic error. I can follow that logic, but it makes it impossible to follow the IETF standard of returning a 401 on a bad login, so I feel like I'm missing something. What do I need to change in my config to make this return the correct status code?

I've tried changing the backend response in a few ways as well: removing the token attribute; keeping it in, but having it be null; or having it be an empty body. All produce the same result.

Your configuration file:

The relevant part:

{
  "endpoint": "/v3/auth/session",
  "method": "POST",
  "output_encoding": "json",
  "extra_config": {
    "auth/signer": {
      "alg": "RS256",
      "jwk_url": "http://auth/.well-known/private.json",
      "disable_jwk_security": true,
      "kid": "testkid",
      "keys_to_sign": [
        "token"
      ]
    }
  },
  "backend": [
    {
      "url_pattern": "/api/v1/session",
      "encoding": "json",
      "method": "POST",
      "host": [
        "http://auth:80"
      ]
    }
  ]
}
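To make the failure mode in this issue concrete, here is an added Go model of the two behaviours being contrasted (example code written for this page, not KrakenD's signer implementation and not the reporter's backend). `Response`, `naiveSigner`, `passthroughSigner`, `signRS256` and `verifyRS256` are names invented for the example; the RSA key is generated at runtime and the login responses are constructed inline. `naiveSigner` reproduces what the report describes: it looks for the `token` key regardless of the upstream status and collapses a missing key into a generic 400. `passthroughSigner` shows the behaviour the reporter expects, where a non-2xx backend response is returned untouched so the client receives the real 401, and RS256 signing only runs on a successful login.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"net/http"
	"strings"
)

// Response models what a gateway sees from a backend: a status code plus the
// decoded JSON body. This is a constructed type for the example, not KrakenD's.
type Response struct {
	Status int
	Body   map[string]any
}

// signRS256 builds a compact JWT (header.payload.signature) over the claims
// using RSASSA-PKCS1-v1_5 with SHA-256, the "alg" named in the issue's config.
func signRS256(priv *rsa.PrivateKey, kid string, claims map[string]any) (string, error) {
	enc := base64.RawURLEncoding
	header, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT", "kid": kid})
	payload, err := json.Marshal(claims)
	if err != nil {
		return "", err
	}
	signingInput := enc.EncodeToString(header) + "." + enc.EncodeToString(payload)
	digest := sha256.Sum256([]byte(signingInput))
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return signingInput + "." + enc.EncodeToString(sig), nil
}

// naiveSigner mirrors the behaviour described in the issue: it always looks for
// the key to sign and turns a missing key into a generic 400, even when the
// backend already answered with a 401 for bad credentials.
func naiveSigner(priv *rsa.PrivateKey, kid, key string, in Response) Response {
	claims, ok := in.Body[key].(map[string]any)
	if !ok {
		return Response{Status: http.StatusBadRequest, Body: map[string]any{"error": "nothing to sign"}}
	}
	tok, err := signRS256(priv, kid, claims)
	if err != nil {
		return Response{Status: http.StatusInternalServerError, Body: map[string]any{"error": "signing failed"}}
	}
	out := make(map[string]any, len(in.Body))
	for k, v := range in.Body {
		out[k] = v
	}
	out[key] = tok // the claims object is replaced by the signed JWT
	return Response{Status: in.Status, Body: out}
}

// passthroughSigner is the behaviour the reporter wants: a non-2xx backend
// response is forwarded unchanged so the client sees the real 401, and signing
// only runs when the login actually succeeded.
func passthroughSigner(priv *rsa.PrivateKey, kid, key string, in Response) Response {
	if in.Status < 200 || in.Status > 299 {
		return in
	}
	return naiveSigner(priv, kid, key, in)
}

// verifyRS256 checks a token produced by signRS256 against the public key.
func verifyRS256(pub *rsa.PublicKey, token string) bool {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return false
	}
	sig, err := base64.RawURLEncoding.DecodeString(parts[2])
	if err != nil {
		return false
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	return rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig) == nil
}

func main() {
	priv, _ := rsa.GenerateKey(rand.Reader, 2048)
	// Constructed sample responses: a successful login and a rejected one.
	good := Response{Status: 200, Body: map[string]any{"token": map[string]any{"sub": "alice"}}}
	bad := Response{Status: 401, Body: map[string]any{"error": "invalid credentials"}}
	fmt.Println("naive on 401:", naiveSigner(priv, "testkid", "token", bad).Status)             // 400
	fmt.Println("passthrough on 401:", passthroughSigner(priv, "testkid", "token", bad).Status) // 401
	signed := passthroughSigner(priv, "testkid", "token", good)
	fmt.Println("signed token verifies:", verifyRS256(&priv.PublicKey, signed.Body["token"].(string)))
}
```

The point of the contrast is that the decision to sign must be made on the upstream status before the body is inspected: a 401 from the auth backend carries no claims by design, and treating that absence as a malformed response is what turns an authentication failure into a client-error code the frontend cannot act on.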