feat: Make 429 passthrough instead return 401

helper/errors.go

@@ -56,6 +56,11 @@ var (
 		CodeField:   http.StatusBadRequest,
 		StatusField: http.StatusText(http.StatusBadRequest),
 	}
+	ErrTooManyRequests = &herodot.DefaultError{
+		ErrorField:  "Too many requests",
+		CodeField:   http.StatusTooManyRequests,
+		StatusField: http.StatusText(http.StatusTooManyRequests),
+	}
 	ErrUpstreamServiceNotAvailable = &herodot.DefaultError{
 		ErrorField:  "The upstream service is not available",
 		CodeField:   http.StatusServiceUnavailable,

pipeline/authn/authenticator_cookie_session.go

@@ -204,6 +204,20 @@ func forwardRequestToSessionStore(client *http.Client, r *http.Request, cf Authe
 			return json.RawMessage{}, errors.WithStack(herodot.ErrInternalServerError.WithReasonf("Unable to fetch cookie session context from remote: %+v", err))
 		}
 		return body, nil
+	} else if res.StatusCode == http.StatusTooManyRequests {
+		// Handle rate limiting - pass through the response
+		body, _ := io.ReadAll(res.Body)
+		err := helper.ErrTooManyRequests
+		if len(body) > 0 {
+			err = err.WithReasonf("%s", string(body))
+		}
+		// Pass through important rate limit headers
+		for _, header := range []string{"Retry-After", "X-RateLimit-Limit", "X-RateLimit-Remaining", "X-RateLimit-Reset", "X-RateLimit-Type"} {
+			if value := res.Header.Get(header); value != "" {
+				err = err.WithDetail(header, value)
+			}
+		}
+		return json.RawMessage{}, errors.WithStack(err)
 	} else {
 		return json.RawMessage{}, errors.WithStack(helper.ErrUnauthorized)
 	}

pipeline/authn/authenticator_oauth2_client_credentials.go

@@ -235,6 +235,8 @@ func (a *AuthenticatorOAuth2ClientCredentials) Authenticate(r *http.Request, ses
 		if err != nil {
 			if rErr, ok := err.(*oauth2.RetrieveError); ok {
 				switch httpStatusCode := rErr.Response.StatusCode; httpStatusCode {
+				case http.StatusTooManyRequests:
+					return errors.Wrap(helper.ErrTooManyRequests, err.Error())
 				case http.StatusServiceUnavailable:
 					return errors.Wrap(helper.ErrUpstreamServiceNotAvailable, err.Error())
 				case http.StatusInternalServerError:

pipeline/authn/authenticator_oauth2_introspection.go

@@ -220,7 +220,9 @@ func (a *AuthenticatorOAuth2Introspection) Authenticate(r *http.Request, session
 		}
 		defer resp.Body.Close() //nolint:errcheck
 
-		if resp.StatusCode != http.StatusOK {
+		if resp.StatusCode == http.StatusTooManyRequests {
+			return errors.WithStack(helper.ErrTooManyRequests)
+		} else if resp.StatusCode != http.StatusOK {
 			return errors.Errorf("Introspection returned status code %d but expected %d", resp.StatusCode, http.StatusOK)
 		}
 

pipeline/authz/keto_engine_acp_ory.go

@@ -166,7 +166,9 @@ func (a *AuthorizerKetoEngineACPORY) Authorize(r *http.Request, session *authn.A
 	}
 	defer res.Body.Close() //nolint:errcheck // response body close failure not actionable
 
-	if res.StatusCode == http.StatusForbidden {
+	if res.StatusCode == http.StatusTooManyRequests {
+		return errors.WithStack(helper.ErrTooManyRequests)
+	} else if res.StatusCode == http.StatusForbidden {
 		return errors.WithStack(helper.ErrForbidden)
 	} else if res.StatusCode != http.StatusOK {
 		return errors.Errorf("expected status code %d but got %d", http.StatusOK, res.StatusCode)

pipeline/authz/remote.go

@@ -122,7 +122,9 @@ func (a *AuthorizerRemote) Authorize(r *http.Request, session *authn.Authenticat
 	}
 	defer res.Body.Close() //nolint:errcheck // body close errors ignored in tests and handlers
 
-	if res.StatusCode == http.StatusForbidden {
+	if res.StatusCode == http.StatusTooManyRequests {
+		return errors.WithStack(helper.ErrTooManyRequests)
+	} else if res.StatusCode == http.StatusForbidden {
 		return errors.WithStack(helper.ErrForbidden)
 	} else if res.StatusCode != http.StatusOK {
 		return errors.Errorf("expected status code %d but got %d", http.StatusOK, res.StatusCode)

pipeline/authz/remote_json.go

@@ -142,7 +142,9 @@ func (a *AuthorizerRemoteJSON) Authorize(r *http.Request, session *authn.Authent
 	}
 	defer func() { _ = res.Body.Close() }()
 
-	if res.StatusCode == http.StatusForbidden {
+	if res.StatusCode == http.StatusTooManyRequests {
+		return errors.WithStack(helper.ErrTooManyRequests)
+	} else if res.StatusCode == http.StatusForbidden {
 		return errors.WithStack(helper.ErrForbidden)
 	} else if res.StatusCode != http.StatusOK {
 		return errors.Errorf("expected status code %d but got %d", http.StatusOK, res.StatusCode)

pipeline/errors/error_json.go

@@ -12,6 +12,7 @@ import (
 	"github.com/ory/x/httpx"
 
 	"github.com/ory/oathkeeper/driver/configuration"
+	"github.com/ory/oathkeeper/helper"
 	"github.com/ory/oathkeeper/pipeline"
 )
 
@@ -56,6 +57,8 @@ func (a *ErrorJSON) Handle(w http.ResponseWriter, r *http.Request, config json.R
 				handleError = herodot.ErrUnauthorized.WithTrace(handleError)
 			case http.StatusBadRequest:
 				handleError = herodot.ErrBadRequest.WithTrace(handleError)
+			case http.StatusTooManyRequests:
+				handleError = helper.ErrTooManyRequests.WithTrace(handleError)
 			case http.StatusUnsupportedMediaType:
 				handleError = herodot.ErrUnsupportedMediaType.WithTrace(handleError)
 			case http.StatusConflict:

proxy/request_handler.go

@@ -216,6 +216,9 @@ func (d *requestHandler) HandleRequest(r *http.Request, rl *rule.Rule) (session
 			case helper.ErrUnauthorized.ErrorField:
 				d.r.Logger().Info(err)
 				return nil, err
+			case helper.ErrTooManyRequests.ErrorField:
+				d.r.Logger().Info(err)
+				return nil, err
 			default:
 				d.r.Logger().WithError(err).
 					WithFields(fields).