Commit 2a01413

Avoid using auth_jwt_require
1 parent d41d566 commit 2a01413

1 file changed

+3
-2
lines changed

README.md

Lines changed: 3 additions & 2 deletions
@@ -199,13 +199,14 @@ Any errors generated by the OpenID Connect flow are logged to the error log, `/v
199199
* Check for `could not be resolved` and `empty JWK set while sending to client` messages in the error log. This is common when NGINX Plus cannot reach the IdP's `jwks_uri` endpoint.
200200
* Check the `map…$oidc_jwt_keyfile` variable is correct.
201201
* Check the `resolver` directive in **openid_connect.server_conf** is reachable from the NGINX Plus host.
202-
* Check for `OIDC authorization code sent but token response is not JSON.` messages in the error log. This is common when NGINX Plus cannot decompress the IdP's response. Try add the following configuration snippet to the `/_jwks_uri` and `/_token` locations in the openid_connect.server_conf file.
202+
* Check for `OIDC authorization code sent but token response is not JSON.` messages in the error log. This is common when NGINX Plus cannot decompress the IdP's response. Add the following configuration snippet to the `/_jwks_uri` and `/_token` locations to **openid_connect.server_conf**:
203203
```nginx
204-
proxy_set_header Accept-Encoding "gzip";
204+
proxy_set_header Accept-Encoding "gzip";
205205
```
206206

207207
* **Authentication is successful but browser shows too many redirects**
208208
* This is typically because the JWT sent to the browser cannot be validated, resulting in 'authorization required' `401` response and starting the authentication process again. But the user is already authenticated so is redirected back to NGINX, hence the redirect loop.
209+
* Avoid using `auth_jwt_require` directives in your configuration because this can also return a `401` which is indistinguishable from missing/expired JWT.
209210
* Check the error log `/var/log/nginx/error.log` for JWT/JWK errors.
210211
* Ensure that the JWK file (`map…$oidc_jwt_keyfile` variable) is correct and that the nginx user has permission to read it.
211212
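Review bot: The new bullet at README line 209 tells readers to avoid `auth_jwt_require` but gives no replacement for the claim checks people use it for, so a reader who follows it may simply drop the check. Suggest naming the alternative next to the advice: either perform the claim check so that it fails with `403` rather than `401` (the directive accepts an `error=403` parameter in module versions that support it), or state where in the OIDC flow the check should live instead. The point of the bullet is that a `401` from a failed requirement restarts authentication for a user who is already authenticated, which is the redirect loop described on line 208; saying that explicitly would make the reason clearer than "indistinguishable from missing/expired JWT", which would also read better as "from a missing or expired JWT". Separately, on line 202 the rewritten sentence now reads "to the `/_jwks_uri` and `/_token` locations to **openid_connect.server_conf**"; the second "to" should be "in".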
