Bearer token for upstream server with NGINX reverse proxy. Is the header being stripped?

Question

I have a Tomcat server that is behind an NGINX reverse proxy applying SSL. There is a bearer token in place for API calls on the Tomcat server, but I am getting a 401 error when I send this token to an endpoint in Postman. The proxy otherwise works flawlessly.

I've spent way too long troubleshooting this, but I've only looked at my proxy settings. I discovered last night that the proxy should be forwarding Authentication headers to the upstream Tomcat server, so now I'm lost as to how to troubleshoot this. Has anyone encountered this before or can point me in the right direction? This is outside of my normal scope so I'm a little out of my element.

EDIT - Even when I force the header with the Bearer token using "proxy_set_header Authorization "Bearer $ID_TOKEN";" it still returns the 401 error. Is it maybe adding something it shouldn't like a second Authorization header, or appending the Authorization header?

EDIT2 - Tomcat error logs show:

[{"time":"2021-05-14 19:01:10.069","description":"Request header did not include a token."}]

Answer 1

If you are not using the auth_request module for NGINX then it should be fairly easy to simply pass the Authorization headers as followed:

proxy_set_header Authorization $http_authorization;
proxy_pass_header Authorization; 

If this doesn't work i will really need to see more of your NGINX configuration and I would strongly suggest to use the NGINX auth_request module to handle all oAuth on the NGINX server itself.