I had some success doing the intercept one level above the auth proxy location, i.e. in the enclosing server block (using grpc_intercept_errors), like this:
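server {
    listen 443 ssl http2;
    # Defined outside this snippet; presumably holds the grpc_pass locations
    # for the backend services (confirm against the actual file).
    include grpc_servers.conf;

    # Send all requests to the `/validate` endpoint for authorization.
    # auth_request allows the request on a 2xx reply and denies it on 401/403;
    # any other reply from the auth service is treated as an error, so an
    # unreachable or failing auth service rejects requests instead of letting
    # them through (fail closed).
    auth_request /validate;

    # Routes gRPC upstream replies with status >= 300 through error_page too,
    # so a 401 returned by a backend is rewritten the same way as an auth
    # failure unless a location sets its own error_page.
    grpc_intercept_errors on;
    # Only 401 is mapped here; a 403 from the auth service still reaches the
    # client as a plain HTTP 403 unless it is handled elsewhere.
    error_page 401 @grpc_auth_fail;

    location = /validate {
        # Restrict this location to nginx-internal requests (the auth
        # subrequest), so clients cannot address the auth backend directly.
        internal;

        # NOTE(review): this hop is plain HTTP, so the forwarded request
        # headers (including any credentials) are unencrypted on this link.
        # Keep it on a trusted network segment or switch to an https upstream.
        proxy_pass http://auth:5000;

        # The request body is discarded for auth subrequests, so do not
        # announce or forward one to the auth service.
        proxy_pass_request_body off;
        proxy_set_header Content-Length "";

        # Interception was moved up to the server block; these are kept for
        # reference only.
        #proxy_intercept_errors on;
        #error_page 401 @grpc_auth_fail;
    }

    # Named location: reachable only through error_page, never by a client URI.
    location @grpc_auth_fail {
        # gRPC clients expect an application/grpc content type on the reply
        # that carries grpc-status; without this the default type is used.
        default_type application/grpc;

        # 16 is the gRPC UNAUTHENTICATED status code. It is sent both as a
        # header and as a trailer, with HTTP 200 as the transport status.
        add_trailer grpc-status 16 always;
        add_header grpc-status 16 always;
        add_trailer grpc-message Unauthorized always;
        add_header grpc-message Unauthorized always;
        return 200;
    }
}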