What's happening
When a user enables both OIDC authentication and WAF protection on the same gateway, OIDC silently stops working. Requests pass through unauthenticated even though the SecurityPolicy shows as Accepted with no errors.
Why it matters
Users have no indication anything is wrong. The policy reports success, there are no error messages, and the gateway continues to serve traffic — it just doesn't enforce the login flow they configured.
Root cause
When WAF is enabled on a gateway, the platform patches each route to inject the WAF filter configuration. The patch targets the route's entire typed_per_filter_config object, so applying it replaces that whole object and drops the per-route entry that enables the OIDC filter. The OIDC filter remains installed in the listener's filter chain, but without its per-route entry it is never activated for any route, and nothing in the policy status reflects that.
Steps to reproduce
- Create a gateway with a hostname
- Apply a SecurityPolicy with OIDC targeting the gateway
- Enable WAF protection on the same gateway (TrafficProtectionPolicy)
- Access the gateway — OIDC login is not triggered
Expected behavior
Both WAF and OIDC work together. Enabling one should not silently disable the other.
Fix
The WAF patch should add its own filter config key under typed_per_filter_config rather than replacing the entire object. Changing the JSON patch path from /typed_per_filter_config to /typed_per_filter_config/coraza-waf makes the "add" operation set only the coraza-waf member, so the WAF entry lands alongside any existing entries (the OIDC one included) instead of overwriting them. Two caveats for the fix: RFC 6902 "add" on an existing member still replaces that member, which is exactly why the original path wiped the object, and RFC 6902 requires the parent referenced by the path to exist, so a route that has no typed_per_filter_config yet needs that object created before the narrower path can be applied. A regression check should confirm that, after enabling WAF, the OIDC entry is still present in the route's typed_per_filter_config in the proxy's config dump.
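The following Go program is an added illustration of the root cause and the fix, not code from the project: it applies a minimal RFC 6902 "add" operation to a constructed xDS route at both patch paths and shows which per-filter entries survive. The route shape, the OIDC member name (envoy.filters.http.oauth2), the WAF config value, and the applyAdd helper are all assumptions made for the example; the real patch engine and filter names may differ. It also exercises the parent-must-exist caveat by patching a route that has no typed_per_filter_config at all.

```go
package main

import (
	"encoding/json"
	"fmt"
	"sort"
	"strings"
)

// routeJSON is a constructed sample route (not a real config dump). The
// per-route member under typed_per_filter_config is what turns the OIDC
// filter on for this route; the member name is an assumption.
const routeJSON = `{
  "name": "httproute/default/app/rule/0",
  "match": {"prefix": "/"},
  "route": {"cluster": "app"},
  "typed_per_filter_config": {
    "envoy.filters.http.oauth2": {
      "@type": "type.googleapis.com/envoy.config.route.v3.FilterConfig",
      "disabled": false
    }
  }
}`

// bareRouteJSON is a constructed route with no per-filter config yet.
const bareRouteJSON = `{"name": "httproute/default/bare/rule/0", "match": {"prefix": "/"}, "route": {"cluster": "bare"}}`

const (
	WAFKey    = "coraza-waf"                       // member the WAF patch adds
	OIDCKey   = "envoy.filters.http.oauth2"        // assumed OIDC member name
	BuggyPath = "/typed_per_filter_config"         // replaces the whole object
	FixedPath = "/typed_per_filter_config/" + WAFKey // adds one member
)

// wafConfig is a constructed stand-in for the real WAF filter config value.
func wafConfig() map[string]any {
	return map[string]any{
		"@type": "type.googleapis.com/xds.type.v3.TypedStruct",
		"value": map[string]any{"directives": "SecRuleEngine On"},
	}
}

// applyAdd implements the RFC 6902 "add" operation for object members only
// (arrays are out of scope). Per the RFC, "add" on an existing member
// replaces it, and every parent referenced by the path must already exist.
func applyAdd(doc map[string]any, path string, value any) error {
	if !strings.HasPrefix(path, "/") {
		return fmt.Errorf("path %q must start with '/'", path)
	}
	tokens := strings.Split(path[1:], "/")
	for i, tok := range tokens {
		// RFC 6901 unescaping: ~1 -> "/" first, then ~0 -> "~".
		tokens[i] = strings.ReplaceAll(strings.ReplaceAll(tok, "~1", "/"), "~0", "~")
	}
	parent := doc
	for _, tok := range tokens[:len(tokens)-1] {
		next, ok := parent[tok].(map[string]any)
		if !ok {
			return fmt.Errorf("path %q: parent member %q is missing or not an object", path, tok)
		}
		parent = next
	}
	parent[tokens[len(tokens)-1]] = value
	return nil
}

// patchRoute parses a fresh copy of src and applies the WAF patch at path.
// The value is shaped to match the path: the buggy patch carries the whole
// object, the fixed patch carries only the WAF entry.
func patchRoute(src, path string) (map[string]any, error) {
	var route map[string]any
	if err := json.Unmarshal([]byte(src), &route); err != nil {
		return nil, err
	}
	var value any = wafConfig()
	if path == BuggyPath {
		value = map[string]any{WAFKey: wafConfig()}
	}
	if err := applyAdd(route, path, value); err != nil {
		return nil, err
	}
	return route, nil
}

// perFilterKeys lists the members of typed_per_filter_config, sorted.
func perFilterKeys(route map[string]any) []string {
	cfg, _ := route["typed_per_filter_config"].(map[string]any)
	keys := make([]string, 0, len(cfg))
	for k := range cfg {
		keys = append(keys, k)
	}
	sort.Strings(keys)
	return keys
}

// oidcEnabled is the regression check: after any patch the OIDC entry must
// still be present, otherwise the route silently serves unauthenticated.
func oidcEnabled(route map[string]any) bool {
	cfg, _ := route["typed_per_filter_config"].(map[string]any)
	_, ok := cfg[OIDCKey]
	return ok
}

func main() {
	for _, path := range []string{BuggyPath, FixedPath} {
		route, err := patchRoute(routeJSON, path)
		if err != nil {
			fmt.Println("patch failed:", err)
			continue
		}
		fmt.Printf("%-38s keys=%v oidc_enabled=%v\n", path, perFilterKeys(route), oidcEnabled(route))
	}
	if _, err := patchRoute(bareRouteJSON, FixedPath); err != nil {
		fmt.Println("bare route:", err) // parent object missing, as RFC 6902 requires
	}
}
```

Running it shows the buggy path leaving only coraza-waf under typed_per_filter_config while the fixed path keeps both entries; the last call shows that the narrower path fails on a route with no typed_per_filter_config, which is why the fix needs to create the parent object (or fall back to the full-object add) for such routes.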