nats-io · istvan-andrasi · Nov 4, 2025
@@ -23,6 +23,7 @@ import (
 	"unicode"
 
 	"github.com/nats-io/jwt/v2"
+	"github.com/nats-io/nats.go/micro"
 	"github.com/nats-io/nkeys"
 )
 
@@ -79,7 +80,14 @@ func (s *Server) processClientOrLeafCallout(c *client, opts *Options, proxyRequi
 
 	decodeResponse := func(rc *client, rmsg []byte, acc *Account) (*jwt.UserClaims, error) {
 		account := acc.Name
-		_, msg := rc.msgParts(rmsg)
+		hdr, msg := rc.msgParts(rmsg)
+		if hdr != nil {
+			code := sliceHeader(micro.ErrorCodeHeader, hdr)
+			desc := sliceHeader(micro.ErrorHeader, hdr)
+			if code != nil || desc != nil {
+				return nil, fmt.Errorf("auth callout service returned an error: %s: %s", code, desc)
+			}
+		}
 
 		// This signals not authorized.
 		// Since this is an account subscription will always have "\r\n".

@@ -31,6 +31,7 @@ import (
 
 	"github.com/nats-io/jwt/v2"
 	"github.com/nats-io/nats.go"
+	"github.com/nats-io/nats.go/micro"
 	"github.com/nats-io/nkeys"
 )
 
@@ -2492,3 +2493,65 @@ func TestAuthCalloutProxyRequiredInUserNotInAuthJWT(t *testing.T) {
 	// Auth callout should have been invoked once.
 	require_Equal(t, 1, int(invoked.Load()))
 }
+
+func TestAuthCalloutErrorInHeader(t *testing.T) {
+	srv, _ := RunServerWithConfig(createConfFile(t, []byte(`
+		listen: "127.0.0.1:-1"
+		server_name: A
+		accounts {
+			AUTH: {
+				users: [ { user: auth, password: auth } ]
+			}
+			APP: {
+				users: [ { user: user, password: pass } ]
+			}
+			SYS: {}
+		}
+		system_account: SYS
+
+		authorization {
+			timeout: 1s
+			auth_callout {
+				issuer: "`+authCalloutIssuer+`"
+				auth_users: [ auth ]
+				account: AUTH
+			}
+		}
+	`)))
+	t.Cleanup(srv.WaitForShutdown)
+	t.Cleanup(srv.Shutdown)
+
+	authConn, err := nats.Connect(srv.ClientURL(), nats.UserInfo("auth", "auth"))
+	require_NoError(t, err)
+	t.Cleanup(authConn.Close)
+
+	authErrSub, err := authConn.SubscribeSync(authErrorAccountEventSubj)
+	require_NoError(t, err)
+
+	_, err = micro.AddService(authConn, micro.Config{
+		Name:        "AuthCalloutError",
+		Version:     "0.1.0",
+		Description: "Returns an authorization error as service error message headers.",
+		Endpoint: &micro.EndpointConfig{
+			Subject: AuthCalloutSubject,
+			Handler: micro.HandlerFunc(func(req micro.Request) {
+				req.Error("500", "custom error message", nil)
+			}),
+		},
+	})
+	require_NoError(t, err)
+
+	_, err = nats.Connect(srv.ClientURL(), nats.UserInfo("user", "pass"))
+	require_Error(t, err)
+
+	msg, err := authErrSub.NextMsg(time.Second)
+	require_NoError(t, err)
+
+	var dmsg DisconnectEventMsg
+	err = json.Unmarshal(msg.Data, &dmsg)
+	require_NoError(t, err)
+
+	if !strings.Contains(dmsg.Reason, "500: custom error message") {
+		t.Fatalf("reason %q does not contain %q", dmsg.Reason, "500: custom error message")
+	}
+}