We're running Jenkins behind an instance of bitly's oauth2_proxy, to control access using Google accounts. We recently updated to a newer version, and as soon as security was enabled we got an NPE from the plugin:
Looking at the code, it became clear that the proxy was sending a basic auth header, as well as the X-Forwarded ones, which caused the error after looking up a non-existent user.
I'm reporting this as a bug because of the NPE, but I don't really know what the "correct" behaviour should be. Obviously, from my perspective, I'd prefer the duff header to be ignored, and the other headers used. But I can accept the viewpoint that if the header is sent, and invalid, it is treated as an unauthorised request.
Please let me know if you need any more info.
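To make the failure mode concrete, here is an added illustration (not the plugin's code, and not the reporter's) that models the decision path in a reverse-proxy authentication filter. The user store, the `User` class, the `X-Forwarded-User` header name and the `policy` switch are all assumptions for the example; the constructed request reproduces the situation described above, where the proxy sends a `Basic` credential for a user the application does not know alongside the forwarded identity headers. `authenticate_buggy` shows how a `None` result from the user lookup turns into an exception, and `authenticate` shows the two behaviours the report describes: ignoring the unusable header and falling through to the forwarded identity, or treating an invalid header as an unauthenticated request.

```python
import base64
import binascii
from typing import Dict, Optional, Tuple

# Constructed user directory standing in for the application's user store.
# Plaintext passwords are used only to keep the example short.
KNOWN_USERS = {"alice": "s3cret"}


class User:
    """Minimal stand-in for an application user record (assumed, not real API)."""

    def __init__(self, name: str, password: str) -> None:
        self.name = name
        self._password = password

    def check_password(self, candidate: str) -> bool:
        return candidate == self._password


def lookup_user(name: str) -> Optional[User]:
    """Return the user record, or None when the name is unknown."""
    if name in KNOWN_USERS:
        return User(name, KNOWN_USERS[name])
    return None


def parse_basic(header: Optional[str]) -> Optional[Tuple[str, str]]:
    """Decode an 'Authorization: Basic ...' value into (user, password).

    Returns None for a missing, non-Basic, undecodable or malformed header
    so that callers never have to guess what 'invalid' means.
    """
    if not header or not header.lower().startswith("basic "):
        return None
    try:
        raw = base64.b64decode(header[6:].strip(), validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    if ":" not in raw:
        return None
    user, password = raw.split(":", 1)
    return user, password


def authenticate_buggy(headers: Dict[str, str]) -> Optional[str]:
    """The failure mode: lookup returns None and is used without a check.

    In Python this raises AttributeError, the analogue of the Java NPE.
    """
    creds = parse_basic(headers.get("Authorization"))
    if creds is not None:
        name, password = creds
        user = lookup_user(name)
        if user.check_password(password):  # user may be None here
            return user.name
    return headers.get("X-Forwarded-User")


def authenticate(headers: Dict[str, str], policy: str = "ignore") -> Optional[str]:
    """Hardened decision path with an explicit choice for an unusable header.

    policy="ignore": a Basic header that does not authenticate is skipped and
                     the proxy-supplied identity headers are used instead.
    policy="reject": a present-but-invalid Basic header ends the request as
                     unauthenticated, regardless of the forwarded headers.
    The forwarded header is only trustworthy when the application is reachable
    solely through the proxy that sets it; that is assumed here.
    """
    if policy not in ("ignore", "reject"):
        raise ValueError("policy must be 'ignore' or 'reject'")
    creds = parse_basic(headers.get("Authorization"))
    if creds is not None:
        name, password = creds
        user = lookup_user(name)
        if user is not None and user.check_password(password):
            return user.name
        if policy == "reject":
            return None
    forwarded = headers.get("X-Forwarded-User")
    return forwarded or None


# Constructed request resembling what the proxy sent: a Basic credential for an
# unknown user together with the forwarded identity of the logged-in account.
PROXY_REQUEST = {
    "Authorization": "Basic " + base64.b64encode(b"oauth2-proxy:placeholder").decode(),
    "X-Forwarded-User": "alice@example.com",
}


if __name__ == "__main__":
    try:
        authenticate_buggy(PROXY_REQUEST)
    except AttributeError as exc:
        print("buggy path failed:", exc)
    print("ignore policy ->", authenticate(PROXY_REQUEST, "ignore"))
    print("reject policy ->", authenticate(PROXY_REQUEST, "reject"))
```

Either policy is defensible; what matters for a filter in front of an application is that the unknown-user case is a deliberate branch rather than an unchecked dereference, and that the choice between falling through and failing closed is visible in configuration.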