Having real trouble with forwardAuth not passing Authorization header

Hi there, I have used Traefik a number of times in the past with 3rd party services without issue. I am not trying to get a new app up and running, and would like to use the forward auth feature, but it seems to be stripping out the authorization header. Here is my compose file:

version: '3'

services:
  points-service:
    build: points-service
    command: ./start.sh
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.points-service.rule=Host(`points.dev.localhost`)"
      - "traefik.http.routers.points-service.entrypoints=web"
      - "traefik.http.routers.points-service.middlewares=pointsauth"
      - "traefik.http.middlewares.pointsauth.forwardauth.address=http://user-service:5002/validate-jwt"
      - "traefik.http.middlewares.pointsauth.forwardauth.trustforwardheader=true"
      - "traefik.http.middlewares.pointsauth.forwardauth.authresponseheaders=X-Forwarded-User"
      - "traefik.http.middlewares.pointsauth.forwardauth.authrequestheaders=Accept,Authorization"
    environment:
      DATABASE_URL: postgres://postgres:password@trigpoints-db:5432/postgres
      SERVICE_NAME: "points-service"
      SERVICE_VERSION: "v1.0"
    depends_on:
      - points-db
    networks:
      - default
    ports:
      - "5000:5000"

  points-db:
    image: postgres:13
    environment:
      POSTGRES_PASSWORD: password
    volumes:
      - points-postgres-data:/var/lib/postgresql/data
    networks:
      - default

  user-service:
    build: ./user-service
    command: ./start.sh
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.user-service.rule=Host(`user.dev.localhost`)"
      - "traefik.http.routers.user-service.entrypoints=web"
    environment:
      DATABASE_URL: postgres://postgres:password@user-db:5432/postgres
      SERVICE_NAME: "user-service"
      SERVICE_VERSION: "v1.0"
    depends_on:
      - user-db
    networks:
      - default
    ports:
      - "5002:5002"
      - "9229:9229"

  user-db:
    image: postgres:13
    environment:
      POSTGRES_PASSWORD: password
    volumes:
      - ./user-service/init.sql:/docker-entrypoint-initdb.d/init.sql
      - user-postgres-data:/var/lib/postgresql/data
    networks:
      - default

  traefik:
    image: traefik:v2.10.4
    command:
      - "--api.insecure=true"
      - "--providers.docker=true"
      - "--providers.docker.exposedbydefault=false"
      - "--entrypoints.web.address=:80"
      - "traefik.log.level=DEBUG"
    ports:
      - "80:80"       
      - "8080:8080"    
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
    depends_on:
      - user-service
      - points-service

volumes:
  user-postgres-data:
  points-postgres-data:

networks:
  default:

Am I missing something obvious? I can see the header in the request being sent, but it is missing in request when it hits the backend server? could it be something to do with CORS? I see OPTIONS mentioned in the request in the browser dev tools. Also if I send a request from postman to the service via Traefik I can see the header. Really stuck with this now.

What do you mean?

Does this help? (Doc)

The authResponseHeaders option is the list of headers to copy from the authentication server response and set on forwarded request, replacing any existing conflicting headers.

It is the request that I am having trouble with.

You are missing X-Forwarded-User in the request to your target service? Is it included in the ForwardAuth service response?