For some reason, I thought this behaviour made it to the upstream, till I re-read the official ngx_http_auth_request documentation and realized it doesn't pass through 3xx or headers other than WWW-Authenticate:
The ngx_http_auth_request_module module (1.5.4+) implements
client authorization based on the result of a subrequest.
If the subrequest returns a 2xx response code, the access
is allowed. If it returns 401 or 403, the access is
denied with the corresponding error code. Any other
response code returned by the subrequest is considered
an error. For the 401 error, the client also receives
the “WWW-Authenticate” header from the subrequest response.
Here is a config that does something like this: https://github.com/wrr/wwwhisper/blob/master/nginx/wwwhisper... (deployed here: https://io-mixedbit.rhcloud.com)
(Sorry for the late reply)