dgn / oidc-filter
A WASM plugin for Envoy supporting the Open ID Connect Authorization Flow, extending Istio's JWT functionality
License: Apache License 2.0
Hi @dgn
What is the proper way to make the istio-proxy filesystem writable in order to copy the wasm filter?
Usually you will get this error if you try to copy into or create the folder:
k exec pod podname -c istio-proxy -- mkdir -p /var/local/lib/wasm-filters/
mkdir: cannot create directory '/var/local/lib': Read-only file system
command terminated with exit code 1
We should at least verify that the examples work for every PR
@dgn
Do you know what might be the reason if I have a working example, then I do
and I have RBAC access denied
Hello,
Nice project, and a very relevant target for solving AJAX redirect issues!
I tried to test the project with Okta as the IdP, but the request to the /authorize endpoint fails with an error on Okta's side: "The authentication request has an invalid state parameter".
Okta documentation: https://developer.okta.com/docs/reference/api/oidc/#request-parameters
Okta requires the OAuth 2.0 state parameter on all requests to the /authorize endpoint to prevent cross-site request forgery (CSRF).
The OAuth 2.0 specification requires that clients protect their redirect URIs against CSRF by sending a value in the authorize request that binds the request to the user-agent's authenticated state.
Using the state parameter is also a countermeasure to several other known attacks as outlined in OAuth 2.0 Threat Model and Security Considerations.
A valid request URL example:
https://vinted.oktapreview.com/oauth2/aus1nt2tmuLH9y9mX0x7/v1/authorize?client_id=XxXxXxXxXxXxXx&scope=user&response_type=code&redirect_uri=https://localhost/callback&state=https://localhost/&resource=testing_resource_definition_okta_seems_to_ignore
On success you get redirected back:
https://localhost/callback?code=TRooS-0pD78Gm0zSyg_0t2K8_WIgzzkpGkwIeoUa6Xg&state=https%3A%2F%2Flocalhost%2F
Just in case, my oidc-filter config:
- name: envoy.filters.http.wasm
  typed_config:
    "@type": type.googleapis.com/udpa.type.v1.TypedStruct
    type_url: type.googleapis.com/envoy.extensions.filters.http.wasm.v3.Wasm
    value:
      config:
        name: oidc-filter
        rootId: oidc-filter_root
        configuration:
          "@type": "type.googleapis.com/google.protobuf.StringValue"
          value: |
            {
              "redirect_uri": "/callback",
              "auth_cluster": "okta-cluster-https",
              "auth_host": "winwin.oktapreview.com",
              "token_uri": "/oauth2/aus1zi2tMuLkay9XX0x7/v1/token",
              "login_uri": "https://winwin.oktapreview.com/oauth2/aus1zi2tMuLkay9XX0x7/v1/authorize",
              "client_id": "0oa1ba2v832E9Xx120xe",
              "client_secret": "ZzzzzzzzzzzzzzzzzzzzTOP"
            }
        vmConfig:
          code:
            local:
              filename: /var/local/lib/wasm-filters/oidc.wasm
          runtime: envoy.wasm.runtime.v8
          vmId: oidc-filter
          allow_precompiled: true
Thank you!
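The state binding that Okta insists on, as an added example in Go; this is not code from oidc-filter or from the issue above. Before redirecting to /authorize, the client generates a random state, binds it to the user agent in an HMAC-signed, HttpOnly cookie, and puts the same value into the redirect; on the callback it refuses any state that does not match the cookie. Note that the working request quoted above uses the return URL itself as the state, which is guessable and so does not bind anything; here the random value and the return path travel separately. The key, the cookie layout and all function names are assumptions made for the example.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/base64"
	"errors"
	"fmt"
	"net/url"
	"strings"
)

// stateKey is a constructed secret for this example only; a real filter would
// take it from its configuration, next to client_secret.
var stateKey = []byte("example-only-key-do-not-reuse-0000")

// NewState returns 32 random bytes as URL-safe base64 (43 characters).
func NewState() (string, error) {
	b := make([]byte, 32)
	if _, err := rand.Read(b); err != nil {
		return "", err
	}
	return base64.RawURLEncoding.EncodeToString(b), nil
}

// sign computes HMAC-SHA256 over the state and the post-login return path, so
// the cookie can be verified without a server-side session store.
func sign(state, returnTo string) string {
	m := hmac.New(sha256.New, stateKey)
	m.Write([]byte(state))
	m.Write([]byte{0}) // separator: (state, returnTo) pairs cannot be re-split
	m.Write([]byte(returnTo))
	return base64.RawURLEncoding.EncodeToString(m.Sum(nil))
}

// StateCookie is the value to set in an HttpOnly, Secure, SameSite=Lax cookie
// right before redirecting the browser to the IdP.
func StateCookie(state, returnTo string) string {
	return state + "." + base64.RawURLEncoding.EncodeToString([]byte(returnTo)) + "." + sign(state, returnTo)
}

// AuthorizeURL builds the /authorize redirect including the state parameter.
func AuthorizeURL(loginURI, clientID, redirectURI, scope, state string) string {
	q := url.Values{}
	q.Set("response_type", "code")
	q.Set("client_id", clientID)
	q.Set("redirect_uri", redirectURI)
	q.Set("scope", scope)
	q.Set("state", state)
	return loginURI + "?" + q.Encode()
}

// VerifyCallback checks the state echoed by the IdP against the cookie bound to
// this user agent and returns the local path to send the user back to.
func VerifyCallback(callbackQuery, cookie string) (string, error) {
	q, err := url.ParseQuery(callbackQuery)
	if err != nil {
		return "", err
	}
	state := q.Get("state")
	if state == "" {
		return "", errors.New("callback has no state parameter")
	}
	parts := strings.Split(cookie, ".")
	if len(parts) != 3 {
		return "", errors.New("malformed state cookie")
	}
	rt, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil {
		return "", errors.New("malformed state cookie")
	}
	returnTo := string(rt)
	// Check the MAC first so a forged cookie cannot steer the comparison below.
	if subtle.ConstantTimeCompare([]byte(parts[2]), []byte(sign(parts[0], returnTo))) != 1 {
		return "", errors.New("state cookie signature invalid")
	}
	if subtle.ConstantTimeCompare([]byte(state), []byte(parts[0])) != 1 {
		return "", errors.New("state mismatch: possible CSRF or a stale login attempt")
	}
	// Only a same-origin path may be the destination, never a full URL.
	if !strings.HasPrefix(returnTo, "/") || strings.HasPrefix(returnTo, "//") {
		return "", errors.New("refusing to redirect to a non-local return path")
	}
	return returnTo, nil
}

func main() {
	state, _ := NewState()
	cookie := StateCookie(state, "/orders?page=2")
	fmt.Println(AuthorizeURL("https://idp.example.com/oauth2/v1/authorize", "client-id", "https://localhost/callback", "openid", state))
	fmt.Println(VerifyCallback("code=abc&state="+state, cookie))
	fmt.Println(VerifyCallback("code=abc&state=forged", cookie))
}
```

The cookie must be SameSite=Lax rather than Strict: the IdP sends the browser back to /callback as a cross-site top-level navigation, and a Strict cookie would not be attached to it, so every login would fail the state check.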
#enhancement
I like the oidc-filter code and have a question:
In response to the auth code with client id/secret request, the token endpoint of the OpenID Connect authorization server returns both an access token and an id_token. I see the oidc-filter code sets the id_token (also called the JWT token in your description) in a cookie and sets the token as the value of the Authorization header for a subsequent filter to verify. I do not find any code that processes the access token returned by the token endpoint of the OpenID Connect authorization server. If it is processed in the code, could you please tell me where it is processed? If it is not processed, could you please tell me why the filter does not need to process it, such as verifying it or setting the access token in the cookie?
Running on Ubuntu 22.04, Envoy version 1.24:
[2023-07-13 08:29:10.292][178766][error][wasm] [source/extensions/common/wasm/context.cc:1186] wasm log oidc-filter oidc-filter_root oidc-filter: { "status": "error", "error": "Cannot dispatch call to cluster: InternalFailure" }
But it works on my Mac Pro with Envoy versions 1.17, 1.21 and 1.26.1.
Hi @dgn!
Is it possible to use a wasm hub registry or to mount the wasm module instead of copying it directly into the istio-proxy container?
Considering that pods are ephemeral, there should be a more elegant solution to keep the wasm module mounted in istio-proxy.
Much appreciate your help!
Reference: https://github.com/dgn/oidc-filter/blob/master/example/deploy.sh#L16
It would be nice for most users, who could then test this filter on a K8s cluster more easily.
Hi @dgn,
It seems this approach doesn't work with Istio 1.7; perhaps you know some workarounds.
istioctl version
client version: 1.7.2
control plane version: 1.7.2
data plane version: 1.7.2 (18 proxies)
2020-09-30T22:50:57.346838Z debug envoy connection [C902] closing data_to_write=143 type=2
2020-09-30T22:50:57.346856Z debug envoy connection [C902] setting delayed close timer with timeout 1000 ms
2020-09-30T22:50:57.346866Z debug envoy pool [C3] response complete
2020-09-30T22:50:57.346871Z debug envoy pool [C3] destroying stream: 0 remaining
2020-09-30T22:50:57.346954Z debug envoy connection [C902] write flush complete
2020-09-30T22:50:57.347105Z debug envoy connection [C902] remote early close
2020-09-30T22:50:57.347119Z debug envoy connection [C902] closing socket: 0
2020-09-30T22:50:57.347188Z debug envoy conn_handler [C902] adding to cleanup list
2020-09-30T22:50:57.744347Z debug envoy main flushing stats
2020-09-30T22:50:58.289883Z debug envoy http [C747] new stream
2020-09-30T22:50:58.290086Z debug envoy http [C747][S6519292591854974172] request headers complete (end_stream=true):
':authority', 'appwebform.example.com'
':path', '/'
':method', 'GET'
'cache-control', 'max-age=0'
'upgrade-insecure-requests', '1'
'user-agent', 'Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.83 Safari/537.36'
'accept', 'text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9'
'sec-fetch-site', 'none'
'sec-fetch-mode', 'navigate'
'sec-fetch-user', '?1'
'sec-fetch-dest', 'document'
'accept-encoding', 'gzip, deflate, br'
'accept-language', 'en-US,en;q=0.9'
'x-forwarded-for', '10.215.25.170'
'x-forwarded-proto', 'https'
'x-envoy-internal', 'true'
'x-request-id', '9ee7ff66-1a7f-41be-9c7c-40adf26298de'
'x-envoy-decorator-operation', 'appwebform-service.appwebform.svc.cluster.local:80/*'
'x-envoy-peer-metadata', '...'
'x-envoy-peer-metadata-id', 'router~172.30.216.33~istio-ingressgateway-86798dbff8-8fn8d.istio-system~istio-system.svc.cluster.local'
'x-envoy-attempt-count', '1'
'x-b3-traceid', 'f3137deae108f6f2f3bb869c7f8c1468'
'x-b3-spanid', 'f3bb869c7f8c1468'
'x-b3-sampled', '0'
'content-length', '0'
2020-09-30T22:50:58.290123Z debug envoy http [C747][S6519292591854974172] request end stream
2020-09-30T22:50:58.290228Z debug envoy jwt Called Filter : setDecoderFilterCallbacks
2020-09-30T22:50:58.290351Z debug envoy jwt Called Filter : decodeHeaders
2020-09-30T22:50:58.290362Z debug envoy jwt Prefix requirement '/' matched.
2020-09-30T22:50:58.290374Z debug envoy jwt extract authorizationBearer
2020-09-30T22:50:58.290383Z debug envoy jwt origins-0: JWT authentication starts (allow_failed=false), tokens size=0
2020-09-30T22:50:58.290389Z debug envoy jwt origins-0: JWT token verification completed with: Jwt is missing
2020-09-30T22:50:58.290403Z debug envoy jwt Called AllowMissingVerifierImpl.verify : verify
2020-09-30T22:50:58.290408Z debug envoy jwt extract authorizationBearer
2020-09-30T22:50:58.290413Z debug envoy jwt _IS_ALLOW_MISSING_: JWT authentication starts (allow_failed=false), tokens size=0
2020-09-30T22:50:58.290416Z debug envoy jwt _IS_ALLOW_MISSING_: JWT token verification completed with: Jwt is missing
2020-09-30T22:50:58.290422Z debug envoy jwt Called Filter : check complete OK
2020-09-30T22:50:58.290474Z debug envoy filter AuthenticationFilter::decodeHeaders with config
policy {
  peers {
    mtls {
      mode: PERMISSIVE
    }
  }
  origins {
    jwt {
      issuer: "https://keycloak.example.com/auth/realms/istio"
    }
  }
  origin_is_optional: true
  principal_binding: USE_ORIGIN
}
skip_validate_trust_domain: true
2020-09-30T22:50:58.290500Z debug envoy filter [C747] validateX509 mode PERMISSIVE: ssl=true, has_user=true
2020-09-30T22:50:58.290505Z debug envoy filter [C747] trust domain validation skipped
2020-09-30T22:50:58.290509Z debug envoy filter Set peer from X509: cluster.local/ns/istio-system/sa/istio-ingressgateway-service-account
2020-09-30T22:50:58.290518Z debug envoy filter Validating request path / for jwt issuer: "https://keycloak.example.com/auth/realms/istio"
2020-09-30T22:50:58.290524Z debug envoy filter No dynamic_metadata found for filter envoy.filters.http.jwt_authn
2020-09-30T22:50:58.290528Z debug envoy filter No dynamic_metadata found for filter jwt-auth
2020-09-30T22:50:58.290531Z debug envoy filter Origin authenticator failed
2020-09-30T22:50:58.290585Z debug envoy filter Saved Dynamic Metadata:
fields {
  key: "source.namespace"
  value {
    string_value: "istio-system"
  }
}
fields {
  key: "source.principal"
  value {
    string_value: "cluster.local/ns/istio-system/sa/istio-ingressgateway-service-account"
  }
}
fields {
  key: "source.user"
  value {
    string_value: "cluster.local/ns/istio-system/sa/istio-ingressgateway-service-account"
  }
}
2020-09-30T22:50:58.290668Z debug envoy rbac checking request: requestedServerName: outbound_.80_._.appwebform-service.appwebform.svc.cluster.local, sourceIP: 172.30.216.33:39150, directRemoteIP: 172.30.216.33:39150, remoteIP: 10.215.25.170:0,localAddress: 172.30.218.100:80, ssl: uriSanPeerCertificate: spiffe://cluster.local/ns/istio-system/sa/istio-ingressgateway-service-account, dnsSanPeerCertificate: , subjectPeerCertificate: , headers: ':authority', 'appwebform.example.com'
':path', '/'
':method', 'GET'
'cache-control', 'max-age=0'
'upgrade-insecure-requests', '1'
'user-agent', 'Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.83 Safari/537.36'
'accept', 'text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9'
'sec-fetch-site', 'none'
'sec-fetch-mode', 'navigate'
'sec-fetch-user', '?1'
'sec-fetch-dest', 'document'
'accept-encoding', 'gzip, deflate, br'
'accept-language', 'en-US,en;q=0.9'
'x-forwarded-for', '10.215.25.170'
'x-forwarded-proto', 'https'
'x-request-id', '9ee7ff66-1a7f-41be-9c7c-40adf26298de'
'x-envoy-attempt-count', '1'
'x-b3-traceid', 'f3137deae108f6f2f3bb869c7f8c1468'
'x-b3-spanid', 'f3bb869c7f8c1468'
'x-b3-sampled', '0'
'content-length', '0'
'x-envoy-internal', 'true'
'x-forwarded-client-cert', 'By=spiffe://cluster.local/ns/appwebform/sa/default;Hash=45344697d73a89b728012dc151ff07d6a20791833cf4b74a470e66f3aaf4cb45;Subject="";URI=spiffe://cluster.local/ns/istio-system/sa/istio-ingressgateway-service-account'
, dynamicMetadata: filter_metadata {
  key: "istio_authn"
  value {
    fields {
      key: "source.namespace"
      value {
        string_value: "istio-system"
      }
    }
    fields {
      key: "source.principal"
      value {
        string_value: "cluster.local/ns/istio-system/sa/istio-ingressgateway-service-account"
      }
    }
    fields {
      key: "source.user"
      value {
        string_value: "cluster.local/ns/istio-system/sa/istio-ingressgateway-service-account"
      }
    }
  }
}
2020-09-30T22:50:58.290696Z debug envoy rbac enforced denied
2020-09-30T22:50:58.290703Z debug envoy http [C747][S6519292591854974172] Sending local reply with details rbac_access_denied
2020-09-30T22:50:58.290759Z debug envoy http [C747][S6519292591854974172] encoding headers via codec (end_stream=false):
':status', '403'
'content-length', '19'
'content-type', 'text/plain'
'x-envoy-peer-metadata', '...'
'x-envoy-peer-metadata-id', 'sidecar~172.30.218.100~appwebform-deployment-65c755f78b-2vckh.appwebform~appwebform.svc.cluster.local'
'date', 'Wed, 30 Sep 2020 22:50:57 GMT'
'server', 'istio-envoy'
2020-09-30T22:50:58.290810Z debug envoy jwt Called Filter : onDestroy
2020-09-30T22:50:58.290816Z debug envoy filter Called AuthenticationFilter : onDestroy
2020-09-30T22:50:58.290946Z debug envoy wasm wasm log: [extensions/stats/plugin.cc:609]::report() metricKey cache hit , stat=12
2020-09-30T22:50:58.290975Z debug envoy wasm wasm log: [extensions/stats/plugin.cc:609]::report() metricKey cache hit , stat=6
2020-09-30T22:50:58.290981Z debug envoy wasm wasm log: [extensions/stats/plugin.cc:609]::report() metricKey cache hit , stat=10
2020-09-30T22:50:58.290987Z debug envoy wasm wasm log: [extensions/stats/plugin.cc:609]::report() metricKey cache hit , stat=14
2020-09-30T22:50:58.417910Z debug envoy http [C747] new stream
2020-09-30T22:50:58.418106Z debug envoy http [C747][S3780791924704176796] request headers complete (end_stream=true):
':authority', 'appwebform.example.com'
':path', '/favicon.ico'
':method', 'GET'
'user-agent', 'Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.83 Safari/537.36'
'accept', 'image/avif,image/webp,image/apng,image/*,*/*;q=0.8'
'sec-fetch-site', 'same-origin'
'sec-fetch-mode', 'no-cors'
'sec-fetch-dest', 'image'
'referer', 'https://appwebform.example.com/'
'accept-encoding', 'gzip, deflate, br'
'accept-language', 'en-US,en;q=0.9'
'x-forwarded-for', '10.215.25.170'
'x-forwarded-proto', 'https'
'x-envoy-internal', 'true'
'x-request-id', 'c7030a4d-9d44-4395-a77a-7ce6c38789d7'
'x-envoy-decorator-operation', 'appwebform-service.appwebform.svc.cluster.local:80/*'
'x-envoy-peer-metadata', '...'
'x-envoy-peer-metadata-id', 'router~172.30.216.33~istio-ingressgateway-86798dbff8-8fn8d.istio-system~istio-system.svc.cluster.local'
'x-envoy-attempt-count', '1'
'x-b3-traceid', '09ad482c28859c1617246f025f6a26b1'
'x-b3-spanid', '17246f025f6a26b1'
'x-b3-sampled', '0'
'content-length', '0'
2020-09-30T22:50:58.418129Z debug envoy http [C747][S3780791924704176796] request end stream
2020-09-30T22:50:58.418222Z debug envoy jwt Called Filter : setDecoderFilterCallbacks
2020-09-30T22:50:58.418322Z debug envoy jwt Called Filter : decodeHeaders
2020-09-30T22:50:58.418343Z debug envoy jwt Prefix requirement '/' matched.
2020-09-30T22:50:58.418356Z debug envoy jwt extract authorizationBearer
2020-09-30T22:50:58.418366Z debug envoy jwt origins-0: JWT authentication starts (allow_failed=false), tokens size=0
2020-09-30T22:50:58.418372Z debug envoy jwt origins-0: JWT token verification completed with: Jwt is missing
2020-09-30T22:50:58.418378Z debug envoy jwt Called AllowMissingVerifierImpl.verify : verify
2020-09-30T22:50:58.418382Z debug envoy jwt extract authorizationBearer
2020-09-30T22:50:58.418387Z debug envoy jwt _IS_ALLOW_MISSING_: JWT authentication starts (allow_failed=false), tokens size=0
2020-09-30T22:50:58.418390Z debug envoy jwt _IS_ALLOW_MISSING_: JWT token verification completed with: Jwt is missing
2020-09-30T22:50:58.418396Z debug envoy jwt Called Filter : check complete OK
2020-09-30T22:50:58.418444Z debug envoy filter AuthenticationFilter::decodeHeaders with config
policy {
  peers {
    mtls {
      mode: PERMISSIVE
    }
  }
  origins {
    jwt {
      issuer: "https://keycloak.example.com/auth/realms/istio"
    }
  }
  origin_is_optional: true
  principal_binding: USE_ORIGIN
}
skip_validate_trust_domain: true
2020-09-30T22:50:58.418468Z debug envoy filter [C747] validateX509 mode PERMISSIVE: ssl=true, has_user=true
2020-09-30T22:50:58.418496Z debug envoy filter [C747] trust domain validation skipped
2020-09-30T22:50:58.418508Z debug envoy filter Set peer from X509: cluster.local/ns/istio-system/sa/istio-ingressgateway-service-account
2020-09-30T22:50:58.418520Z debug envoy filter Validating request path /favicon.ico for jwt issuer: "https://keycloak.example.com/auth/realms/istio"
2020-09-30T22:50:58.418540Z debug envoy filter No dynamic_metadata found for filter envoy.filters.http.jwt_authn
2020-09-30T22:50:58.418545Z debug envoy filter No dynamic_metadata found for filter jwt-auth
2020-09-30T22:50:58.418549Z debug envoy filter Origin authenticator failed
2020-09-30T22:50:58.418605Z debug envoy filter Saved Dynamic Metadata:
fields {
  key: "source.namespace"
  value {
    string_value: "istio-system"
  }
}
fields {
  key: "source.principal"
  value {
    string_value: "cluster.local/ns/istio-system/sa/istio-ingressgateway-service-account"
  }
}
fields {
  key: "source.user"
  value {
    string_value: "cluster.local/ns/istio-system/sa/istio-ingressgateway-service-account"
  }
}
2020-09-30T22:50:58.418686Z debug envoy rbac checking request: requestedServerName: outbound_.80_._.appwebform-service.appwebform.svc.cluster.local, sourceIP: 172.30.216.33:39150, directRemoteIP: 172.30.216.33:39150, remoteIP: 10.215.25.170:0,localAddress: 172.30.218.100:80, ssl: uriSanPeerCertificate: spiffe://cluster.local/ns/istio-system/sa/istio-ingressgateway-service-account, dnsSanPeerCertificate: , subjectPeerCertificate: , headers: ':authority', 'appwebform.example.com'
':path', '/favicon.ico'
':method', 'GET'
'user-agent', 'Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.83 Safari/537.36'
'accept', 'image/avif,image/webp,image/apng,image/*,*/*;q=0.8'
'sec-fetch-site', 'same-origin'
'sec-fetch-mode', 'no-cors'
'sec-fetch-dest', 'image'
'referer', 'https://appwebform.example.com/'
'accept-encoding', 'gzip, deflate, br'
'accept-language', 'en-US,en;q=0.9'
'x-forwarded-for', '10.215.25.170'
'x-forwarded-proto', 'https'
'x-request-id', 'c7030a4d-9d44-4395-a77a-7ce6c38789d7'
'x-envoy-attempt-count', '1'
'x-b3-traceid', '09ad482c28859c1617246f025f6a26b1'
'x-b3-spanid', '17246f025f6a26b1'
'x-b3-sampled', '0'
'content-length', '0'
'x-envoy-internal', 'true'
'x-forwarded-client-cert', 'By=spiffe://cluster.local/ns/appwebform/sa/default;Hash=45344697d73a8928012dc151ff07d6a20791833cf4ba470e66f3aaf4cb45;Subject="";URI=spiffe://cluster.local/ns/istio-system/sa/istio-ingressgateway-service-account'
, dynamicMetadata: filter_metadata {
  key: "istio_authn"
  value {
    fields {
      key: "source.namespace"
      value {
        string_value: "istio-system"
      }
    }
    fields {
      key: "source.principal"
      value {
        string_value: "cluster.local/ns/istio-system/sa/istio-ingressgateway-service-account"
      }
    }
    fields {
      key: "source.user"
      value {
        string_value: "cluster.local/ns/istio-system/sa/istio-ingressgateway-service-account"
      }
    }
  }
}
2020-09-30T22:50:58.418716Z debug envoy rbac enforced denied
2020-09-30T22:50:58.418723Z debug envoy http [C747][S3780791924704176796] Sending local reply with details rbac_access_denied
2020-09-30T22:50:58.418783Z debug envoy http [C747][S3780791924704176796] encoding headers via codec (end_stream=false):
':status', '403'
'content-length', '19'
'content-type', 'text/plain'
'x-envoy-peer-metadata', '...'
'x-envoy-peer-metadata-id', 'sidecar~172.30.218.100~appwebform-deployment-65c755f78b-2vckh.appwebform~appwebform.svc.cluster.local'
'date', 'Wed, 30 Sep 2020 22:50:58 GMT'
'server', 'istio-envoy'
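What the debug log above actually records, as an added example in Go that is not part of oidc-filter or of this issue: for both streams jwt_authn reports "Jwt is missing", the origin authenticator fails, and the RBAC filter then replies 403 with rbac_access_denied. The small triage below runs over constructed lines in the same format (an excerpt modelled on the log, not the original log) and attributes the jwt and rbac lines, which carry no stream id, to the most recent stream. The summary and the wording of the explanations are mine.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// SampleLog is a constructed excerpt in the format of the istio-proxy debug
// log above (two streams, both denied); it is not the original log.
const SampleLog = `2020-09-30T22:50:58.290086Z debug envoy http [C747][S6519292591854974172] request headers complete (end_stream=true):
':authority', 'appwebform.example.com'
':path', '/'
':method', 'GET'
2020-09-30T22:50:58.290389Z debug envoy jwt origins-0: JWT token verification completed with: Jwt is missing
2020-09-30T22:50:58.290416Z debug envoy jwt _IS_ALLOW_MISSING_: JWT token verification completed with: Jwt is missing
2020-09-30T22:50:58.290531Z debug envoy filter Origin authenticator failed
2020-09-30T22:50:58.290696Z debug envoy rbac enforced denied
2020-09-30T22:50:58.290703Z debug envoy http [C747][S6519292591854974172] Sending local reply with details rbac_access_denied
':status', '403'
2020-09-30T22:50:58.418106Z debug envoy http [C747][S3780791924704176796] request headers complete (end_stream=true):
':path', '/favicon.ico'
2020-09-30T22:50:58.418372Z debug envoy jwt origins-0: JWT token verification completed with: Jwt is missing
2020-09-30T22:50:58.418716Z debug envoy rbac enforced denied
2020-09-30T22:50:58.418723Z debug envoy http [C747][S3780791924704176796] Sending local reply with details rbac_access_denied
':status', '403'`

// StreamSummary collects what the log says about one request stream.
type StreamSummary struct {
	Stream, Path, JWTResult, RBAC, LocalReply, Status string
}

var (
	reNewStream = regexp.MustCompile(`\[C\d+\]\[(S\d+)\] request headers complete`)
	rePath      = regexp.MustCompile(`^':path', '([^']*)'`)
	reJWT       = regexp.MustCompile(`JWT token verification completed with: (.+)$`)
	reRBAC      = regexp.MustCompile(`rbac enforced (allowed|denied)`)
	reReply     = regexp.MustCompile(`Sending local reply with details (\S+)`)
	reStatus    = regexp.MustCompile(`^':status', '(\d+)'`)
)

// Summarize walks the log once; jwt/rbac/reply lines carry no stream id, so
// they are attributed to the most recent "request headers complete" stream.
// Only the first ':path' and JWT result per stream are kept, because the rbac
// filter dumps the headers again and jwt_authn logs twice per request.
func Summarize(log string) []StreamSummary {
	var out []StreamSummary
	for _, raw := range strings.Split(log, "\n") {
		line := strings.TrimSpace(raw)
		if m := reNewStream.FindStringSubmatch(line); m != nil {
			out = append(out, StreamSummary{Stream: m[1]})
			continue
		}
		if len(out) == 0 {
			continue
		}
		cur := &out[len(out)-1]
		switch {
		case cur.Path == "" && rePath.MatchString(line):
			cur.Path = rePath.FindStringSubmatch(line)[1]
		case cur.JWTResult == "" && reJWT.MatchString(line):
			cur.JWTResult = reJWT.FindStringSubmatch(line)[1]
		case reRBAC.MatchString(line):
			cur.RBAC = reRBAC.FindStringSubmatch(line)[1]
		case reReply.MatchString(line):
			cur.LocalReply = reReply.FindStringSubmatch(line)[1]
		case cur.Status == "" && reStatus.MatchString(line):
			cur.Status = reStatus.FindStringSubmatch(line)[1]
		}
	}
	return out
}

// Explain turns one summary into the sentence a reviewer would write.
func Explain(s StreamSummary) string {
	switch {
	case s.RBAC == "denied" && strings.Contains(strings.ToLower(s.JWTResult), "missing"):
		return "no bearer token reached jwt_authn, so no request principal was set and the authorization policy denied the request"
	case s.RBAC == "denied":
		return "a token was presented but the authorization policy still denied the request; compare its claims with the policy"
	case s.RBAC == "allowed":
		return "authorization policy allowed the request"
	}
	return "no RBAC decision logged for this stream"
}

func main() {
	for _, s := range Summarize(SampleLog) {
		fmt.Printf("%s %s jwt=%q rbac=%s reply=%s status=%s: %s\n",
			s.Stream, s.Path, s.JWTResult, s.RBAC, s.LocalReply, s.Status, Explain(s))
	}
}
```

The point of the triage is that the 403 is not an RBAC misconfiguration by itself: the request reached jwt_authn with no Authorization header at all, so whatever should have injected the token ran after the JWT check, or not at all, and that is where to look next.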
This is a very interesting example, and I would appreciate it if you could help me with my questions.
After you log in with Keycloak, can you see the Authorization Bearer token in the browser, or is it a cookie?
I tried to test this example with the Istio ingress and everything works fine until I enter Keycloak credentials (redirection to Keycloak without a JWT token works); then I receive a 503 Istio ingress error for the endpoint /?session_state
I put Keycloak external URLs for all entries (the Keycloak ingress is configured with TLS and works fine), but it didn't help:
https://github.com/dgn/oidc-filter/blob/master/example/envoyfilter.yaml#L27-L30
https://github.com/dgn/oidc-filter/blob/master/example/istio-auth.yaml#L11-L12
istio-proxy logs:
[Envoy (Epoch 0)] [2020-08-30 22:00:45.712][24][debug][router] [external/envoy/source/common/router/router.cc:474] [C66284][S8249649652266042808] cluster 'outbound|8000||httpbin.default.svc.cluster.local' match for URL '/'
[Envoy (Epoch 0)] [2020-08-30 22:00:45.712][24][debug][upstream] [external/envoy/source/common/upstream/cluster_manager_impl.cc:1230] no healthy host for HTTP connection pool
[Envoy (Epoch 0)] [2020-08-30 22:00:45.712][24][debug][http] [external/envoy/source/common/http/conn_manager_impl.cc:1422] [C66284][S8249649652266042808] Sending local reply with details no_healthy_upstream
[Envoy (Epoch 0)] [2020-08-30 22:00:45.712][24][debug][filter] [src/envoy/http/mixer/filter.cc:135] Called Mixer::Filter : encodeHeaders 2
[Envoy (Epoch 0)] [2020-08-30 22:00:45.712][24][debug][http] [external/envoy/source/common/http/conn_manager_impl.cc:1620] [C66284][S8249649652266042808] encoding headers via codec (end_stream=false):
':status', '503'
'content-length', '19'
'content-type', 'text/plain'
'date', 'Sun, 30 Aug 2020 22:00:45 GMT'
'server', 'istio-envoy'
From the infrastructure side, everything should be configured correctly, as I tested the same authentication flow (Istio + Keycloak) with keycloak-gatekeeper/proxy and it works well.
None of this is currently unit tested.