Can't use JWT and basic authorization in 1.28 #31468

Closed
samuelvl opened this issue Dec 20, 2023 · 6 comments · Fixed by #32248
Comments

@samuelvl

As of Envoy 1.28 it is not possible to use the JWT authorization header together with another authorization type, such as basic authentication.

Envoy v1.28.0:

$ curl -v -X GET -H "Authorization: Bearer $(cat demo.jwt)" -H "Authorization: Basic password" http://localhost:8082/headers
HTTP/1.1 401 Unauthorized

Envoy v1.27.2:

$ curl -v -X GET -H "Authorization: Bearer $(cat demo.jwt)" -H "Authorization: Basic password" http://localhost:8082/headers
HTTP/1.1 200 OK

Configuration

static_resources:
  listeners:
    - name: listener_0
      address:
        socket_address:
          address: 0.0.0.0
          port_value: 8082
      filter_chains:
        - filters:
            - name: envoy.filters.network.http_connection_manager
              typed_config:
                "@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager
                stat_prefix: ingress_http
                access_log:
                  - name: envoy.access_loggers.stdout
                    typed_config:
                      "@type": type.googleapis.com/envoy.extensions.access_loggers.stream.v3.StdoutAccessLog
                http_filters:
                  - name: envoy.filters.http.JwtAuthentication
                    typed_config:
                      "@type": type.googleapis.com/envoy.extensions.filters.http.jwt_authn.v3.JwtAuthentication
                      providers:
                        local-jwt:
                          local_jwks:
                            inline_string: |
                              { "keys":[ {"e":"AQAB","kid":"DHFbpoIUqrY8t2zpA2qXfCmr5VO5ZEr4RzHU_-envvQ","kty":"RSA","n":"xAE7eB6qugXyCAG3yhh7pkDkT65pHymX-P7KfIupjf59vsdo91bSP9C8H07pSAGQO1MV_xFj9VswgsCg4R6otmg5PV2He95lZdHtOcU5DXIg_pbhLdKXbi66GlVeK6ABZOUW3WYtnNHD-91gVuoeJT_DwtGGcp4ignkgXfkiEm4sw-4sfb4qdt5oLbyVpmW6x9cfa7vs2WTfURiCrBoUqgBo_-4WTiULmmHSGZHOjzwa8WtrtOQGsAFjIbno85jp6MnGGGZPYZbDAa_b3y5u-YpW7ypZrvD8BgtKVjgtQgZhLAGezMt0ua3DRrWnKqTZ0BJ_EyxOGuHJrLsn00fnMQ"}]}
                      rules:
                        - match:
                            prefix: "/"
                          requires:
                            provider_name: "local-jwt"
                  - name: envoy.filters.http.router
                    typed_config:
                      "@type": type.googleapis.com/envoy.extensions.filters.http.router.v3.Router
                route_config:
                  name: local_route
                  virtual_hosts:
                    - name: local_service
                      domains: ["*"]
                      routes:
                        - match:
                            prefix: "/"
                          route:
                            host_rewrite_literal: www.httpbin.org
                            cluster: service_httpbin
  clusters:
    - name: service_httpbin
      type: LOGICAL_DNS
      dns_lookup_family: V4_ONLY
      load_assignment:
        cluster_name: service_httpbin
        endpoints:
          - lb_endpoints:
              - endpoint:
                  address:
                    socket_address:
                      address: www.httpbin.org
                      port_value: 443
      transport_socket:
        name: envoy.transport_sockets.tls
        typed_config:
          "@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.UpstreamTlsContext
          sni: www.httpbin.org

Get demo.jwt from https://github.com/istio/istio/blob/master/security/tools/jwt/samples/demo.jwt

@samuelvl added the bug and triage labels Dec 20, 2023
@samuelvl (Author)

In the logs I can see the basic authorization header getting added to the JWT payload:

[2023-12-20 10:04:16.623][19][debug][jwt] [source/extensions/filters/http/jwt_authn/authenticator.cc:180] local-jwt: Parse Jwt eyJhbGciOiJSUzI1NiIsImtpZCI6IkRIRmJwb0lVcXJZOHQyenBBMnFYZkNtcjVWTzVaRXI0UnpIVV8tZW52dlEiLCJ0eXAiOiJKV1QifQ.eyJleHAiOjQ2ODU5ODk3MDAsImZvbyI6ImJhciIsImlhdCI6MTUzMjM4OTcwMCwiaXNzIjoidGVzdGluZ0BzZWN1cmUuaXN0aW8uaW8iLCJzdWIiOiJ0ZXN0aW5nQHNlY3VyZS5pc3Rpby5pbyJ9.CfNnxWP2tcnR9q0vxyxweaF3ovQYHYZl82hAUsn21bwQd9zP7c-LS9qd_vpdLG4Tn1A15NxfCjp5f7QNBUo-KC9PJqYpgGbaXhaGx7bEdFWjcwv3nZzvc7M__ZpaCERdwU7igUmJqYGBYQ51vr2njU9ZimyKkfDe3axcyiBZde7G6dabliUosJvvKOPcKIWPccCgefSj_GNfwIip3-SsFdlR7BtbVUcqR-yv-XOxJ3Uc1MI0tz3uMiiZcyPV7sNCU4KRnemRIMHVOfuvHsU60_GhGbiSFzgPTAa9WTltbnarTbxudb_YEOx12JiwYToeX0DCPb43W1tzIBxgm8NxUg,basic password
[2023-12-20 10:04:16.623][19][debug][jwt] [source/extensions/filters/http/jwt_authn/authenticator.cc:374] local-jwt: JWT token verification completed with: Jwt signature is an invalid Base64url encoded

This is not happening with Envoy 1.27:

[2023-12-20 10:05:03.065][48][debug][jwt] [source/extensions/filters/http/jwt_authn/authenticator.cc:180] local-jwt: Parse Jwt eyJhbGciOiJSUzI1NiIsImtpZCI6IkRIRmJwb0lVcXJZOHQyenBBMnFYZkNtcjVWTzVaRXI0UnpIVV8tZW52dlEiLCJ0eXAiOiJKV1QifQ.eyJleHAiOjQ2ODU5ODk3MDAsImZvbyI6ImJhciIsImlhdCI6MTUzMjM4OTcwMCwiaXNzIjoidGVzdGluZ0BzZWN1cmUuaXN0aW8uaW8iLCJzdWIiOiJ0ZXN0aW5nQHNlY3VyZS5pc3Rpby5pbyJ9.CfNnxWP2tcnR9q0vxyxweaF3ovQYHYZl82hAUsn21bwQd9zP7c-LS9qd_vpdLG4Tn1A15NxfCjp5f7QNBUo-KC9PJqYpgGbaXhaGx7bEdFWjcwv3nZzvc7M__ZpaCERdwU7igUmJqYGBYQ51vr2njU9ZimyKkfDe3axcyiBZde7G6dabliUosJvvKOPcKIWPccCgefSj_GNfwIip3-SsFdlR7BtbVUcqR-yv-XOxJ3Uc1MI0tz3uMiiZcyPV7sNCU4KRnemRIMHVOfuvHsU60_GhGbiSFzgPTAa9WTltbnarTbxudb_YEOx12JiwYToeX0DCPb43W1tzIBxgm8NxUg
[2023-12-20 10:05:03.066][48][debug][jwt] [source/extensions/filters/http/jwt_authn/authenticator.cc:191] local-jwt: Verifying JWT token of issuer testing@secure.istio.io
[2023-12-20 10:05:03.066][48][debug][jwt] [source/extensions/filters/http/jwt_authn/authenticator.cc:374] local-jwt: JWT token verification completed with: OK

The regression has been introduced in #28678

@wbpcode added the area/jwt_authn label and removed the triage label Dec 27, 2023

wbpcode commented Dec 27, 2023

cc @yanavlasov


wbpcode commented Dec 27, 2023

I think this could be fixed by avoiding getAllOfHeaderAsString when extracting headers. That method will join multiple values with ",".

@kevinmingtarja

Hi, I'm interested in contributing a fix for this.


github-actions bot commented Feb 4, 2024

This issue has been automatically marked as stale because it has not had activity in the last 30 days. It will be closed in the next 7 days unless it is tagged "help wanted" or "no stalebot" or other activity occurs. Thank you for your contributions.

github-actions bot added the stale label Feb 4, 2024

samuelvl commented Feb 5, 2024

Not stale

github-actions bot removed the stale label Feb 5, 2024
lizan pushed a commit that referenced this issue Feb 12, 2024
Duplicated headers should not be concatenated with a comma, because a comma is not allowed in a JWT token, so concatenation invalidates tokens.
This PR fixes #31468.

Risk Level:
Testing: unit tests
Docs Changes: none
Release Notes:
Platform Specific Features: none

Signed-off-by: Jacek Ewertowski <jewertow@redhat.com>
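
The following is an added illustration (not Envoy's code) of the failure wbpcode's comment and the commit message above describe: joining every Authorization value with a comma, as getAllOfHeaderAsString does, yields a string that can no longer be a compact JWT, while inspecting each value on its own still finds the Bearer token. The header list type, function names and the placeholder token are assumptions made for this example.

```cpp
// Added example (not Envoy's code): comma-joined duplicate Authorization values vs. per-value extraction.
#include <cctype>
#include <string>
#include <utility>
#include <vector>

using HeaderList = std::vector<std::pair<std::string, std::string>>;
// Mimics the getAllOfHeaderAsString behaviour the issue describes: every value
// of `name` joined with "," into one string.
std::string joinAllValues(const HeaderList& headers, const std::string& name) {
  std::string joined;
  for (const auto& h : headers) {
    if (h.first != name) continue;
    joined += (joined.empty() ? "" : ",") + h.second;
  }
  return joined;
}

// Shape check only (no signature verification): a compact JWS is three
// non-empty base64url segments joined by '.', and base64url has no ',' or ' '.
bool looksLikeCompactJwt(const std::string& token) {
  int dots = 0;
  size_t segment_len = 0;
  for (unsigned char c : token) {
    if (c == '.') { if (segment_len == 0) return false; ++dots; segment_len = 0; }
    else if (std::isalnum(c) || c == '-' || c == '_') ++segment_len;
    else return false;
  }
  return dots == 2 && segment_len > 0;
}

// Fixed approach: inspect each Authorization value on its own and return the
// first one carrying a well-formed Bearer JWT, or "" if there is none.
std::string extractBearerJwt(const HeaderList& headers) {
  const std::string prefix = "Bearer ";
  for (const auto& h : headers) {
    if (h.first != "authorization" || h.second.rfind(prefix, 0) != 0) continue;
    std::string token = h.second.substr(prefix.size());
    if (looksLikeCompactJwt(token)) return token;
  }
  return "";
}

// Constructed sample: the request from the issue with a placeholder JWT
// (base64url of "header", "payload", "signature"; not a real token).
const HeaderList kSampleRequest = {
    {"authorization", "Bearer aGVhZGVy.cGF5bG9hZA.c2lnbmF0dXJl"},
    {"authorization", "Basic password"},
};
```

The shape check is deliberately minimal; a real filter still has to verify the signature, issuer and expiry of whichever value it selects.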