Hi Team,
We are using envoy auth filter to authenticate with access token passed from AWS ALB.
```yaml
http_filters:
- name: envoy.filters.http.jwt_authn
  typed_config:
    "@type": type.googleapis.com/envoy.extensions.filters.http.jwt_authn.v3.JwtAuthentication
    providers:
      azure_ad_oidc_token:
        issuer: "https://sts.windows.net/{tenantid}/"
        audiences:
        - "00000003-0000-0000-c000-000000000000"
        from_headers:
        - name: 'x-amzn-oidc-accesstoken'
        forward: true
        remote_jwks:
          http_uri:
            uri: "https://login.microsoftonline.com/tenentid/discovery/v2.0/keys"
            cluster: jwks_cluster
            timeout: 60s
          cache_duration:
            seconds: 3600
    rules:
    - match:
        prefix: /health
    - match:
        prefix: /customer
      requires:
        provider_name: azure_ad_oidc_token
```
It's giving a "Jwt verification fails" error when we pass the access token.
Access token format:
```json
{
  "aud": "00000003-0000-0000-c000-000000000000",
  "iss": "https://sts.windows.net/{tenantid}/",
  "iat": 1715943662,
  "nbf": 1715943662,
  "exp": 1715948505,
  "acct": 0,
  "acr": "1",
  "aio": "ATQAy/8WAAAA4t0tBZMxRHG9en9gkaENX6hZ3MQeCa69aZ1n04MxqKarb27psBkvfdbhdcBHn08O",
  "amr": [ "pwd" ],
  "app_displayname": "IdassAuthAppService",
  "appid": ".....",
  "appidacr": "1",
  "idtyp": "user",
  "ipaddr": "203.16.165.129",
  "name": "Dilip",
  "oid": "6aaa8bb0-45e4-4a90-a178-174390a74574",
  "platf": "3",
  "puid": "100320037FA54AB8",
  "rh": "0.AVUA7e-DyRosQEyl4uTux0b6cgMAAAAAAAAAwAAAAAAAAAC_AIE.",
  "scp": "openid profile email",
  "sub": "S372n1GkVn88btkVEmVh0oFz7ZzgRBaXQ7JG6uQmquA",
  "tenant_region_scope": "AS",
  "tid": ".....",
  "unique_name": "test@test.onmicrosoft.com",
  "upn": "test@test.onmicrosoft.com",
  "uti": "ilaJtegQT0-x4a4QZdJVAA",
  "ver": "1.0",
  "wids": [
    "62e90394-69f5-4237-9190-012177145e10",
    "b79fbf4d-3ef9-4689-8143-76b194e85509"
  ],
  "xms_st": { "sub": "a46cuSPnc1WRwE7ncoztpZNVZIeP4HrBfoDknO5yfXw" },
  "xms_tcdt": 1472379814
}
```
When we debug the Envoy code, it's failing under envoy/source/extensions/filters/http/jwt_authn/authenticator.cc:
```cpp
const bool sub_allowed = jwks_data_->isSubjectAllowed(jwt_->sub_);
if (!sub_allowed) {
  doneWithStatus(Status::JwtVerificationFail);
  return;
}

absl::optional<absl::Time> exp;
if (jwt_->exp_) {
  exp = absl::FromUnixSeconds(jwt_->exp_);
}
const bool exp_allowed = jwks_data_->isLifetimeAllowed(
    absl::FromChrono(timeSource().systemTime()), exp ? &exp.value() : nullptr);
if (!exp_allowed) {
  doneWithStatus(Status::JwtVerificationFail);
  return;
}
```
But in the access token both the sub and exp parameters are available.
Error logs:
```
2024-05-16 23:57:22 envoy-1 | [2024-05-16 18:27:22.075][26][debug][jwt] [source/extensions/filters/http/jwt_authn/extractor.cc:255] extract x-amzn-oidc-accesstoken
2024-05-16 23:57:22 envoy-1 | [2024-05-16 18:27:22.075][26][debug][jwt] [source/extensions/filters/http/jwt_authn/authenticator.cc:163] azure_ad_accee_token: JWT authentication starts (allow_failed=false), tokens size=1
2024-05-16 23:57:22 envoy-1 | [2024-05-16 18:27:22.075][26][debug][jwt] [source/extensions/filters/http/jwt_authn/authenticator.cc:174] azure_ad_accee_token: startVerify: tokens size 1
2024-05-16 23:57:22 envoy-1 | [2024-05-16 18:27:22.075][26][debug][jwt] [source/extensions/filters/http/jwt_authn/authenticator.cc:192] azure_ad_accee_token: Parse Jwt <Token>
2024-05-16 23:57:22 envoy-1 | [2024-05-16 18:27:22.075][26][debug][jwt] [source/extensions/filters/http/jwt_authn/authenticator.cc:203] azure_ad_accee_token: Verifying JWT token of issuer https://sts.windows.net/{tenantid}
2024-05-16 23:57:22 envoy-1 | [2024-05-16 18:27:22.076][26][debug][jwt] [source/extensions/filters/http/jwt_authn/filter.cc:97] Called Filter : decodeHeaders Stop
2024-05-16 23:57:23 envoy-1 | [2024-05-16 18:27:23.230][26][debug][jwt] [source/extensions/filters/http/jwt_authn/authenticator.cc:448] azure_ad_accee_token: JWT token verification completed with: Jwt verification fails
2024-05-16 23:57:23 envoy-1 | [2024-05-16 18:27:23.230][26][debug][jwt] [source/extensions/filters/http/jwt_authn/authenticator.cc:452] status is: Jwt verification fails
2024-05-16 23:57:23 envoy-1 | [2024-05-16 18:27:23.230][26][debug][jwt] [source/extensions/filters/http/jwt_authn/filter.cc:111] Jwt authentication completed with: Jwt verification fails
2024-05-16 23:57:23 envoy-1 | [2024-05-16 18:27:23.230][26][debug][jwt] [source/extensions/filters/http/jwt_authn/filter.cc:46] Called Filter : onDestroy
```
Please suggest if we are doing anything wrong with the Envoy configuration or the idass configuration.
The ALB configuration is generating the access token via the URL below after login.
https://login.microsoftonline.com/{tenantid}/oauth2/v2.0/authorize?client_id={clientid}&redirect_uri={redirecturl}&response_type=code&scope=openid&state={encodecode}
Note: the same configuration is working with the ID token that we generate from curl commands.
Please let me know if you need any other details to investigate.
Thanks, Dilip
I am running into JWTVerificationFail, but likely because I don't have sub in my access token. This access token is requested by the client using the client_credentials grant (https://www.oauth.com/oauth2-servers/access-tokens/client-credentials/).
I am trying to see if sub can be part of the client configuration, but I want to confirm: is sub required for the access token to be valid? Why?
EDIT 1: Found the documentation: if subjects are not provided they won't be verified: subjects under https://www.envoyproxy.io/docs/envoy/latest/api-v3/type/matcher/v3/string.proto#envoy-v3-api-msg-type-matcher-v3-stringmatcher
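For triaging a "Jwt verification fails" result like the one in the issue and the comment above, the following added example (not Envoy's code and not part of this thread) replays the provider's claim checks offline: issuer, audience, the optional subject allow-list, nbf/exp with clock skew, and whether the header kid is present in the fetched JWKS. It assumes no `subjects` matcher is configured and Envoy's default clock_skew_seconds of 60; the sample token is constructed from the claims shown in the issue with a placeholder kid and signature, and the signature itself is deliberately not verified here.

```python
import base64
import json

# Provider settings copied from the jwt_authn config in the issue. Assumed: no `subjects`
# matcher (so sub is not checked, as the linked docs say) and the default 60s clock skew.
PROVIDER = {
    "issuer": "https://sts.windows.net/{tenantid}/",
    "audiences": ["00000003-0000-0000-c000-000000000000"],
    "subjects": None,  # a plain allow-list stands in for Envoy's StringMatcher
    "clock_skew_seconds": 60,
}

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def split_jwt(token: str):
    """Return (header, payload) dicts; the signature is deliberately not checked here."""
    parts = [base64.urlsafe_b64decode(p + "=" * (-len(p) % 4)) for p in token.split(".")[:2]]
    return json.loads(parts[0]), json.loads(parts[1])

def check_claims(header, payload, jwks_kids, now, provider=PROVIDER):
    """Replay jwt_authn's claim checks at unix time `now`; returns the failing checks."""
    skew = provider["clock_skew_seconds"]
    problems = []
    if payload.get("iss") != provider["issuer"]:
        problems.append(f"issuer mismatch: {payload.get('iss')!r}")
    aud = payload.get("aud")
    aud = aud if isinstance(aud, list) else [aud]
    if not set(aud) & set(provider["audiences"]):
        problems.append(f"audience not allowed: {aud}")
    if provider["subjects"] is not None and payload.get("sub") not in provider["subjects"]:
        problems.append("subject not allowed")
    if "nbf" in payload and payload["nbf"] > now + skew:
        problems.append("token not yet valid (nbf)")
    if "exp" in payload and payload["exp"] < now - skew:
        problems.append(f"token expired at exp={payload['exp']}")
    if header.get("kid") not in jwks_kids:
        problems.append(f"kid {header.get('kid')!r} not in remote_jwks")
    return problems

# Constructed sample token using the iss/aud/sub/nbf/exp values shown in the issue;
# the kid and the signature segment are placeholders, not real values.
SAMPLE_TOKEN = ".".join([
    b64url(json.dumps({"alg": "RS256", "typ": "JWT", "kid": "constructed-kid"}).encode()),
    b64url(json.dumps({"aud": "00000003-0000-0000-c000-000000000000",
                       "iss": "https://sts.windows.net/{tenantid}/", "nbf": 1715943662,
                       "exp": 1715948505, "sub": "S372n1GkVn88btkVEmVh0oFz7ZzgRBaXQ7JG6uQmquA"}).encode()),
    "placeholder-signature",
])
```

Run `check_claims` with the real token, the kids from the configured remote_jwks URL, and the current time to see which check rejects the token before looking at the signature.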