
JWT Claim to Header extraction fails when claim is a URL-like string #33603

Open
CelsoSantos opened this issue Apr 17, 2024 · 3 comments
Labels: area/jwt_authn, question (Questions that are neither investigations, bugs, nor enhancements)

Comments


CelsoSantos commented Apr 17, 2024

When attempting to perform a JWT Claim to Header extraction, Envoy will fail to do the extraction if the claim is a URL-like string, for instance http://example.org/some_claim, and the failure is possibly silent, as I've been unable to locate logs with the failure.

Given a claim like

{
  "iss": "http://example.org/",
  "sub": "johndoe@example.org",
  "iat": 1712240289,
  "exp": 1743776289,
  "aud": "http://example.org/",
  "flavour": "chocolate",
  "parent_token": "abc",
  "some_url_value": "http://example.org/about",
  "http://example.org/parent_token": "xyz"
}

on the resulting request headers, the claim "http://example.org/parent_token": "xyz" will not have been extracted.

Here's the claim_to_headers block:

claim_to_headers:
- header_name: cookie
  claim_name: flavour
- header_name: x-subject
  claim_name: sub
- header_name: x-simple-claim
  claim_name: parent_token
- header_name: x-url-value-claim
  claim_name: some_url_value
- header_name: x-url-key-claim
  claim_name: http://example.org/parent_token
- header_name: x-quoted-claim
  claim_name: 'http://example.org/parent_token'
- header_name: x-regex-1-claim
  claim_name: http:\/\/example.org\/parent_token
- header_name: x-regex-2-claim
  claim_name: http:\\/\\/example\\.org\\/parent_token

In order to show this, I've created a Docker Compose-based reproduction at CelsoSantos/envoy-jwt-claim-extraction, which contains a README.md detailing the steps to reproduce and showcase the issue.

Now, there are some open questions here, namely:

  1. Is this not expected functionality?
  2. If it IS expected functionality, where and why is it breaking? It's not clear from the jwt logs nor others inspected. Which log should expose the error message?
  3. If it needs to be treated as a regex, what is the correct way to escape the string? Go format? JavaScript? Could an example be provided?
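One way to reason about which of these rules can ever match, as an added example (editor-supplied Python that models the lookup; it is not Envoy's code and not part of the issue): Envoy's documentation describes claim_name as a literal key that may be a dot-separated path into nested claims ("claim.nested.key"), not a regex. Under that model, which is the assumption this example makes about the root cause rather than something the thread confirms, a top-level key that itself contains a dot, such as http://example.org/parent_token, is split at "example.org" and never resolves, and a rule that never resolves emits no header and no error. The claims and rules are the ones from the post; the realm_access claim and the x-tenant and x-roles rules are constructed to show the nested-path form, and unresolvable_rules is a pre-deployment check for a config against a sample decoded token.

```python
"""Model of jwt_authn claim_to_headers lookup (added example, not Envoy code).

Assumption: claim_name is a literal, dot-separated path into the decoded JWT
payload, and only string/int/bool values are copied into headers.  Under that
model "http://example.org/parent_token" becomes the path
["http://example", "org/parent_token"] and never resolves.
"""
from typing import Any, Optional

# Claims from the issue, plus one constructed nested claim (realm_access).
CLAIMS = {
    "iss": "http://example.org/",
    "sub": "johndoe@example.org",
    "iat": 1712240289,
    "exp": 1743776289,
    "aud": "http://example.org/",
    "flavour": "chocolate",
    "parent_token": "abc",
    "some_url_value": "http://example.org/about",
    "http://example.org/parent_token": "xyz",
    "realm_access": {"roles": ["admin"], "tenant": "t1"},  # constructed
}

# (header_name, claim_name) pairs from the issue's YAML.  The YAML plain and
# single-quoted scalars keep their backslashes literally, hence the raw strings.
# The last two rules are constructed to show the nested-path form.
RULES = [
    ("cookie", "flavour"),
    ("x-subject", "sub"),
    ("x-simple-claim", "parent_token"),
    ("x-url-value-claim", "some_url_value"),
    ("x-url-key-claim", "http://example.org/parent_token"),
    ("x-quoted-claim", "http://example.org/parent_token"),
    ("x-regex-1-claim", r"http:\/\/example.org\/parent_token"),
    ("x-regex-2-claim", r"http:\\/\\/example\\.org\\/parent_token"),
    ("x-tenant", "realm_access.tenant"),  # constructed nested path
    ("x-roles", "realm_access.roles"),    # constructed; list value, not copied
]


def lookup(claims: dict, claim_name: str) -> Optional[Any]:
    """Walk the claim tree along the dot-separated path; None if any hop misses."""
    node: Any = claims
    for part in claim_name.split("."):
        if not isinstance(node, dict) or part not in node:
            return None
        node = node[part]
    return node


def header_value(value: Any) -> Optional[str]:
    """Only scalar string/int/bool claims become header values (assumed)."""
    if isinstance(value, bool):          # bool before int: True is an int in Python
        return "true" if value else "false"
    if isinstance(value, (str, int)):
        return str(value)
    return None                          # objects, lists, missing -> no header


def extract_headers(claims: dict, rules) -> dict:
    """Apply every claim_to_headers rule; rules that miss add nothing, silently."""
    headers = {}
    for header_name, claim_name in rules:
        value = header_value(lookup(claims, claim_name))
        if value is not None:
            headers[header_name] = value
    return headers


def unresolvable_rules(claims: dict, rules) -> list:
    """Pre-deployment check: rules that can never produce a header for this token."""
    return [(h, c) for h, c in rules if header_value(lookup(claims, c)) is None]


if __name__ == "__main__":
    for name, value in extract_headers(CLAIMS, RULES).items():
        print(f"{name}: {value}")
    print("rules that never resolve:", unresolvable_rules(CLAIMS, RULES))
```

Running unresolvable_rules against a decoded sample token is the cheap way to catch a rule that silently does nothing before it reaches production, since under this model the filter itself raises no error for a claim_name that never matches.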
CelsoSantos added the triage (Issue requires triage) label on Apr 17, 2024.
adisuissa added the question (Questions that are neither investigations, bugs, nor enhancements) and area/jwt_authn labels and removed the triage (Issue requires triage) label on Apr 19, 2024.
@adisuissa (Contributor) commented

cc @TAOXUY @lizan as codeowners

@github-actions (bot) commented

This issue has been automatically marked as stale because it has not had activity in the last 30 days. It will be closed in the next 7 days unless it is tagged "help wanted" or "no stalebot" or other activity occurs. Thank you for your contributions.

github-actions bot added the stale (stalebot believes this issue/PR has not been touched recently) label on May 19, 2024.
@derekargueta (Member) commented

I'll volunteer to take a look into this

github-actions bot removed the stale (stalebot believes this issue/PR has not been touched recently) label on May 21, 2024.