[Jwt_authn filter] access token is giving Jwt verification fails error #34227

Open
dilippatidar123 opened this issue May 17, 2024 · 2 comments

dilippatidar123 commented May 17, 2024

Hi Team,

We are using the Envoy JWT auth filter to authenticate with an access token passed from the AWS ALB.

http_filters:
  - name: envoy.filters.http.jwt_authn
    typed_config:
      "@type": type.googleapis.com/envoy.extensions.filters.http.jwt_authn.v3.JwtAuthentication
      providers:
        azure_ad_oidc_token:
          issuer: "https://sts.windows.net/{tenantid}/"
          audiences:
            - "00000003-0000-0000-c000-000000000000"
          # from_headers is a repeated field, so each header is a list item
          from_headers:
            - name: 'x-amzn-oidc-accesstoken'
          forward: true
          remote_jwks:
            http_uri:
              uri: "https://login.microsoftonline.com/{tenantid}/discovery/v2.0/keys"
              cluster: jwks_cluster
              timeout: 60s
            cache_duration:
              seconds: 3600
      rules:
        - match:
            prefix: /health
        - match:
            prefix: /customer
          requires:
            provider_name: azure_ad_oidc_token

It's giving a "Jwt verification fails" error when we pass the access token.

Access token format:

{
  "aud": "00000003-0000-0000-c000-000000000000",
  "iss": "https://sts.windows.net/{tenantid}/",
  "iat": 1715943662,
  "nbf": 1715943662,
  "exp": 1715948505,
  "acct": 0,
  "acr": "1",
  "aio": "ATQAy/8WAAAA4t0tBZMxRHG9en9gkaENX6hZ3MQeCa69aZ1n04MxqKarb27psBkvfdbhdcBHn08O",
  "amr": [
    "pwd"
  ],
  "app_displayname": "IdassAuthAppService",
  "appid": ".....",
  "appidacr": "1",
  "idtyp": "user",
  "ipaddr": "203.16.165.129",
  "name": "Dilip",
  "oid": "6aaa8bb0-45e4-4a90-a178-174390a74574",
  "platf": "3",
  "puid": "100320037FA54AB8",
  "rh": "0.AVUA7e-DyRosQEyl4uTux0b6cgMAAAAAAAAAwAAAAAAAAAC_AIE.",
  "scp": "openid profile email",
  "sub": "S372n1GkVn88btkVEmVh0oFz7ZzgRBaXQ7JG6uQmquA",
  "tenant_region_scope": "AS",
  "tid": ".....",
  "unique_name": "test@test.onmicrosoft.com",
  "upn": "test@test.onmicrosoft.com",
  "uti": "ilaJtegQT0-x4a4QZdJVAA",
  "ver": "1.0",
  "wids": [
    "62e90394-69f5-4237-9190-012177145e10",
    "b79fbf4d-3ef9-4689-8143-76b194e85509"
  ],
  "xms_st": {
    "sub": "a46cuSPnc1WRwE7ncoztpZNVZIeP4HrBfoDknO5yfXw"
  },
  "xms_tcdt": 1472379814
}

When we debug the Envoy code, it's failing under envoy/source/extensions/filters/http/jwt_authn/authenticator.cc:


  // Subject check: only enforced when the provider configures `subjects`.
  const bool sub_allowed = jwks_data_->isSubjectAllowed(jwt_->sub_);

  if (!sub_allowed) {
    doneWithStatus(Status::JwtVerificationFail);
    return;
  }

  // Lifetime check: compares `exp` (when present) against the current time.
  absl::optional<absl::Time> exp;
  if (jwt_->exp_) {
    exp = absl::FromUnixSeconds(jwt_->exp_);
  }
  const bool exp_allowed = jwks_data_->isLifetimeAllowed(
      absl::FromChrono(timeSource().systemTime()), exp ? &exp.value() : nullptr);

  if (!exp_allowed) {
    doneWithStatus(Status::JwtVerificationFail);
    return;
  }

But in the access token both the sub and exp parameters are available.

Error logs:

2024-05-16 23:57:22 envoy-1  | [2024-05-16 18:27:22.075][26][debug][jwt] [source/extensions/filters/http/jwt_authn/extractor.cc:255] extract x-amzn-oidc-accesstoken
2024-05-16 23:57:22 envoy-1  | [2024-05-16 18:27:22.075][26][debug][jwt] [source/extensions/filters/http/jwt_authn/authenticator.cc:163] azure_ad_accee_token: JWT authentication starts (allow_failed=false), tokens size=1
2024-05-16 23:57:22 envoy-1  | [2024-05-16 18:27:22.075][26][debug][jwt] [source/extensions/filters/http/jwt_authn/authenticator.cc:174] azure_ad_accee_token: startVerify: tokens size 1
2024-05-16 23:57:22 envoy-1  | [2024-05-16 18:27:22.075][26][debug][jwt] [source/extensions/filters/http/jwt_authn/authenticator.cc:192] azure_ad_accee_token: Parse Jwt  <Token>
2024-05-16 23:57:22 envoy-1  | [2024-05-16 18:27:22.075][26][debug][jwt] [source/extensions/filters/http/jwt_authn/authenticator.cc:203] azure_ad_accee_token: Verifying JWT token of issuer https://sts.windows.net/{tenantid}
2024-05-16 23:57:22 envoy-1  | [2024-05-16 18:27:22.076][26][debug][jwt] [source/extensions/filters/http/jwt_authn/filter.cc:97] Called Filter : decodeHeaders Stop
2024-05-16 23:57:23 envoy-1  | [2024-05-16 18:27:23.230][26][debug][jwt] [source/extensions/filters/http/jwt_authn/authenticator.cc:448] azure_ad_accee_token: JWT token verification completed with: Jwt verification fails
2024-05-16 23:57:23 envoy-1  | [2024-05-16 18:27:23.230][26][debug][jwt] [source/extensions/filters/http/jwt_authn/authenticator.cc:452] status is: Jwt verification fails
2024-05-16 23:57:23 envoy-1  | [2024-05-16 18:27:23.230][26][debug][jwt] [source/extensions/filters/http/jwt_authn/filter.cc:111] Jwt authentication completed with: Jwt verification fails
2024-05-16 23:57:23 envoy-1  | [2024-05-16 18:27:23.230][26][debug][jwt] [source/extensions/filters/http/jwt_authn/filter.cc:46] Called Filter : onDestroy

Please suggest if we are doing anything wrong with the Envoy configuration or the idass configuration.

The ALB configuration is generating the access token via the URL below after login.

https://login.microsoftonline.com/{tenantid}/oauth2/v2.0/authorize?client_id={clientid}&redirect_uri={redirecturl}&response_type=code&scope=openid&state={encodecode}

Note:
The same configuration is working with the ID token that we generate from curl commands.

Please let me know if you need any other details to investigate.

Thanks,
Dilip

@dilippatidar123 dilippatidar123 added the triage Issue requires triage label May 17, 2024
@dilippatidar123 dilippatidar123 changed the title [Jwt_authn filter] Using access token giving Jwt verification fails error [Jwt_authn filter] access token is giving Jwt verification fails error May 17, 2024
@ravenblackx ravenblackx added area/jwt_authn and removed triage Issue requires triage labels May 17, 2024
ravenblackx (Contributor) commented:

@TAOXUY


ViswanathB commented May 22, 2024

I am running into JWTVerificationFail, but likely because I don't have sub in my access token. This access token is requested by the client using the client_credentials grant (https://www.oauth.com/oauth2-servers/access-tokens/client-credentials/).

I am trying to see if sub can be part of the client configuration, but want to confirm: is sub required for the access token to be valid? Why?

EDIT 1: Found the documentation: if subjects are not provided, they won't be verified:
subjects under https://www.envoyproxy.io/docs/envoy/latest/api-v3/type/matcher/v3/string.proto#envoy-v3-api-msg-type-matcher-v3-stringmatcher
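As an added example (not Envoy's code and not from either poster), the Python pre-check below mirrors the claim checks the jwt_authn provider applies after signature verification: exact issuer comparison, audience membership, lifetime with clock skew, and the optional subjects matcher. It serves both the original config above and the no-sub client_credentials case in this comment; it assumes a 60-second skew, models only the `exact` and `prefix` StringMatcher forms, and builds an unsigned sample token from the claims shown in the issue (signature checks are out of scope here).

```python
import base64
import json

def b64url_decode(segment: str) -> bytes:
    # JWT segments omit base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def decode_payload(token: str) -> dict:
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected a compact JWS with three dot-separated segments")
    return json.loads(b64url_decode(parts[1]))

def check_claims(claims: dict, provider: dict, now: int, clock_skew: int = 60) -> list:
    """Return the failures the provider's claim checks would raise; [] means they pass."""
    failures = []
    issuer = provider.get("issuer")
    if issuer is not None and claims.get("iss") != issuer:  # exact compare: a trailing slash matters
        failures.append(f"iss {claims.get('iss')!r} != configured issuer {issuer!r}")
    audiences = provider.get("audiences") or []
    aud = claims.get("aud")
    token_auds = aud if isinstance(aud, list) else [aud]
    if audiences and not any(a in audiences for a in token_auds):
        failures.append(f"aud {token_auds} not in configured audiences {audiences}")
    if "exp" in claims and claims["exp"] + clock_skew < now:
        failures.append("exp: token expired")
    if "nbf" in claims and claims["nbf"] - clock_skew > now:
        failures.append("nbf: token not yet valid")
    subjects = provider.get("subjects")  # StringMatcher; only 'exact' and 'prefix' are modelled here
    if subjects is not None:  # no 'subjects' in the provider -> sub is never checked at all
        sub = claims.get("sub") or ""
        ok = sub == subjects["exact"] if "exact" in subjects else sub.startswith(subjects["prefix"])
        if not ok:
            failures.append(f"sub {sub!r} does not match configured subjects")
    return failures

def make_unsigned_token(payload: dict) -> str:
    # Constructed test token: real compact-JWS shape, but a dummy signature segment.
    enc = lambda obj: base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'RS256', 'kid': 'constructed'})}.{enc(payload)}.c2ln"

# Claims from the issue's access token (abbreviated) and the provider block from its config.
ISSUE_CLAIMS = {"aud": "00000003-0000-0000-c000-000000000000", "iss": "https://sts.windows.net/{tenantid}/",
                "iat": 1715943662, "nbf": 1715943662, "exp": 1715948505,
                "sub": "S372n1GkVn88btkVEmVh0oFz7ZzgRBaXQ7JG6uQmquA"}
ISSUE_PROVIDER = {"issuer": "https://sts.windows.net/{tenantid}/",
                  "audiences": ["00000003-0000-0000-c000-000000000000"]}
```

If this pre-check passes for a token that Envoy still rejects, the remaining candidates are the signature/JWKS step, which runs before these claim checks, and the rules/match configuration.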
