rshriram Merge master into release-1.1 (#2031)
* Improve performance by removing MD5 for check cache keys (#2002)

* Improve performance by removing MD5 for check cache keys

Signed-off-by: Wayne Zhang <qiwzhang@google.com>

* not to allocate memory from stack

Signed-off-by: Wayne Zhang <qiwzhang@google.com>

* Make debug string readable

Signed-off-by: Wayne Zhang <qiwzhang@google.com>

* alts: remove ALTS (#2003)

Signed-off-by: Lizan Zhou <lizan@tetrate.io>

* Use std::hash for check cache. (#2009)

Signed-off-by: Wayne Zhang <qiwzhang@google.com>

* Remove tests to compare signature values (#2015)

Signed-off-by: Wayne Zhang <qiwzhang@google.com>

* update sample envoy config to latest version (#2016)

* Add a new TCP cluster rewrite filter (#2017)

* Add a new TCP cluster rewrite filter

This commit adds a new TCP cluster rewrite filter which allows users to
rewrite TCP cluster names obtained via TLS SNI by matching via regex
configuration.

Signed-off-by: Venil Noronha <veniln@vmware.com>

* Make TCP cluster rewrite stackable on SNI filter

This commit updates the TCP Cluster Rewrite filter to be stackable on
the SNI Cluster filter.

Signed-off-by: Venil Noronha <veniln@vmware.com>

* Update TCP Cluster Rewrite filter name (#2019)

This commit updates the TCP Cluster Rewrite filter name to
envoy.filters.network.tcp_cluster_rewrite.

Signed-off-by: Venil Noronha <veniln@vmware.com>

* Enable TCP Cluster Rewrite filter registration (#2021)

This commit enables the static registration of the TCP Cluster Rewrite
filter by updating the build configuration.

Signed-off-by: Venil Noronha <veniln@vmware.com>

* Update Envoy SHA to 4ef8562b (#2023)

Envoy /server_info API was inconsistent intermittently causing errors on
a Proxy update on Istio. This update will bring in the API fix to Istio.

Signed-off-by: Venil Noronha <veniln@vmware.com>

* add proxy postsubmit periodic (#2025)
Latest commit 4d8eb98 Nov 8, 2018
integration_test Update Envoy SHA to a637506d (#1982) Sep 28, 2018
sample update sample envoy config to latest version (#2016) Nov 1, 2018
tools Support es256 (#1185) Mar 7, 2018
BUILD Using request dynamic metadata to pass data from JWT filter to authn … Aug 7, 2018
ImplementationNotes.md Move envoy code to src/envoy/http folder (#1140) Feb 21, 2018
README.md update sample envoy config to latest version (#2016) Nov 1, 2018
auth_store.h merge 1.0 branch to master (#1885) Aug 1, 2018
http_filter.cc Update Envoy SHA to c41fa7118e69a0872074d7a685a62331c5d5c17e (#2029) Nov 8, 2018
http_filter.h Using request dynamic metadata to pass data from JWT filter to authn … Aug 7, 2018
http_filter_factory.cc Using request dynamic metadata to pass data from JWT filter to authn … Aug 7, 2018
jwt.cc Pubkey kid alg optional (#1203) Mar 12, 2018
jwt.h Pubkey kid alg optional (#1203) Mar 12, 2018
jwt_authenticator.cc Using request dynamic metadata to pass data from JWT filter to authn … Aug 7, 2018
jwt_authenticator.h Using request dynamic metadata to pass data from JWT filter to authn … Aug 7, 2018
jwt_authenticator_test.cc Update clang to 6.0 and use it for release binaries. (#1914) Aug 14, 2018
jwt_test.cc Pubkey kid alg optional (#1203) Mar 12, 2018
pubkey_cache.h Use jwt_auth filter config from istio/api (#1804) Jun 7, 2018
token_extractor.cc Use jwt_auth filter config from istio/api (#1804) Jun 7, 2018
token_extractor.h Use jwt_auth filter config from istio/api (#1804) Jun 7, 2018
token_extractor_test.cc Update clang to 6.0 and use it for release binaries. (#1914) Aug 14, 2018

README.md

JWT Authentication Proxy

Overview

(TODO:figure)

Processing flow

Soon after the server runs:

  1. This proxy runs as a sidecar of the server.
  2. Configure which issuers to use, via the Envoy config.

Before a user sends a request:

  1. The user should request an access token (JWT) from an issuer.
    • Note: the JWT claims should contain aud, sub, iss and exp.

For every request from the user client:

  1. The client sends an HTTP request together with the JWT, which is intercepted by this proxy.
  2. The proxy verifies the JWT:
    • The signature should be valid
    • The JWT should not be expired
    • The issuer (and audience) should be valid
  3. If the JWT is valid, the user is authenticated and the request is passed to the server, together with the JWT payload (user identity).
    If the JWT is not valid, the request is discarded and the proxy sends a response with an error message.

How to build it

  bazel build //src/envoy:envoy

How to run it

  • Start the Envoy proxy:
    bazel-bin/src/envoy/envoy -c src/envoy/http/jwt_auth/sample/envoy.conf
  • Start the backend Echo server:
    go run test/backend/echo/echo.go
  • Then issue an HTTP request to the proxy.

With valid JWT:

token=`cat src/envoy/http/jwt_auth/sample/correct_jwt`
curl --header "Authorization: Bearer $token" http://localhost:9090/echo -d "hello world"

Note: the token is generated by:

With invalid JWT:

token=`cat src/envoy/http/jwt_auth/sample/invalid_jwt`
curl --header "Authorization: Bearer $token" http://localhost:9090/echo -d "hello world"

How it works

How to receive JWT

If an HTTP request contains a JWT in the HTTP Authorization header:

  • Authorization: Bearer <JWT>

the Envoy proxy will try to verify it with the configured issuers.

Behavior after verification

  • If verification fails, the request will not be passed to the backend and the proxy will send a response with the status code 401 (Unauthorized) and the failure reason as message body.

  • If verification succeeds, the request will be passed to the backend, together with an additional HTTP header:

    sec-istio-auth-userinfo: <UserInfo>

    Here, <UserInfo> is the base64-encoded payload JSON.

  • The Authorization header carrying the JWT is removed before the request is forwarded.

How to configure it

Add this filter to the filter chain

In Envoy config,

"filters": [
  {
    "type": "decoder",
    "name": "jwt-auth",
    "config": <config>
  },
  ...
]

Config format

The format of <config> is defined by the AuthFilterConfig message in the config.proto file. It can be specified in JSON format as in the following example:

{
  "jwts": [
    {
      "issuer": "issuer1_name",
      "audiences": [
        "audience1",
        "audience2"
      ],
      "jwks_uri": "http://server1/path1",
      "jwks_uri_envoy_cluster": "issuer1_cluster"
    },
    {
      "issuer": "issuer2_name",
      "audiences": [],
      "jwks_uri": "server2",
      "jwks_uri_envoy_cluster": "issuer2_cluster",
      "public_key_cache_duration": {
        "seconds": 600,
        "nanos": 1000
      }
    }
  ]
}

Clusters

All public key servers should be listed in the "clusters" section of the Envoy config. The format of the "url" inside the "hosts" section is "tcp://host-name:port".

Example:

"clusters": [
  {
    "name": "example_issuer",
    "connect_timeout_ms": 5000,
    "type": "strict_dns",
    "circuit_breakers": {
      "default": {
        "max_pending_requests": 10000,
        "max_requests": 10000
      }
    },
    "lb_type": "round_robin",
    "hosts": [
      {
        "url": "tcp://account.example.com:8080"
      }
    ]
  },
  ...
]