envoy
[jwt_authn filter] Access token gives "Jwt verification fails" error
Hi Team,
We are using the Envoy jwt_authn filter to authenticate with the access token passed from an AWS ALB.
```yaml
http_filters:
- name: envoy.filters.http.jwt_authn
  typed_config:
    "@type": type.googleapis.com/envoy.extensions.filters.http.jwt_authn.v3.JwtAuthentication
    providers:
      azure_ad_oidc_token:
        issuer: "https://sts.windows.net/{tenantid}/"
        audiences:
        - "00000003-0000-0000-c000-000000000000"
        from_headers:
        - name: 'x-amzn-oidc-accesstoken'
        forward: true
        remote_jwks:
          http_uri:
            uri: "https://login.microsoftonline.com/{tenantid}/discovery/v2.0/keys"
            cluster: jwks_cluster
            timeout: 60s
          cache_duration:
            seconds: 3600
    rules:
    - match:
        prefix: /health
    - match:
        prefix: /customer
      requires:
        provider_name: azure_ad_oidc_token
```
It gives a "Jwt verification fails" error when we pass the access token.
Access token format:
```json
{
  "aud": "00000003-0000-0000-c000-000000000000",
  "iss": "https://sts.windows.net/{tenantid}/",
  "iat": 1715943662,
  "nbf": 1715943662,
  "exp": 1715948505,
  "acct": 0,
  "acr": "1",
  "aio": "ATQAy/8WAAAA4t0tBZMxRHG9en9gkaENX6hZ3MQeCa69aZ1n04MxqKarb27psBkvfdbhdcBHn08O",
  "amr": [
    "pwd"
  ],
  "app_displayname": "IdassAuthAppService",
  "appid": ".....",
  "appidacr": "1",
  "idtyp": "user",
  "ipaddr": "203.16.165.129",
  "name": "Dilip",
  "oid": "6aaa8bb0-45e4-4a90-a178-174390a74574",
  "platf": "3",
  "puid": "100320037FA54AB8",
  "rh": "0.AVUA7e-DyRosQEyl4uTux0b6cgMAAAAAAAAAwAAAAAAAAAC_AIE.",
  "scp": "openid profile email",
  "sub": "S372n1GkVn88btkVEmVh0oFz7ZzgRBaXQ7JG6uQmquA",
  "tenant_region_scope": "AS",
  "tid": ".....",
  "unique_name": "[email protected]",
  "upn": "[email protected]",
  "uti": "ilaJtegQT0-x4a4QZdJVAA",
  "ver": "1.0",
  "wids": [
    "62e90394-69f5-4237-9190-012177145e10",
    "b79fbf4d-3ef9-4689-8143-76b194e85509"
  ],
  "xms_st": {
    "sub": "a46cuSPnc1WRwE7ncoztpZNVZIeP4HrBfoDknO5yfXw"
  },
  "xms_tcdt": 1472379814
}
```
When we debug the Envoy code, it fails in envoy/source/extensions/filters/http/jwt_authn/authenticator.cc:
```cpp
const bool sub_allowed = jwks_data_->isSubjectAllowed(jwt_->sub_);
if (!sub_allowed) {
  doneWithStatus(Status::JwtVerificationFail);
  return;
}

absl::optional<absl::Time> exp;
if (jwt_->exp_) {
  exp = absl::FromUnixSeconds(jwt_->exp_);
}
const bool exp_allowed = jwks_data_->isLifetimeAllowed(
    absl::FromChrono(timeSource().systemTime()), exp ? &exp.value() : nullptr);
if (!exp_allowed) {
  doneWithStatus(Status::JwtVerificationFail);
  return;
}
```
But both the sub and exp parameters are present in the access token.
Error logs:
```text
2024-05-16 23:57:22 envoy-1 | [2024-05-16 18:27:22.075][26][debug][jwt] [source/extensions/filters/http/jwt_authn/extractor.cc:255] extract x-amzn-oidc-accesstoken
2024-05-16 23:57:22 envoy-1 | [2024-05-16 18:27:22.075][26][debug][jwt] [source/extensions/filters/http/jwt_authn/authenticator.cc:163] azure_ad_accee_token: JWT authentication starts (allow_failed=false), tokens size=1
2024-05-16 23:57:22 envoy-1 | [2024-05-16 18:27:22.075][26][debug][jwt] [source/extensions/filters/http/jwt_authn/authenticator.cc:174] azure_ad_accee_token: startVerify: tokens size 1
2024-05-16 23:57:22 envoy-1 | [2024-05-16 18:27:22.075][26][debug][jwt] [source/extensions/filters/http/jwt_authn/authenticator.cc:192] azure_ad_accee_token: Parse Jwt <Token>
2024-05-16 23:57:22 envoy-1 | [2024-05-16 18:27:22.075][26][debug][jwt] [source/extensions/filters/http/jwt_authn/authenticator.cc:203] azure_ad_accee_token: Verifying JWT token of issuer https://sts.windows.net/{tenantid}
2024-05-16 23:57:22 envoy-1 | [2024-05-16 18:27:22.076][26][debug][jwt] [source/extensions/filters/http/jwt_authn/filter.cc:97] Called Filter : decodeHeaders Stop
2024-05-16 23:57:23 envoy-1 | [2024-05-16 18:27:23.230][26][debug][jwt] [source/extensions/filters/http/jwt_authn/authenticator.cc:448] azure_ad_accee_token: JWT token verification completed with: Jwt verification fails
2024-05-16 23:57:23 envoy-1 | [2024-05-16 18:27:23.230][26][debug][jwt] [source/extensions/filters/http/jwt_authn/authenticator.cc:452] status is: Jwt verification fails
2024-05-16 23:57:23 envoy-1 | [2024-05-16 18:27:23.230][26][debug][jwt] [source/extensions/filters/http/jwt_authn/filter.cc:111] Jwt authentication completed with: Jwt verification fails
2024-05-16 23:57:23 envoy-1 | [2024-05-16 18:27:23.230][26][debug][jwt] [source/extensions/filters/http/jwt_authn/filter.cc:46] Called Filter : onDestroy
```
Please suggest whether we are doing anything wrong in the Envoy configuration or the idass configuration.
The ALB configuration generates the access token via the URL below after login:
https://login.microsoftonline.com/{tenantid}/oauth2/v2.0/authorize?client_id={clientid}&redirect_uri={redirecturl}&response_type=code&scope=openid&state={encodecode}
Note: the same configuration works with the ID token that we generate from curl commands.
Please let me know if you need any other details to investigate.
Thanks, Dilip
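Added example, not code from the issue or from Envoy: a Go program that replays the checks the jwt_authn filter runs on a token and reports which step rejects it, so the single "Jwt verification fails" status can be traced to a cause. Envoy's jwt_verify_lib reports an unknown issuer, a disallowed audience, a missing kid and an expired token each with its own status; "Jwt verification fails" is what the signature check returns when no key in the JWKS verifies the token, and what the subject and lifetime checks in the snippet above return when the provider's optional subject or lifetime constraints are configured. The issuer, audience and claim values are taken from the post; the key pair, the kid `k1`, the stage names, the 60 s clock skew and the `SubjectPrefix` stand-in for the provider's `subjects` matcher are the example's own assumptions, and package slices needs Go 1.21 or later. One design point worth checking against the config: 00000003-0000-0000-c000-000000000000 is Microsoft Graph's application ID, so a token with that aud was issued for Graph, not for the gateway; a gateway should accept only tokens whose aud is its own API.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"slices"
	"strings"
	"time"
)

// Provider mirrors the provider in the issue's config. Keys is the JWKS that remote_jwks fetches,
// already parsed and indexed by kid; SubjectPrefix stands in for a `subjects` prefix matcher
// (empty means sub is not checked at all).
type Provider struct{ Issuer, SubjectPrefix string; Audiences []string; Keys map[string]*rsa.PublicKey }

var enc = base64.RawURLEncoding

// Sign builds an RS256 compact JWS; it exists only to construct test tokens.
func Sign(key *rsa.PrivateKey, kid string, claims map[string]any) string {
	hdr, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT", "kid": kid})
	body, _ := json.Marshal(claims)
	input := enc.EncodeToString(hdr) + "." + enc.EncodeToString(body)
	h := sha256.Sum256([]byte(input))
	sig, _ := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, h[:]) // cannot fail for a well-formed key
	return input + "." + enc.EncodeToString(sig)
}

// Verify applies the checks the filter performs and names the first one that fails ("ok" if none):
// parse, iss, aud, kid lookup, RS256 signature, exp with 60 s of clock skew, then the optional
// subject check. Any alg other than RS256 fails at the signature step, since only RSA is tried.
func Verify(p Provider, token string, now time.Time) (string, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return "parse", fmt.Errorf("expected 3 segments, got %d", len(parts))
	}
	var hdr struct{ Kid string }
	var c struct{ Iss, Sub, Aud string; Exp int64 } // aud as one string, as in the issue's token; an array aud is reported as a parse failure here
	for i, v := range []any{&hdr, &c} {
		if raw, err := enc.DecodeString(parts[i]); err != nil || json.Unmarshal(raw, v) != nil {
			return "parse", fmt.Errorf("segment %d is not base64url-encoded JSON", i)
		}
	}
	if c.Iss != p.Issuer {
		return "iss", fmt.Errorf("issuer %q is not configured", c.Iss)
	}
	if !slices.Contains(p.Audiences, c.Aud) {
		return "aud", fmt.Errorf("aud %q is not in %v", c.Aud, p.Audiences)
	}
	pub, ok := p.Keys[hdr.Kid]
	if !ok {
		return "kid", fmt.Errorf("no key with kid %q in the JWKS", hdr.Kid)
	}
	h := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if sig, _ := enc.DecodeString(parts[2]); rsa.VerifyPKCS1v15(pub, crypto.SHA256, h[:], sig) != nil {
		return "signature", fmt.Errorf("signature does not verify against kid %q", hdr.Kid)
	}
	if c.Exp != 0 && now.Unix() > c.Exp+60 {
		return "exp", fmt.Errorf("expired at %d, now %d", c.Exp, now.Unix())
	}
	if p.SubjectPrefix != "" && !strings.HasPrefix(c.Sub, p.SubjectPrefix) {
		return "sub", fmt.Errorf("sub %q does not match prefix %q", c.Sub, p.SubjectPrefix)
	}
	return "ok", nil
}

// RunScenarios signs tokens shaped like the issue's (constructed key pair and claims) and
// reports the stage at which each one fails.
func RunScenarios() map[string]string {
	issuer, graph := "https://sts.windows.net/{tenantid}/", "00000003-0000-0000-c000-000000000000"
	trusted, _ := rsa.GenerateKey(rand.Reader, 2048)
	rogue, _ := rsa.GenerateKey(rand.Reader, 2048) // never published in the JWKS
	p := Provider{Issuer: issuer, Audiences: []string{graph}, Keys: map[string]*rsa.PublicKey{"k1": &trusted.PublicKey}}
	now := time.Unix(1715943662, 0) // the iat of the token in the issue
	claims := func(aud string, exp int64) map[string]any {
		return map[string]any{"aud": aud, "iss": issuer, "exp": exp, "ver": "1.0", "sub": "S372n1GkVn88btkVEmVh0oFz7ZzgRBaXQ7JG6uQmquA"}
	}
	tokens := map[string]string{
		"valid":          Sign(trusted, "k1", claims(graph, now.Unix()+4843)),
		"wrong-key":      Sign(rogue, "k1", claims(graph, now.Unix()+4843)),
		"wrong-audience": Sign(trusted, "k1", claims("api://gateway", now.Unix()+4843)),
		"expired":        Sign(trusted, "k1", claims(graph, now.Unix()-3600)),
	}
	out := map[string]string{}
	for name, tok := range tokens {
		out[name], _ = Verify(p, tok, now)
	}
	strict := p // the same provider with a `subjects` prefix matcher configured
	strict.SubjectPrefix = "svc-"
	out["subject-mismatch"], _ = Verify(strict, tokens["valid"], now)
	return out
}

func main() { fmt.Println(RunScenarios()) }
```

To use it against a real token, replace the constructed `Keys` map with the keys parsed from the tenant's discovery/v2.0/keys document and pass the header value the ALB sets; the "wrong-key" case is what a token signed by a key that is not in that JWKS looks like, and the "subject-mismatch" case only appears once a `subjects` matcher is configured.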
@TAOXUY
I am running into JWTVerificationFail, but likely because I don't have sub in my access token. This access token is requested by the client using the client_credentials grant (https://www.oauth.com/oauth2-servers/access-tokens/client-credentials/). I am trying to see if sub can be part of the client configuration, but want to confirm: is sub required for the access token to be valid? Why?
EDIT 1: Found the documentation: if subjects are not provided, they won't be verified. See subjects under https://www.envoyproxy.io/docs/envoy/latest/api-v3/type/matcher/v3/string.proto#envoy-v3-api-msg-type-matcher-v3-stringmatcher