
oidc cookies not created

Open zetaab opened this issue 1 year ago • 6 comments

Description:

I have a SecurityPolicy that authenticates the user using OIDC and then verifies it with JWT. However, the IdToken is not created automatically anymore. When forwardAccessToken: true is defined, the IdToken is created, but otherwise the cookie will be empty.

The behaviour changed in https://github.com/envoyproxy/gateway/pull/3567, but to me it looks like this preserve_authorization_header now removes cookies as well.

Repro steps:

Create a SecurityPolicy for the endpoint using the following (the cookie will be created only if forwardAccessToken: true is defined):

apiVersion: gateway.envoyproxy.io/v1alpha1
kind: SecurityPolicy
metadata:
  name: xx-dev-oidc
spec:
  jwt:
    providers:
    - claimToHeaders:
      - claim: cognito:groups
        header: x-user-groups
      - claim: email
        header: x-user-email
      extractFrom:
        cookies:
        - IdToken
      name: cognito
      remoteJWKS:
        uri: https://cognito-idp.eu-central-1.amazonaws.com/xxx/.well-known/jwks.json
  oidc:
    clientID: yyy
    clientSecret:
      group: ""
      kind: Secret
      name: backstage-oidc
    cookieNames:
      idToken: IdToken
    provider:
      issuer: https://cognito-idp.eu-central-1.amazonaws.com/xxx
    scopes:
    - openid
    - email
    - profile
  targetRef:
    group: gateway.networking.k8s.io
    kind: HTTPRoute
    name: backstage-dev

Environment:

envoy-gateway is compiled from the main branch using commit d49337b9c5d418a88bae84b2592b7c4b907f7134

zetaab, Jun 20 '24 04:06
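A way to confirm the symptom described in the issue, as an added example that is not part of the original report or of the Envoy Gateway code base: it inspects Set-Cookie headers captured from the OIDC callback response and reports whether the IdToken cookie is missing, empty, not JWT-shaped, or a JWT lacking the claims the policy maps to headers. The sample headers and token are constructed, the function names are hypothetical, and the JWT signature is not verified.

```python
import base64
import json
from http.cookies import SimpleCookie

# Claims that the policy's claimToHeaders section maps to request headers.
REQUIRED_CLAIMS = ("cognito:groups", "email")


def jwt_claims(value):
    """Decode the payload of a three-part JWT; the signature is NOT verified."""
    parts = value.split(".")
    if len(parts) != 3 or not all(parts):
        return None
    try:
        padded = parts[1] + "=" * (-len(parts[1]) % 4)
        claims = json.loads(base64.urlsafe_b64decode(padded))
    except ValueError:  # bad base64, bad UTF-8 or bad JSON
        return None
    return claims if isinstance(claims, dict) else None


def check_id_token_cookie(set_cookie_headers, cookie_name="IdToken"):
    """Return (status, missing_claims); status: missing, empty, not-jwt, ok."""
    for header in set_cookie_headers:
        jar = SimpleCookie()
        jar.load(header)
        if cookie_name not in jar:
            continue
        value = jar[cookie_name].value
        if not value:
            return "empty", list(REQUIRED_CLAIMS)
        claims = jwt_claims(value)
        if claims is None:
            return "not-jwt", list(REQUIRED_CLAIMS)
        return "ok", [c for c in REQUIRED_CLAIMS if c not in claims]
    return "missing", list(REQUIRED_CLAIMS)


def b64url(obj):
    raw = json.dumps(obj).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


# Constructed sample data: an unsigned token and two Set-Cookie header sets.
SAMPLE_JWT = ".".join([b64url({"alg": "RS256"}),
                       b64url({"email": "user@example.com",
                               "cognito:groups": ["dev"]}), "c2lnbmF0dXJl"])
WORKING = ["IdToken=" + SAMPLE_JWT + "; Path=/; Secure; HttpOnly"]
BROKEN = ["IdToken=; Path=/; Secure; HttpOnly"]
```

`check_id_token_cookie(BROKEN)` reports `empty`, the state in which a JWT provider extracting from that cookie has no token to validate.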