
Validate ID Token when OIDC is set

Open arkodg opened this issue 1 year ago • 24 comments

Description:

The OIDC spec calls out verifying the ID Token https://openid.net/specs/openid-connect-core-1_0.html#IDTokenValidation

This could be enabled by default or as an opt-in.


arkodg avatar Mar 05 '25 15:03 arkodg

cc @denniskniep @zhaohuabing

arkodg avatar Mar 05 '25 15:03 arkodg

Hey, I'm looking to start working on Envoy Gateway and wouldn't mind picking this one up

markwinter avatar Mar 06 '25 15:03 markwinter

/assign @markwinter

markwinter avatar Mar 06 '25 15:03 markwinter

thanks for picking this one up @markwinter, recommend starting off with an API PR

arkodg avatar Mar 06 '25 22:03 arkodg

@arkodg @markwinter I believe this needs to be supported by the Envoy OAuth2 filter first, then we can enable validation in EG.

zhaohuabing avatar Mar 07 '25 10:03 zhaohuabing

@zhaohuabing can't we add jwt authn if this field is set ?

arkodg avatar Mar 07 '25 14:03 arkodg

I found related discussions here https://github.com/envoyproxy/gateway/discussions/2425#discussioncomment-8722381 https://github.com/envoyproxy/envoy/issues/32805

I checked that the forward_bearer_token in the oauth2 filter will set the access token in the Authorization header https://github.com/envoyproxy/envoy/blob/22a07c31780d8b3b95460c0cc7333ab5e14b89ab/source/extensions/filters/http/oauth2/filter.cc#L882-L884

Perhaps this can be implemented by combining the oauth2 filter and the jwt filter as you mentioned @arkodg, and using jwtExtractor/from_cookies to get the id token from the cookie set by the oauth2 filter.

I think I know the path forward here so will start on the API PR

markwinter avatar Mar 08 '25 01:03 markwinter

@arkodg Opened the API PR here if you could have a look please and see if it aligns with what you were thinking https://github.com/envoyproxy/gateway/pull/5443

markwinter avatar Mar 08 '25 23:03 markwinter

@zhaohuabing can't we add jwt authn if this field is set ?

@arkodg @markwinter I think JWT authentication is used for general-purpose authentication with JWT tokens. However, ID Token Validation requires additional checks specific to OIDC ID tokens. Some general checks, such as iss and aud claim validation, can be done with the JWT filter, but others—such as alg, nonce, and acr—require validation rules that are unique to OIDC and can't be achieved with the JWT filter.

If our immediate goal is to validate only the iss and aud claims, this can be handled within the JWT section of a SecurityPolicy. Introducing partial validation within the OIDC API does not provide significant value, as it would duplicate existing functionality of the JWT authn.

zhaohuabing avatar Mar 10 '25 05:03 zhaohuabing

@zhaohuabing

Verifying the alg is part of JWT signed token verification, that's why JWKS can be supplied in the JWT Authentication filter.

https://github.com/envoyproxy/envoy/blob/eb398e9e4e0e33c8d68d5b9f86db88f236fd57c4/source/extensions/filters/http/jwt_authn/authenticator.cc#L324

https://github.com/google/jwt_verify_lib/blob/master/src/verify.cc#L210

The nonce and acr are oidc specific though and are dependent on whether they were requested in the initial authentication request

markwinter avatar Mar 10 '25 09:03 markwinter

@zhaohuabing

Verifying the alg is part of JWT signed token verification, that's why JWKS can be supplied in the JWT Authentication filter.

I mean this alg validation:

The alg value SHOULD be the default of RS256 or the algorithm sent by the Client in the id_token_signed_response_alg parameter during Registration

zhaohuabing avatar Mar 10 '25 11:03 zhaohuabing
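The checks discussed above (iss, aud/azp, alg, nonce, acr) written out as code, as an added example that is not Envoy, Envoy Gateway or any commenter's code. It follows the numbered steps of the OIDC Core ID Token Validation section linked in the issue; to run offline it mints and verifies tokens with HS256 (HMAC-SHA256) instead of the RS256 default, so the expected algorithm is passed in explicitly, and the issuer, client id, key and claim values are constructed sample data. The point it illustrates is the one made in the thread: signature, iss and aud are what a generic JWT filter covers, while the alg, nonce and acr checks depend on what the client registered or sent in the Authentication Request and need state the JWT filter does not have.

```python
import base64
import hashlib
import hmac
import json
import time


def _b64url_encode(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_id_token(claims, key, alg="HS256"):
    """Constructed helper: mint a compact-JWS ID Token for the demo.

    Always signs with HMAC-SHA256; the alg header is a parameter only so the
    validator's alg check can be exercised with a mislabelled token.
    """
    header = {"alg": alg, "typ": "JWT"}
    signing_input = (_b64url_encode(json.dumps(header).encode())
                     + "." + _b64url_encode(json.dumps(claims).encode()))
    sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url_encode(sig)


def validate_id_token(token, key, *, issuer, client_id, expected_alg,
                      expected_nonce=None, required_acr=None, max_token_age=None, now=None):
    """Return the list of failed checks; an empty list means the token is valid.

    Numbers in the comments are the steps of OIDC Core 1.0 section 3.1.3.7.
    """
    now = time.time() if now is None else now
    failures = []
    try:
        h, p, s = token.split(".")
        header = json.loads(_b64url_decode(h))
        claims = json.loads(_b64url_decode(p))
        signature = _b64url_decode(s)
    except ValueError:
        return ["malformed token"]

    # 7: alg must be RS256 or the algorithm registered as id_token_signed_response_alg.
    #    Checked before the signature so "none" or a downgraded alg never reaches the verifier.
    if header.get("alg") != expected_alg:
        failures.append("alg %r is not the expected %r" % (header.get("alg"), expected_alg))
    # 6: verify the signature (this demo only carries an HS256 verifier; fail closed otherwise).
    elif expected_alg == "HS256":
        expected_sig = hmac.new(key, (h + "." + p).encode("ascii"), hashlib.sha256).digest()
        if not hmac.compare_digest(signature, expected_sig):
            failures.append("signature mismatch")
    else:
        failures.append("no verifier for %s in this demo" % expected_alg)

    # 2: iss must exactly match the issuer the token was obtained from.
    if claims.get("iss") != issuer:
        failures.append("iss mismatch")
    # 3: aud must list this client; a single string or a list are both allowed.
    aud = claims.get("aud")
    audiences = [aud] if isinstance(aud, str) else list(aud or [])
    if client_id not in audiences:
        failures.append("aud does not contain client_id")
    # 4/5: with several audiences azp should be present, and azp must equal client_id.
    if len(audiences) > 1 and "azp" not in claims:
        failures.append("multiple audiences without azp")
    if "azp" in claims and claims["azp"] != client_id:
        failures.append("azp mismatch")
    # 9: exp must lie in the future.
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or exp <= now:
        failures.append("exp missing or in the past")
    # 10: iat may be bounded by local policy (None disables the check).
    if max_token_age is not None:
        iat = claims.get("iat")
        if not isinstance(iat, (int, float)) or now - iat > max_token_age:
            failures.append("iat missing or too old")
    # 11: nonce must equal the value this client sent in the Authentication Request.
    if expected_nonce is not None and claims.get("nonce") != expected_nonce:
        failures.append("nonce mismatch")
    # 12: acr, when one was requested, must be one of the requested values.
    if required_acr is not None and claims.get("acr") not in required_acr:
        failures.append("acr not among requested values")
    return failures


# Constructed sample data: the issuer, client id and key are placeholders.
ISSUER = "https://issuer.example"
CLIENT_ID = "my-client"
KEY = b"constructed-demo-key"
NOW = 1_700_000_000


def demo():
    """Validate one good token and three tokens that must be rejected."""
    base = {"iss": ISSUER, "sub": "user-1", "aud": CLIENT_ID,
            "exp": NOW + 300, "iat": NOW, "nonce": "n-1"}
    kwargs = dict(issuer=ISSUER, client_id=CLIENT_ID, expected_alg="HS256",
                  expected_nonce="n-1", now=NOW)
    return {
        "good": validate_id_token(make_id_token(base, KEY), KEY, **kwargs),
        # token from a different login of the same user: nonce does not match this request
        "replayed": validate_id_token(make_id_token({**base, "nonce": "n-0"}, KEY), KEY, **kwargs),
        # token issued by the same issuer to a different client
        "other_client": validate_id_token(make_id_token({**base, "aud": "other-client"}, KEY), KEY, **kwargs),
        # alg header mislabelled as "none"
        "alg_none": validate_id_token(make_id_token(base, KEY, alg="none"), KEY, **kwargs),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, "valid" if not result else result)
```

Running the module prints one line per case; only the first token comes back valid. The nonce and acr arguments are the part a proxy-side validator has to carry over from the Authentication Request it generated, which is why the thread lands on doing this inside the OAuth2 filter rather than in a stateless JWT filter.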

/unassign @markwinter

markwinter avatar Mar 13 '25 19:03 markwinter

I am also +1 to add full conformance with OIDC validations natively to the Envoy OAuth2 filter. Another benefit is that then, from the Envoy perspective, the OAuth2 filter can be used in isolation instead of relying on the jwt filter for validation, which means it is secure by default. Secure by default is generally a good idea from my point of view.

denniskniep avatar Mar 13 '25 20:03 denniskniep

This issue has been automatically marked as stale because it has not had activity in the last 30 days.

github-actions[bot] avatar Apr 13 '25 00:04 github-actions[bot]

This issue has been automatically marked as stale because it has not had activity in the last 30 days.

github-actions[bot] avatar May 24 '25 08:05 github-actions[bot]

any update about this issue?

Windfarer avatar Jun 05 '25 03:06 Windfarer

@Windfarer Do you have use case for this?

I believe we need to add OIDC ID Token validation in the upstream Envoy OAuth2 filter because of this.

zhaohuabing avatar Jun 12 '25 01:06 zhaohuabing

This issue has been automatically marked as stale because it has not had activity in the last 30 days.

github-actions[bot] avatar Jul 12 '25 04:07 github-actions[bot]

If ID token validation is missing, OIDC isn't implemented. https://github.com/envoyproxy/gateway/issues/881 isn't really completed.

Should the docs maybe be updated to explain the current state?

michaelbeaumont avatar Aug 01 '25 21:08 michaelbeaumont

It's quite difficult to do the aud/iss claim validation using the jwt option of the SecurityPolicy since the name of the cookie with the ID token gets a random suffix at the moment.

EDIT: Just needed to set oidc.cookieNames.idToken

michaelbeaumont avatar Aug 01 '25 21:08 michaelbeaumont

chatted with @zhaohuabing and this / https://openid.net/specs/openid-connect-core-1_0.html#IDTokenValidation needs to be implemented in upstream

is there an existing issue for this @zhaohuabing ?

arkodg avatar Sep 03 '25 01:09 arkodg

Raised one: https://github.com/envoyproxy/envoy/issues/40944

zhaohuabing avatar Sep 03 '25 02:09 zhaohuabing