Description:
I would like to use envoy to achieve the following:
Authorization based on the payload of the JWT passed in the Authorization header of requests to the proxy (RFC7523)
I tried to compare the value of the JWT payload using the metadata principal of the RBAC filter to satisfy the above. (ref. #7913)
However, only when connecting to envoy with the CONNECT method, the dynamicMetadata does not contain the JWT payload, and the authorization by the RBAC filter fails.
Repro steps:
When I send a request with an Authorization header using the CONNECT method (i.e. the target server listens on HTTPS) to envoy running as an HTTP forward proxy, envoy rejects the request.
Note that when I send a request with an Authorization header using the GET method (i.e. the target server listens on HTTP) to envoy running as an HTTP forward proxy, envoy forwards the request as intended:
$ curl -x http://${PROXY_HOSTNAME}:10000/ --proxy-header "Authorization: Bearer $JWT" http://google.com
<HTML><HEAD><meta http-equiv="content-type" content="text/html;charset=utf-8">
<TITLE>301 Moved</TITLE></HEAD><BODY>
<H1>301 Moved</H1>
The document has moved
<A HREF="http://www.google.com/">here</A>.
</BODY></HTML>
Admin and Stats Output:
I omitted it because I didn't think it was necessary. Please let me know if you need it.
Title: rbac HTTP filter with metadata principal provided by jwt_authn HTTP filter is not working on HTTP CONNECT request

Config:
The following values are masked:
<AUDIENCE_NAME>
<SUBJECT_NAME>

Logs:
The following values are masked:
<JWT>
<AUDIENCE_NAME>
<ISSUER_URL>
<JWT_ID>
<SUBJECT_NAME>
In the case where the target server listens on HTTPS, requests from the client were rejected.
In the case where the target server listens on HTTP, requests from the client succeeded.

Self resolved.
I specified connect_matcher: {} as the matcher in the JWT HTTP filter, and then the JWT value was contained in dynamicMetadata when I requested with the CONNECT method. (ref. #13064)
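The page does not show the reporter's configuration, so the following is an added example (not the reporter's config and not Envoy project code) of the filter chain the issue describes together with the fix from the last comment: a jwt_authn requirement rule matched with connect_matcher: {} so that CONNECT requests are verified and their payload is written to dynamicMetadata, and an RBAC metadata principal that reads the sub claim from that metadata. The provider name, the policy name, the jwt_payload metadata key and the <...> placeholders are assumptions, and the inline JWKS is a placeholder to be replaced with the real key set.

```yaml
# Added example (not the reporter's config): jwt_authn + rbac HTTP filters for an
# Envoy HTTP forward proxy. Provider name, policy name, metadata key and the
# <...> values are assumptions; the inline JWKS is a placeholder.
http_filters:
- name: envoy.filters.http.jwt_authn
  typed_config:
    "@type": type.googleapis.com/envoy.extensions.filters.http.jwt_authn.v3.JwtAuthentication
    providers:
      proxy_provider:                      # assumed provider name
        issuer: <ISSUER_URL>
        audiences:
        - <AUDIENCE_NAME>
        from_headers:
        - name: Authorization
          value_prefix: "Bearer "
        local_jwks:
          inline_string: '{"keys": []}'    # placeholder: replace with the real JWKS
        # Verified claims are written to dynamic metadata under the filter name
        # envoy.filters.http.jwt_authn with this key, where the RBAC filter reads them.
        payload_in_metadata: jwt_payload
    rules:
    # A plain CONNECT request carries only an authority (host:port) and no path,
    # so path-based matchers (prefix, path, safe_regex) do not match it. With only
    # a path rule such as `prefix: "/"`, CONNECT requests match no rule, the JWT is
    # never verified, nothing lands in dynamicMetadata, and RBAC denies them.
    - match:
        connect_matcher: {}
      requires:
        provider_name: proxy_provider
    # Ordinary GET/POST proxy requests (target listens on HTTP) match by path.
    - match:
        prefix: "/"
      requires:
        provider_name: proxy_provider
- name: envoy.filters.http.rbac
  typed_config:
    "@type": type.googleapis.com/envoy.extensions.filters.http.rbac.v3.RBAC
    rules:
      action: ALLOW
      policies:
        allow-known-subject:               # assumed policy name
          permissions:
          - any: true
          principals:
          # Metadata principal: jwt_authn's dynamic metadata -> jwt_payload -> sub
          - metadata:
              filter: envoy.filters.http.jwt_authn
              path:
              - key: jwt_payload
              - key: sub
              value:
                string_match:
                  exact: <SUBJECT_NAME>
- name: envoy.filters.http.router
  typed_config:
    "@type": type.googleapis.com/envoy.extensions.filters.http.router.v3.Router
```

Two points worth checking when reproducing this: the RBAC filter must sit after jwt_authn in http_filters, otherwise the metadata it reads is not yet populated, and the route that actually forwards the tunnel needs its own connect_matcher route with the CONNECT upgrade configuration, which is outside the scope of this filter-chain example.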