
Comments (8)

arkodg avatar arkodg commented on June 12, 2024 1

cc @zhaohuabing


zhaohuabing avatar zhaohuabing commented on June 12, 2024 1

@arkodg EnvoyPatchPolicy worked. It's just that the Authorization header has been sanitized by the OAuth2 filter when the OAuth2 filter is in the request path, and Envoy believes this is the right behavior :-)


  // Sanitize the Authorization header, since we have no way to validate its content. Also,
  // if token forwarding is enabled, this header will be set based on what is on the HMAC cookie
  // before forwarding the request upstream.
  headers.removeInline(authorization_handle.handle());

https://github.com/envoyproxy/envoy/blob/416cd425d50d3bc54c18ea134835a07ec21370d7/source/extensions/filters/http/oauth2/filter.cc#L292-L295


zhaohuabing avatar zhaohuabing commented on June 12, 2024

EG OIDC enables forward_bearer_token by default and overrides the authorization header if it exists. We can add an option to the API to opt it out. However, it's weird that the header is gone after setting forward_bearer_token to false with an EnvoyPatchPolicy.


arkodg avatar arkodg commented on June 12, 2024

@zhaohuabing any idea why the EnvoyPatchPolicy did not work?


arkodg avatar arkodg commented on June 12, 2024

Ah, nice find! So filter ordering may be useful here?


zhaohuabing avatar zhaohuabing commented on June 12, 2024

Filter ordering won't help here since the OAuth2 filter will remove this header no matter where it is in the chain.

@denniskniep I'm curious why you use both a JWT added by your "frontend application" and a SecurityPolicy with OIDC at the same time?

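To make the two claims in this thread concrete (the OAuth2 filter drops the incoming Authorization header unconditionally, and with forward_bearer_token it re-populates that header from the session cookie, so chain position never lets a frontend-supplied JWT through), here is a small constructed model. This is added illustration, not Envoy or Envoy Gateway code: the cookie name `BearerToken`, the stand-in `jwt_authn_filter`, and the sample token values are assumptions made for the example.

```python
from dataclasses import dataclass, field
from typing import Callable, List, Optional


@dataclass
class Request:
    """Minimal stand-in for an HTTP request as seen by a filter chain."""
    headers: dict = field(default_factory=dict)
    cookies: dict = field(default_factory=dict)


def oauth2_filter(req: Request, forward_bearer_token: bool = True) -> Request:
    """Model of the behaviour described in the thread (not Envoy's code):
    the Authorization header is always removed because the filter cannot
    validate it; if token forwarding is on, the header is then rebuilt from
    the access token in the (assumed already HMAC-validated) session cookie.
    """
    req.headers.pop("authorization", None)
    # Assumption: the session cookie carrying the access token is named BearerToken.
    if forward_bearer_token and "BearerToken" in req.cookies:
        req.headers["authorization"] = f"Bearer {req.cookies['BearerToken']}"
    return req


def jwt_authn_filter(req: Request) -> Request:
    """Hypothetical downstream consumer of Authorization: it only records
    what it observed so the effect of filter ordering is visible."""
    req.headers["x-seen-authorization"] = req.headers.get("authorization", "<absent>")
    return req


def run_chain(filters: List[Callable[[Request], Request]], req: Request) -> Request:
    """Apply filters in order, as a request path would."""
    for f in filters:
        req = f(req)
    return req


def make_request() -> Request:
    # Constructed sample: a frontend-added JWT plus the OIDC session cookie.
    return Request(
        headers={"authorization": "Bearer frontend.jwt.value"},
        cookies={"BearerToken": "idp-access-token"},
    )


def upstream_authorization(forward_bearer_token: bool, oauth2_first: bool) -> Optional[str]:
    """Return the Authorization value the upstream would receive for a given
    forward_bearer_token setting and a given position of the OAuth2 filter."""
    oauth2 = lambda r: oauth2_filter(r, forward_bearer_token)
    chain = [oauth2, jwt_authn_filter] if oauth2_first else [jwt_authn_filter, oauth2]
    return run_chain(chain, make_request()).headers.get("authorization")


def seen_by_other_filter(forward_bearer_token: bool, oauth2_first: bool) -> str:
    """What the stand-in filter saw in Authorization; shows that ordering only
    changes what intermediate filters see, not what reaches the upstream."""
    oauth2 = lambda r: oauth2_filter(r, forward_bearer_token)
    chain = [oauth2, jwt_authn_filter] if oauth2_first else [jwt_authn_filter, oauth2]
    return run_chain(chain, make_request()).headers["x-seen-authorization"]


if __name__ == "__main__":
    for fwd in (True, False):
        for first in (True, False):
            print(f"forward_bearer_token={fwd!s:5} oauth2_first={first!s:5} "
                  f"upstream sees: {upstream_authorization(fwd, first)}")
```

Across all four combinations the frontend JWT never reaches the upstream: with forwarding on the upstream gets the IdP access token from the cookie, with forwarding off it gets no Authorization header at all. Placing another filter before the OAuth2 filter only changes what that intermediate filter sees.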

denniskniep avatar denniskniep commented on June 12, 2024

Thanks a lot for looking into this.

There are at least two reasons why I want to do this:

  1. The upstream application is not exposed/touched by external requests without a legitimate authenticated user. That is especially interesting if there are unauthenticated RCE or other vulnerabilities for that application.
  2. The security of the upstream application's authentication layer does not fulfil the required level, i.e. no MFA is possible.

In my case it's really a JWT which is added to the request by the frontend application.
Therefore I want to mention a scenario which maybe makes more sense: the upstream application is using basic auth and one wants to increase security by adding authentication with an IdP. UX is not great due to double authentication (first OIDC, then Basic Auth), but technically the basic auth cannot be executed, because the header is removed.


zhaohuabing avatar zhaohuabing commented on June 12, 2024

@denniskniep thanks for detailing your use case! I agree that MFA (two or more layers of authentication) is a valid scenario here. Let's open an issue in Envoy upstream to see if a knob can be added to opt this out.
