
Using jwt_authn filter in an environment behind a proxy. #12028

Closed
ScottGuymer opened this issue Jul 10, 2020 · 10 comments
Labels: area/jwt_authn, question, stale

Comments

@ScottGuymer (Author)

I started here but could not find any applicable solution.

I want to be able to use the jwt_authn filter in a situation where my Envoy instance needs to fetch JWKS values from a location that is outside the current network and only accessible via a proxy.

I can't seem to find any place within the filter itself to configure the use of any proxy. As I understand it, the requests originate from Envoy itself and use the upstream cluster configuration to access the JWKS endpoint, and I can't configure it in a route like I might do for any request originating outside of Envoy and being routed by Envoy.

I can't seem to make sense of any way to configure a proxy from within the cluster configuration itself.

I think I am stuck and can't really tell whether this is possible (and I'm just missing the configuration) or whether it's just not possible.

Snippets of config

Filter config

```yaml
- name: envoy.filters.http.jwt_authn
  typed_config:
    '@type': type.googleapis.com/envoy.extensions.filters.http.jwt_authn.v3.JwtAuthentication
    providers:
      oidc_provider:
        issuer: my.issuer
        audiences:
          - my-audience
        forward: 'true'
        remote_jwks:
          http_uri:
            uri: https://my.provider/jwks
            cluster: identity_provider   # JWKS is fetched through this cluster, not via the route config
            timeout: 5s
          cache_duration:
            seconds: 300
```

Cluster config

```yaml
- name: identity_provider
  connect_timeout: 2s
  type: STRICT_DNS
  load_assignment:
    cluster_name: identity_provider
    endpoints:
      - lb_endpoints:
          - endpoint:
              address:
                socket_address:
                  address: my.provider
                  port_value: 443
```
@qiwzhang (Contributor)

The jwt_authn filter uses Envoy's http_async_client to call remote_jwks. http_async_client does not use the route config inside http_connection_manager; it uses the cluster directly. I don't see a way to configure an http_proxy in a cluster, so there is no way jwt_authn can fetch remote JWKS via an HTTP proxy.

@ScottGuymer (Author)

Do you think it would be possible to configure the jwt filter to use a cluster that loops back to Envoy on another port that has a correct HTTP filter configuration to use an HTTP proxy?

jwt_authn

```yaml
- name: envoy.filters.http.jwt_authn
  typed_config:
    '@type': type.googleapis.com/envoy.extensions.filters.http.jwt_authn.v3.JwtAuthentication
    providers:
      oidc_provider:
        issuer: my.issuer
        audiences:
          - my-audience
        forward: 'true'
        remote_jwks:
          http_uri:
            uri: https://my.provider/jwks
            cluster: localhost_jwks   # points at the loopback listener below instead of the provider
            timeout: 5s
          cache_duration:
            seconds: 300
```

JWKS cluster

```yaml
clusters:
  - name: localhost_jwks
    connect_timeout: 1s
    type: LOGICAL_DNS          # enum values are case-sensitive
    dns_lookup_family: V4_ONLY
    lb_policy: ROUND_ROBIN
    load_assignment:
      cluster_name: localhost_jwks   # keep in sync with the cluster name
      endpoints:
        - lb_endpoints:
            - endpoint:
                address:
                  socket_address:
                    address: 127.0.0.1   # loop back to this Envoy's proxy listener
                    port_value: 8181
```

Router for proxy

```yaml
static_resources:
  listeners:
    - address:
        socket_address:
          address: 0.0.0.0
          port_value: 8181
      filter_chains:
        - filters:
          - some config for proxy
```
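As an added example (not code from this thread or from Envoy), a small Python linter run over constructed config dicts that mirror the YAML posted above: it checks that each remote_jwks cluster exists, that its load_assignment name matches, and that an https JWKS URI is backed by a cluster with a TLS transport socket. Envoy decides TLS from the cluster's transport_socket rather than from the URI scheme, so a loopback cluster like the one above fetches the JWKS in plaintext on that hop unless the cluster says otherwise; the type URLs follow Envoy's v3 API and the sample values are constructed.

```python
from urllib.parse import urlsplit
JWT_AUTHN_TYPE = ("type.googleapis.com/envoy.extensions.filters.http."
                  "jwt_authn.v3.JwtAuthentication")
TLS_TYPE = ("type.googleapis.com/envoy.extensions.transport_sockets."
            "tls.v3.UpstreamTlsContext")

def lint_remote_jwks(http_filters, clusters):
    """Return findings for every jwt_authn provider that uses remote_jwks."""
    by_name = {c["name"]: c for c in clusters}
    findings = []
    for f in http_filters:
        cfg = f.get("typed_config", {})
        if cfg.get("@type") != JWT_AUTHN_TYPE:
            continue
        for pname, prov in cfg.get("providers", {}).items():
            remote = prov.get("remote_jwks")
            if remote is None:
                continue  # local_jwks needs no cluster at all
            http_uri = remote.get("http_uri", {})
            uri, cname = http_uri.get("uri", ""), http_uri.get("cluster")
            cluster = by_name.get(cname)
            if cluster is None:
                findings.append(f"{pname}: cluster '{cname}' is not defined")
                continue
            la_name = cluster.get("load_assignment", {}).get("cluster_name")
            if la_name is not None and la_name != cname:
                findings.append(f"{pname}: cluster '{cname}' has "
                                f"load_assignment.cluster_name '{la_name}'")
            # TLS comes from the cluster's transport_socket, not from the URI scheme
            sock = cluster.get("transport_socket", {}).get("typed_config", {})
            if urlsplit(uri).scheme == "https" and sock.get("@type") != TLS_TYPE:
                findings.append(f"{pname}: '{uri}' is https but cluster "
                                f"'{cname}' has no TLS transport_socket")
    return findings

# Constructed sample mirroring the loopback idea above (not a real deployment).
SAMPLE_FILTERS = [{"name": "envoy.filters.http.jwt_authn", "typed_config": {
    "@type": JWT_AUTHN_TYPE, "providers": {"oidc_provider": {
        "issuer": "my.issuer", "audiences": ["my-audience"],
        "remote_jwks": {"http_uri": {"uri": "https://my.provider/jwks",
                                     "cluster": "localhost_jwks", "timeout": "5s"},
                        "cache_duration": {"seconds": 300}}}}}}]
SAMPLE_CLUSTERS = [{"name": "localhost_jwks", "type": "LOGICAL_DNS",
    "load_assignment": {"cluster_name": "gateway", "endpoints": [{"lb_endpoints": [
        {"endpoint": {"address": {"socket_address": {"address": "127.0.0.1",
                                                     "port_value": 8181}}}}]}]}}]
if __name__ == "__main__":
    for line in lint_remote_jwks(SAMPLE_FILTERS, SAMPLE_CLUSTERS):
        print(line)
```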

@ScottGuymer (Author)

I can see there is some mention of CONNECT in upstream_config in the cluster config, but I have no idea how to configure it:
https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/cluster/v3/cluster.proto.html

@qiwzhang (Contributor)

qiwzhang commented Jul 13, 2020 via email

@junr03 added the area/jwt_authn and question labels on Jul 13, 2020

@ScottGuymer (Author)

Can you point me towards how I might configure a listener to use an HTTP proxy?

I have something like this, but can't figure out where I would put the proxy server IP and port.

```yaml
- address:
    socket_address:
      address: 0.0.0.0
      port_value: 8888
  filter_chains:
    - filters:
        - name: envoy.http_connection_manager
          typed_config:
            '@type': type.googleapis.com/envoy.config.filter.network.http_connection_manager.v2.HttpConnectionManager
            codec_type: auto
            stat_prefix: ingress_http
            route_config:
              name: proxy_jwks
              virtual_hosts:
                - name: proxy
                  domains:
                    - '*'
                  routes:
                    - match:
                        prefix: /
                      route:
                        cluster: identity_provider   # still goes straight to the provider; no proxy address anywhere
            http_filters:
              - name: envoy.router
                typed_config: {}
            upgrade_configs:
              - upgrade_type: CONNECT
                connect_config:
                  {}
```

@qiwzhang (Contributor)

qiwzhang commented Jul 14, 2020 via email

@stale (stale bot) commented Aug 24, 2020

This issue has been automatically marked as stale because it has not had activity in the last 30 days. It will be closed in the next 7 days unless it is tagged "help wanted" or other activity occurs. Thank you for your contributions.

stale bot added the stale label on Aug 24, 2020

@stale (stale bot) commented Aug 31, 2020

This issue has been automatically closed because it has not had activity in the last 37 days. If this issue is still valid, please ping a maintainer and ask them to label it as "help wanted". Thank you for your contributions.

stale bot closed this as completed Aug 31, 2020

@zhiyong-gayang (Contributor)

Hi @ScottGuymer, did you figure out how to configure the HTTP proxy? I'm looking for a solution to the same issue.

@ScottGuymer (Author)

I'm afraid not. I can't actually recall what we did in the end.
