Fix bug determining jwt validity due to incorrect computation of system timestamp and provide configuration option to allow for timely slack in token validity #10753
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -13,6 +13,8 @@ | |
| #include "jwt_verify_lib/jwt.h" | ||
| #include "jwt_verify_lib/verify.h" | ||
|
|
||
| #include "absl/time/clock.h" | ||
|
|
||
| using ::google::jwt_verify::CheckAudience; | ||
| using ::google::jwt_verify::Status; | ||
|
|
||
|
|
@@ -98,6 +100,10 @@ class AuthenticatorImpl : public Logger::Loggable<Logger::Id::jwt>, | |
| const bool is_allow_failed_; | ||
| const bool is_allow_missing_; | ||
| TimeSource& time_source_; | ||
|
|
||
| // allow 5 seconds of slack when determining token expery | ||
| const uint64_t jwt_exp_slack = 5; | ||
| uint64_t now; | ||
|
There was a problem hiding this comment. not need to add anything to class members. |
||
| }; | ||
|
|
||
| std::string AuthenticatorImpl::name() const { | ||
|
|
@@ -153,23 +159,23 @@ void AuthenticatorImpl::startVerify() { | |
| return; | ||
| } | ||
|
|
||
| // Check "exp" claim. | ||
| // We use the current system time and allow for up to 5 seconds of slack. | ||
| // Consider the following case: | ||
| // AWS ALB receives a request and determines that the existing access token is valid | ||
| // (for another 1 seconds), forwards the request to Istio Ingressgateway and subsequently | ||
| // to some pod with an envoy sidecar. Meanwhile, 0.1 seconds have passed and when envoy checks | ||
| // the token it finds that it has expired. | ||
| now = absl::ToUnixSeconds(absl::Now()); | ||
| // If the nbf claim does *not* appear in the JWT, then the nbf field is defaulted | ||
| // to 0. | ||
| if (jwt_->nbf_ > now) { | ||
| doneWithStatus(Status::JwtNotYetValid); | ||
| return; | ||
| } | ||
| // If the exp claim does *not* appear in the JWT then the exp field is defaulted | ||
| // to 0. | ||
| if (jwt_->exp_ > 0 && jwt_->exp_ < now - jwt_exp_slack) { | ||
| doneWithStatus(Status::JwtExpired); | ||
| return; | ||
| } | ||
|
|
@@ -237,7 +243,7 @@ void AuthenticatorImpl::onDestroy() { | |
|
|
||
| // Verify with a specific public key. | ||
| void AuthenticatorImpl::verifyKey() { | ||
| const Status status = ::google::jwt_verify::verifyJwt(*jwt_, *jwks_data_->getJwksObj(), now - jwt_exp_slack); | ||
|
There was a problem hiding this comment. We don't need to double check the exp an bnf here. My suggestion is:
There was a problem hiding this comment. Err. Are you sure? jwt_verify_lib isn't an Istio thing, is it? |
||
| if (status != Status::Ok) { | ||
| doneWithStatus(status); | ||
| return; | ||
|
|
||
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
It is better to config this slack time from filter config. If default is 0, it will not change existing behaviors.
We can add two fields:
exp_slack: // now <= exp + exp_slack
bnf_slack: // now >= bnf - bnf_slack
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
How do I use filter config?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
add new fields in Provider
you can get provider() as
jwks_data_->getJwtProvider()
as in line
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Working on it. Think I need a proper build environment. Is there some documentation to set it up?
Can't find it in https://github.com/envoyproxy/envoy/
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
You can check out this developer doc
The easiest way is to use docker
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Ah. Good. Will do the docker thingy.