gcp_authn: GCP ID token is appended to existing Authorization header
Description: When the gcp_authn plugin is configured for a route, it should set the appropriate Authorization header to allow connections to be made to the backend (e.g. Cloud Run). The expected format is a Bearer token. However, if an incoming request includes an existing Authorization token, the plugin appends to the existing value.
Repro steps: Send an HTTP request to the Envoy service that includes an Authorization header, to a route that has the gcp_authn plugin configured. The result is that both strings are sent (comma separated).
For example, if the original header is
Authorization: abc
then the request sent to the backend will look like
Authorization: abc,Bearer eyJhbGciOiJ...
The result, if calling a Cloud Run service, would look like
www-authenticate: Bearer error="invalid_token" error_description="Authorization header format was not recognized"
I believe this is because of https://github.com/envoyproxy/envoy/blob/370f60b81d936a106a09689d355d45fd0da7d6b5/source/extensions/filters/http/gcp_authn/gcp_authn_filter.cc#L18 which calls Http::RequestHeaderMap::addCopy, where it might instead want to call Http::RequestHeaderMap::setCopy to replace any existing value.
cc @tyxia @yanavlasov
/assign @tyxia
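The append-versus-replace behaviour reported above, as an added C++ example that is not part of the original thread and is not Envoy's code. `ModelHeaderMap`, `isSingleBearer` and `upstreamAuthorization` are hypothetical names, the Bearer check is an assumed simplification of the backend's validation, and the token is a constructed sample value.

```cpp
#include <iostream>
#include <string>
#include <utility>
#include <vector>

// Hypothetical model of a header map (not Envoy's class); keys assumed lowercased.
class ModelHeaderMap {
public:
  // Append semantics: existing entries for the key are kept.
  void addCopy(const std::string& key, const std::string& value) { entries_.emplace_back(key, value); }
  // Replace semantics: existing entries for the key are dropped first.
  void setCopy(const std::string& key, const std::string& value) {
    std::vector<std::pair<std::string, std::string>> kept;
    for (const auto& e : entries_) if (e.first != key) kept.push_back(e);
    kept.emplace_back(key, value);
    entries_.swap(kept);
  }
  // Value as the backend reads it: repeated entries joined with a comma.
  std::string combined(const std::string& key) const {
    std::string out;
    for (const auto& e : entries_)
      if (e.first == key) out += (out.empty() ? "" : ",") + e.second;
    return out;
  }
private:
  std::vector<std::pair<std::string, std::string>> entries_;
};

// Assumed, simplified backend check: the whole value must be "Bearer <token>".
bool isSingleBearer(const std::string& v) {
  const std::string prefix = "Bearer ";
  return v.size() > prefix.size() && v.compare(0, prefix.size(), prefix) == 0 &&
         v.find_first_of(", ", prefix.size()) == std::string::npos;
}

// Filter step: attach the ID token by appending (reported) or replacing (suggested).
std::string upstreamAuthorization(const std::string& client_value,
                                  const std::string& id_token, bool replace) {
  ModelHeaderMap headers;
  if (!client_value.empty()) headers.addCopy("authorization", client_value);
  if (replace) headers.setCopy("authorization", "Bearer " + id_token);
  else headers.addCopy("authorization", "Bearer " + id_token);
  return headers.combined("authorization");
}

int main() {  // constructed sample values
  std::cout << upstreamAuthorization("abc", "SAMPLE.ID.TOKEN", false) << "\n"
            << upstreamAuthorization("abc", "SAMPLE.ID.TOKEN", true) << "\n";
}
```

With replace semantics the client-supplied value never reaches the backend, so the upstream sees exactly one credential: the one the filter attached.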
@fiadliel Thanks for using this filter and for the detailed information about the issue and the root cause analysis! It makes sense to me. I have raised a PR (#22934) to fix it.
#22934 has been merged. @fiadliel, could you test it and close this issue if it works for you?
Thanks!
@tyxia Looks good, thanks!
Btw sorry that this isn't exactly the right forum in a way, but just comments / thoughts after using it:
- would be nice if it could be updated in future to be an upstream HTTP filter - might allow reuse with WASM/Lua calls, xDS APIs
- I can't imagine another value for the metadata URL (well, until GCE gets the ability to access multiple service accounts), so it might be nice to make the value optional
Thanks a lot for the work, it's been very useful!
Thanks for the feedback and your thoughts! I am glad this work has been useful.
Yeah, this filter is in an early stage and we are definitely open to any suggestions, and we will iterate on that as our development and products roll out. I think your second point is in scope of our future work. I will keep your ideas in mind and keep you posted if we have any new features or updates.
Thanks for using this filter and for the valuable feedback!