Cannot access JWT provider failed_status_in_metadata in lua response

Open mcdafydd opened this issue 1 year ago • 4 comments

Description:

Using recent envoy build:

"version": "1ddf0f5d8fade9c4209a12b34f6959bc7a90e840/1.30.0-dev/Clean/RELEASE/BoringSSL",

When setting `failed_status_in_metadata: failed_status` in a jwt_authn filter provider and supplying an invalid JWT token in a request, no dynamic metadata is available in `envoy.filters.http.jwt_authn.failed_status` within the lua envoy_on_response() function.

Repro steps:

Configure the jwt_authn plugin and lua plugins as follows:

- name: envoy.filters.http.jwt_authn
  typed_config:
    "@type": type.googleapis.com/envoy.extensions.filters.http.jwt_authn.v3.JwtAuthentication
    providers:
      authspa:
        issuer: https://issuer
        remote_jwks:
          http_uri:
            uri: https://jwks_uri
            cluster: authspa_jwks_cluster
            timeout: 1s
          cache_duration:
            seconds: 300
        forward: true
        forward_payload_header: x-jwt
        payload_in_metadata: jwt_payload
        failed_status_in_metadata: failed_status
    rules:
    - match:
        prefix: /
      requires:
        provider_name: authspa
- name: envoy.filters.http.lua
  typed_config:
    "@type": type.googleapis.com/envoy.extensions.filters.http.lua.v3.Lua
    default_source_code:
      inline_string: |
        function envoy_on_response(response_handle)
          local meta = response_handle:streamInfo():dynamicMetadata()
          local jwtMeta = meta:get("envoy.filters.http.jwt_authn")
          if type(jwtMeta) == "nil"
          then
            response_handle:logWarn("envoy.filters.http.jwt_authn dynamic metadata is not available.")
            return
          end
          -- remaining handler body not included in the report
        end

Logs:

[2024-03-10 10:51:40.220][40][debug][jwt] [source/extensions/filters/http/jwt_authn/authenticator.cc:162] authspa: JWT authentication starts (allow_failed=false), tokens size=1
[2024-03-10 10:51:40.220][40][debug][jwt] [source/extensions/filters/http/jwt_authn/authenticator.cc:450] Code: 3 Message: Jwt is expired
[2024-03-10 10:51:40.220][40][debug][http] [source/common/http/filter_manager.cc:1017] [Tags: "ConnectionId":"0","StreamId":"7547608061384460992"] Preparing local reply with details jwt_authn_access_denied{Jwt_is_expired}
[2024-03-10 10:51:40.220][40][debug][http] [source/common/http/filter_manager.cc:1059] [Tags: "ConnectionId":"0","StreamId":"7547608061384460992"] Executing sending local reply.
[2024-03-11 10:34:43.196][37][debug][jwt] [source/extensions/filters/http/jwt_authn/filter.cc:97] Called Filter : decodeHeaders Stop
[2024-03-10 10:51:40.220][40][warning][lua] [source/extensions/filters/http/lua/lua_filter.cc:925] script log: envoy.filters.http.jwt_authn dynamic metadata is not available.

mcdafydd, Mar 11 '24 10:03
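A diagnostic variant of the handler from the report, added here as an example (not code from the report or from Envoy): it separates "the `envoy.filters.http.jwt_authn` namespace is absent" from "the namespace exists but `failed_status` / `jwt_payload` is missing", and records the response status so the local-reply case can be recognised in the logs. Key names are the ones configured in the issue's provider; the log-level methods and `headers():get` are the standard Envoy Lua filter API.

```lua
-- Added example: inspect jwt_authn dynamic metadata from the response path
-- and report exactly which piece is missing.
function envoy_on_response(response_handle)
  local status = response_handle:headers():get(":status") or "?"
  local meta = response_handle:streamInfo():dynamicMetadata()
  local jwt_meta = meta:get("envoy.filters.http.jwt_authn")

  if jwt_meta == nil then
    -- Whole namespace absent: the filter wrote nothing for this stream.
    response_handle:logWarn("jwt_authn namespace absent (status " .. status .. ")")
    return
  end

  -- Namespace present: check the two keys named in the provider config.
  for _, key in ipairs({ "jwt_payload", "failed_status" }) do
    local value = jwt_meta[key]
    if value == nil then
      response_handle:logInfo(key .. ": absent (status " .. status .. ")")
    elseif type(value) == "table" then
      -- Flatten one level so nested code/message style entries are readable.
      local parts = {}
      for k, v in pairs(value) do
        parts[#parts + 1] = tostring(k) .. "=" .. tostring(v)
      end
      table.sort(parts)
      response_handle:logInfo(key .. ": {" .. table.concat(parts, ", ") .. "}")
    else
      response_handle:logInfo(key .. ": " .. tostring(value))
    end
  end
end
```

With the repro config, a "namespace absent" line paired with the local-reply status confirms the report's symptom, while a "failed_status: absent" line would instead point at the key not being written.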

cc @lizan @taoxuy

nezdolik, Mar 11 '24 13:03

This issue has been automatically marked as stale because it has not had activity in the last 30 days. It will be closed in the next 7 days unless it is tagged "help wanted" or "no stalebot" or other activity occurs. Thank you for your contributions.

github-actions[bot], Apr 10 '24 16:04

Noticing similar behavior. Could this be looked into?

arulthileeban, Apr 11 '24 19:04

The use case we're looking at for this feature is a way to support multiple oauth2 providers using the per-route configuration idea mentioned in #29641. One oauth2 provider would be accessed via an IdP link to a specific route, while requests arriving at "/" could leverage the failed_status_in_metadata information in a lua filter to redirect users to the oauth2 path for the second IdP.

mcdafydd, May 10 '24 18:05