JWT Claims array (multiple values) to Headers are being base64 encoded
Description:
I'm trying to use a feature of Envoy Gateway, JWT Claims to Headers. But when I have a claim that is an array, like this:
"realm_access": {
  "roles": [
    "poc-roles",
    "offline_access",
    "default-roles-cilium-poc",
    "uma_authorization"
  ]
}
It is transforming it to a base64 Header, like this:
"X-Token-Roles": "WyJtYW5hZ2UtYWNjb3VudCIsIm1hbmFnZS1hY2NvdW50LWxpbmtzIiwidmlldy1wcm9maWxlIl0=",
My config is this:
apiVersion: gateway.envoyproxy.io/v1alpha1
kind: SecurityPolicy
metadata:
  name: jwt-bin
  namespace: my-system
spec:
  targetRef:
    group: gateway.networking.k8s.io
    kind: HTTPRoute
    name: bin-route
    namespace: my-system
  jwt:
    providers:
    - name: keycloak
      remoteJWKS:
        uri: xxxxx
      claimToHeaders:
      - claim: resource_access.account.roles
        header: x-token-roles
      - claim: sub
        header: x-token-sub
Is this what is expected? How can I add other checks/redirects if it's in base64?
Repro steps:
Use a JWT that contains a claim as an array and put this claim in the claimToHeaders like I did.
Example JWT:
eyJ0eXAiOiJKV1QiLCJhbGciOiJFUzI1NiIsImtpZCI6IjRkNDhlNjU0MGNjMWU4NDhjOWVjOTVhYWY0ZDdlMGU1In0.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNzEyMTU0NzI0LCJyZWFsbV9hY2Nlc3MiOnsicm9sZXMiOlsicG9jLXJvbGVzIiwib2ZmbGluZV9hY2Nlc3MiLCJkZWZhdWx0LXJvbGVzLWNpbGl1bS1wb2MiLCJ1bWFfYXV0aG9yaXphdGlvbiJdfX0.lkZOPZiyiAqlX224cW1I4oQ7cAql77qOg656PonJNJ2uXOM5QSLuQxELwG74df3sgq7SfH8zanV2LIbTkqdK9w
Environment: Using v1.0.0
Looks like it's working as expected: https://github.com/envoyproxy/envoy/pull/30377. We probably need to update our docs here.
@arkodg hmm, does it make it impossible to use groups as authorization if that is base64 encoded? Does Envoy have the feature to decode base64 first to make these groups available in authorization? Perhaps it does it before encoding stuff.
This issue has been automatically marked as stale because it has not had activity in the last 30 days.
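For the question above about authorizing on a base64-encoded roles header, here is an added example (not part of the issue thread and not Envoy Gateway code): a service behind the gateway decodes the `x-token-roles` value shown in the report and denies access when the header is missing or malformed. The function names and the lower-cased header dict are assumptions made for illustration.

```python
import base64
import json

# Header value copied verbatim from the report above.
SAMPLE_HEADER = (
    "WyJtYW5hZ2UtYWNjb3VudCIsIm1hbmFnZS1hY2NvdW50LWxpbmtzIiwidmlldy1wcm9maWxlIl0="
)


def decode_roles_header(value):
    """Return the roles carried in the header as a frozenset of strings.

    Raises ValueError unless the value is strict base64 wrapping a JSON
    array of strings, so callers can fail closed.
    """
    try:
        # validate=True rejects characters outside the base64 alphabet
        # instead of silently skipping them.
        raw = base64.b64decode(value, validate=True)
        roles = json.loads(raw.decode("utf-8"))
    except ValueError as exc:  # covers binascii, UTF-8 and JSON errors
        raise ValueError("roles header is not base64-encoded JSON") from exc
    if not isinstance(roles, list) or not all(isinstance(r, str) for r in roles):
        raise ValueError("roles header is not a JSON array of strings")
    return frozenset(roles)


def is_authorized(headers, required_role, header_name="x-token-roles"):
    """Exact-match role check; a missing or malformed header means deny.

    `headers` is assumed to be a dict with lower-cased header names.
    """
    value = headers.get(header_name)
    if value is None:
        return False
    try:
        # Set membership, not substring search on the raw header string.
        return required_role in decode_roles_header(value)
    except ValueError:
        return False


if __name__ == "__main__":
    print(sorted(decode_roles_header(SAMPLE_HEADER)))
    print(is_authorized({"x-token-roles": SAMPLE_HEADER}, "view-profile"))
```
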