JWT Claims array (multiple values) to Headers are being base64 encoded #3084

rooque opened this issue Apr 3, 2024 · 3 comments

rooque commented Apr 3, 2024

Description:

I'm trying to use a feature of Envoy Gateway, JWT Claims to Headers. But when I have a claim that is an array, like this:

"realm_access": {
    "roles": [
      "poc-roles",
      "offline_access",
      "default-roles-cilium-poc",
      "uma_authorization"
    ]
  }

It is transforming it to a base64 Header, like this:

"X-Token-Roles": "WyJtYW5hZ2UtYWNjb3VudCIsIm1hbmFnZS1hY2NvdW50LWxpbmtzIiwidmlldy1wcm9maWxlIl0=",

My config is this:

apiVersion: gateway.envoyproxy.io/v1alpha1
kind: SecurityPolicy
metadata:
  name: jwt-bin
  namespace: my-system
spec:
  targetRef:
    group: gateway.networking.k8s.io
    kind: HTTPRoute
    name: bin-route
    namespace: my-system
  jwt:
    providers:
    - name: keycloak
      remoteJWKS:
        uri: xxxxx
      claimToHeaders:
        - claim: resource_access.account.roles
          header: x-token-roles
        - claim: sub
          header: x-token-sub

Is this what is expected? How can I add other checks/redirects if it's in base64?

Repro steps:

Use a JWT that contains a claim as an array and put this claim in the claimToHeaders like I did.

Example JWT:

eyJ0eXAiOiJKV1QiLCJhbGciOiJFUzI1NiIsImtpZCI6IjRkNDhlNjU0MGNjMWU4NDhjOWVjOTVhYWY0ZDdlMGU1In0.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNzEyMTU0NzI0LCJyZWFsbV9hY2Nlc3MiOnsicm9sZXMiOlsicG9jLXJvbGVzIiwib2ZmbGluZV9hY2Nlc3MiLCJkZWZhdWx0LXJvbGVzLWNpbGl1bS1wb2MiLCJ1bWFfYXV0aG9yaXphdGlvbiJdfX0.lkZOPZiyiAqlX224cW1I4oQ7cAql77qOg656PonJNJ2uXOM5QSLuQxELwG74df3sgq7SfH8zanV2LIbTkqdK9w

Environment:
Using v1.0.0

@rooque rooque added the triage label Apr 3, 2024
Contributor

arkodg commented Apr 10, 2024

looks like it's working as expected envoyproxy/envoy#30377
we probably need to update our docs here

Contributor

zetaab commented Apr 26, 2024

@arkodg hmm, does it make it impossible to use groups as authorization if that is base64 encoded? Does Envoy then have a feature to decode base64 first to make these groups available in authorization? Perhaps it does it before encoding stuff


This issue has been automatically marked as stale because it has not had activity in the last 30 days.

@github-actions github-actions bot added the stale label May 27, 2024
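
Added example (not part of the issue thread and not Envoy Gateway code): one way a backend behind the gateway can decode the `x-token-roles` header quoted in the issue and check a role, failing closed on malformed input. It assumes the header carries the base64 of the claim's JSON array, as in the value shown above, and that the backend is reachable only through the gateway that sets the header; the function names and the length cap are hypothetical.

```python
import base64
import binascii
import json

# Header value copied from the issue description above.
SAMPLE_HEADER = (
    "WyJtYW5hZ2UtYWNjb3VudCIsIm1hbmFnZS1hY2NvdW50LWxpbmtzIiwidmlldy1wcm9maWxlIl0="
)

MAX_HEADER_LEN = 8192  # assumed cap; tune to your proxy's header size limit


def decode_roles_header(value):
    """Decode a base64-encoded JSON array claim into a frozenset of role names.

    Raises ValueError for anything that is not a base64-encoded JSON array
    of strings, so callers can deny access instead of guessing.
    """
    if not value or len(value) > MAX_HEADER_LEN:
        raise ValueError("missing or oversized roles header")
    # Assumption: accept both the standard and URL-safe alphabets, with or
    # without '=' padding, since the page does not say which one is emitted.
    normalized = value.strip().translate(str.maketrans("-_", "+/"))
    normalized += "=" * (-len(normalized) % 4)
    try:
        raw = base64.b64decode(normalized, validate=True)
        claim = json.loads(raw.decode("utf-8"))
    except (binascii.Error, UnicodeDecodeError, json.JSONDecodeError) as exc:
        raise ValueError("roles header is not base64-encoded JSON") from exc
    # Only a flat array of strings is treated as a roles list.
    if not isinstance(claim, list) or not all(isinstance(r, str) for r in claim):
        raise ValueError("roles claim is not an array of strings")
    return frozenset(claim)


def is_authorized(header_value, required_role):
    """Fail closed: any decoding problem means the request is not authorized."""
    try:
        return required_role in decode_roles_header(header_value)
    except ValueError:
        return False


if __name__ == "__main__":
    print(sorted(decode_roles_header(SAMPLE_HEADER)))
    print(is_authorized(SAMPLE_HEADER, "view-profile"))
```

Role names are compared as exact strings after decoding; a substring match on the encoded header value would not be a reliable check.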