OIDC filter randomly failing in v1.2 due to missing information in token request #4718
Comments
@jaynis Could you please share your SecurityPolicy (sensitive info can be extracted)? Do you use OIDC with JWT?
@zhaohuabing I use the following configuration, which I don't consider special and which has been working fine in previous Envoy Gateway versions. Also, as I have mentioned before, this configuration initially works even with version 1.2.1 and then stops working after some point. Haven't figured out yet when exactly, but adding further

```yaml
apiVersion: gateway.envoyproxy.io/v1alpha1
kind: SecurityPolicy
metadata:
  name: dashboard-security-policy
  namespace: tools
spec:
  oidc:
    clientID: xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
    clientSecret:
      kind: Secret
      name: dashboard-security-policy-oidc-secret
    provider:
      issuer: https://sts.windows.net/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
    redirectURL: https://dashboard.example.com/oidc/callback
  targetRefs:
  - group: gateway.networking.k8s.io
    kind: HTTPRoute
    name: dashboard-route
---
apiVersion: v1
data:
  client-secret: cmVkYWN0ZWQK
kind: Secret
metadata:
  name: dashboard-security-policy-oidc-secret
  namespace: tools
type: Opaque
---
apiVersion: gateway.networking.k8s.io/v1
kind: HTTPRoute
metadata:
  name: dashboard-route
  namespace: tools
spec:
  hostnames:
  - dashboard.example.com
  parentRefs:
  - group: gateway.networking.k8s.io
    kind: Gateway
    name: envoy-gateway-https
    namespace: default
  rules:
  - backendRefs:
    - group: ""
      kind: Service
      name: dashboard-service
      port: 8080
      weight: 1
    matches:
    - path:
        type: PathPrefix
        value: /
```
@jaynis Thanks for providing the SecurityPolicy. Also if you can use
We are facing the same issue in multiple clusters. With egctl I can see the following
then in the envoyproxy logs
Rolling back Envoy Gateway makes everything work.
@jaynis could you check whether you see similar behaviour in your installation?
@plnordquist as you did that other ticket, can you check your setup as well? Do you see the same in the envoyproxy logs and with egctl?
@zetaab This looks different from the one reported by @jaynis and is caused by a failure to initialize the xDS secret. Are there any errors/warnings in the EG logs when this happened? This could be caused by the same reason as #4706.
@zhaohuabing I went through the commit list in release/v1.2 and tracked down the breaking commit, which is #4227. Before that everything works fine, and with that PR's commit I start to see errors in the logs and OIDC will not work. I could not find any commit after that which works.
Hi @zetaab. I can see the same things with @zhaohuabing. I have a config dump created with
but yes, with 1.2.1 I can see
with last working commit 5375cf0
breaking commit a351c4b (PR #4227)
@jaynis I use Cognito and get back that my `client_id` is not working. However, with debug logging I can see that `client_id` is there and `client_secret` is empty.
@zetaab Thanks for digging into this. #4707
Thanks for testing. This is a known issue and should be fixed by #4707.
I can confirm that #4707 will fix this issue, at least for me.
@jaynis Sharing the output of the
The missing client ID is the same issue I faced as well, @zhaohuabing.
Yeah, somehow Entra asked for a client id in the request body. I'm still trying to figure it out.
@zhaohuabing I have attached the
Seemingly #4707 fixes the issue for me as well. But as already described initially, there is some randomness involved and therefore it is hard to say this for certain. Is there any ETA for merging #4707, or for v1.2.2?
We'll try to release v1.2.2 by the end of this week.
@jaynis @zetaab @missBerg Could you please confirm if the latest EG image resolves your issue? The state encoding issue has been fixed by envoyproxy/envoy#37473.
@zhaohuabing Yeah, we are using 1.2.3 without issues. However, there is/was another issue which prevented us from running multiple controllers. It's maybe fixed already; I cannot find it now.
I can confirm that OIDC filters are working again with v1.2.3. |
Hi. With Envoy Gateway version 1.1.2 (Envoy version 1.31.2) all my OIDC filters were working fine. I haven't touched any of my SecurityPolicies and updated to 1.2.1 (Envoy version 1.32.1), and now I get an `OAuth flow failed` error in the browser with `oauth.missing_credentials` in the Envoy logs. When I enable debug logging I additionally see my IDP (Microsoft Entra ID, fka AAD) complaining about a missing `client_id` in the POST body during the OIDC token request: `AADSTS900144: The request body must contain the following parameter: 'client_id'`.

I further troubleshot this by doing a fresh Envoy Gateway installation in version 1.2.1 on a separate cluster and gradually applying configuration to it. While doing this I noticed that apparently OIDC is working fine in the beginning and then fails at some point. Furthermore, this seems to happen quite randomly: sometimes a certain OIDC filter is working, then after some time of usage or after applying some unrelated Envoy resources to the cluster it stops working, and after some time it might even recover and be working again. Generally I have the feeling that the more different OIDC filters are in place on a cluster, the more likely it is to cause this issue.

This issue might be related to #4625, which describes similar behavior with a different IDP but suspects the `nonce` as the cause. #4706, which is about a general instability of OIDC (in conjunction with JWT authorization), could be related as well.