
jwt verification skipped #6760

Open
jayrlowe opened this issue Nov 11, 2024 · 3 comments
Labels
kind/feature Categorizes issue or PR as related to a new feature. kind/question Categorizes an issue as a user question. lifecycle/needs-triage Indicates that an issue needs to be triaged by a project contributor. lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale.

Comments

@jayrlowe

jayrlowe commented Nov 11, 2024

I have an AWS NLB with SSL offloading which sends that traffic to port 8080. The request flows through fine, but the JWT verification is not working. I would expect a 401, but get a 200 returned from the backend service.

I deployed contour onto EKS with the helm chart - v19.3.1

I would expect it to ask for a token with this request:

kubectl exec -it -n default curl-test -- curl -v \
  https://<redacted>/

This is my HTTPProxy.

apiVersion: projectcontour.io/v1
kind: HTTPProxy
metadata:
  name: test-jwt-proxy
  namespace: default
spec:
  virtualhost:
    fqdn: <redacted>
    tls:
      secretName: test-jwt-tls-secret
    jwtProviders:
      - name: cognito
        default: true
        issuer: https://cognito-idp.<redacted>.amazonaws.com/<redacted>
        remoteJWKS:
          uri: https://cognito-idp.<redacted>.amazonaws.com/<redacted>/.well-known/jwks.json
        forwardJWT: true
  routes:
    - conditions:
      - prefix: /
      jwtVerificationPolicy:
        require: cognito
        disabled: false
      services:
        - name: test-jwt
          port: 80
      permitInsecure: true
@jayrlowe jayrlowe added kind/question Categorizes an issue as a user question. lifecycle/needs-triage Indicates that an issue needs to be triaged by a project contributor. labels Nov 11, 2024

Hey @jayrlowe! Thanks for opening your first issue. We appreciate your contribution and welcome you to our community! We are glad to have you here and to have your input on Contour. You can also join us on our mailing list and in our channel in the Kubernetes Slack Workspace

@jayrlowe

After reviewing the code, it looks like JWT verification won't work unless envoy terminates the TLS connection. I verified this was the case by setting up my NLB as a passthrough. So I guess this is more of a feature request now. Given that terminating TLS at a load balancer is a very common pattern, it would be nice to be able to use JWT verification without forcing TLS in the HTTPProxy.
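
The combination described in this thread (a route that requires JWT verification, but traffic reaching Envoy over plain HTTP because TLS was offloaded upstream and `permitInsecure: true` is set) is easy to audit for across a cluster. The script below is an added example and is not code from the issue or from the Contour project. It assumes the JSON shape that `kubectl get httpproxy -A -o json` prints (a `List` of `HTTPProxy` objects, or a single object) and flags each route that requires a JWT provider while the proxy either lacks a `virtualhost.tls` block or sets `permitInsecure: true`. The two manifests embedded in it are constructed: the first mirrors the HTTPProxy posted above with the redacted values replaced by placeholders, the second is the same proxy with `permitInsecure` removed, which is the shape that works once the load balancer passes TLS through so Envoy terminates it.

```python
"""Audit Contour HTTPProxy objects for JWT verification that plain-HTTP traffic can bypass.

Added example for this issue, not Contour project code. Reads the JSON that
`kubectl get httpproxy -A -o json` prints from stdin, or audits the two
constructed manifests below when run interactively.
"""
import copy
import json
import sys
from typing import Dict, List


def route_requires_jwt(route: Dict, providers: List[Dict]) -> bool:
    """True if the route ends up with a JWT requirement: an explicit `require`,
    or a provider marked `default: true` while the route does not set `disabled`."""
    policy = route.get("jwtVerificationPolicy") or {}
    if policy.get("disabled"):
        return False
    if policy.get("require"):
        return True
    return any(p.get("default") for p in providers)


def audit_httpproxy(obj: Dict) -> List[str]:
    """Return human-readable findings for one HTTPProxy object (empty list if clean)."""
    meta = obj.get("metadata", {})
    ident = f'{meta.get("namespace", "?")}/{meta.get("name", "?")}'
    spec = obj.get("spec", {})
    vhost = spec.get("virtualhost") or {}
    providers = vhost.get("jwtProviders") or []
    has_tls = bool(vhost.get("tls"))
    findings = []
    for route in spec.get("routes") or []:
        if not route_requires_jwt(route, providers):
            continue
        prefixes = [c.get("prefix", "/") for c in route.get("conditions") or [{}]]
        where = f"{ident} route {prefixes}"
        if not has_tls:
            # Per this issue, verification is only applied when Envoy terminates TLS.
            findings.append(f"{where}: JWT required but virtualhost has no tls block, "
                            "so Envoy never terminates TLS and verification is not applied")
        if route.get("permitInsecure"):
            findings.append(f"{where}: JWT required but permitInsecure: true lets "
                            "plain-HTTP requests (e.g. after upstream TLS offload) bypass it")
    return findings


def audit_document(doc: Dict) -> List[str]:
    """Audit a single HTTPProxy or a kubectl `List` of them."""
    items = doc.get("items") or [] if doc.get("kind") == "List" else [doc]
    return [f for item in items if item.get("kind") == "HTTPProxy" for f in audit_httpproxy(item)]


# Constructed manifest mirroring the one posted in this issue; redacted values are placeholders.
VULNERABLE = {
    "apiVersion": "projectcontour.io/v1", "kind": "HTTPProxy",
    "metadata": {"name": "test-jwt-proxy", "namespace": "default"},
    "spec": {
        "virtualhost": {
            "fqdn": "app.example.invalid",
            "tls": {"secretName": "test-jwt-tls-secret"},
            "jwtProviders": [{"name": "cognito", "default": True,
                              "issuer": "https://ISSUER-PLACEHOLDER",
                              "remoteJWKS": {"uri": "https://ISSUER-PLACEHOLDER/.well-known/jwks.json"},
                              "forwardJWT": True}],
        },
        "routes": [{"conditions": [{"prefix": "/"}],
                    "jwtVerificationPolicy": {"require": "cognito", "disabled": False},
                    "services": [{"name": "test-jwt", "port": 80}],
                    "permitInsecure": True}],
    },
}

# Constructed: same proxy without permitInsecure (NLB in TCP passthrough, Envoy terminates TLS).
HARDENED = copy.deepcopy(VULNERABLE)
del HARDENED["spec"]["routes"][0]["permitInsecure"]

# Constructed: no TLS on the virtualhost at all, so Envoy cannot terminate TLS for it.
NO_TLS = copy.deepcopy(HARDENED)
del NO_TLS["spec"]["virtualhost"]["tls"]

if __name__ == "__main__":
    doc = json.load(sys.stdin) if not sys.stdin.isatty() else {"kind": "List", "items": [VULNERABLE, HARDENED]}
    problems = audit_document(doc)
    for line in problems:
        print("WARN", line)
    sys.exit(1 if problems else 0)
```

Run it as `kubectl get httpproxy -A -o json | python3 audit_jwt.py`; a non-zero exit means at least one route relies on JWT verification that plain-HTTP traffic can skip. The check is deliberately conservative about `default: true` providers: a route with no `jwtVerificationPolicy` still counts as requiring JWT when a default provider exists, which matches how the issue's manifest is written.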

@izturn izturn added the kind/feature Categorizes issue or PR as related to a new feature. label Nov 13, 2024

The Contour project currently lacks enough contributors to adequately respond to all Issues.

This bot triages Issues according to the following rules:

  • After 60d of inactivity, lifecycle/stale is applied
  • After 30d of inactivity since lifecycle/stale was applied, the Issue is closed

You can:

  • Mark this Issue as fresh by commenting
  • Close this Issue
  • Offer to help out with triage

Please send feedback to the #contour channel in the Kubernetes Slack

@github-actions github-actions bot added the lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. label Jan 13, 2025