Security policy from different route interferes authentication #2507
HTTP Routes
Security Policies
I can confirm it happened on our installations as well, while applying an OIDC security policy to an isolated HTTPRoute (hostname + path prefix):

```yaml
hostnames:
- xxxxx.aaaa.com
parentRefs:
- group: gateway.networking.k8s.io
  kind: Gateway
  name: eg
  namespace: envoy-gateway-system
rules:
- backendRefs:
  - kind: Service
    name: auth-generator-api
    port: 8085
  matches:
  - path:
      type: PathPrefix
      value: /
```

The OIDC redirection triggered on some other HTTPRoutes. For example, a route supposed to match /v1/users triggered the OIDC redirect with the URL /v1/users/ (trailing slash) rather than the usual 404. When removing the security policy on xxxxx.aaaa.com, the expected 404 on zzzzzz.aaaa.com reappeared. Maybe it should be another ticket, since the title is matching but not the description: the security policy with the OIDC has been applied to another route that had nothing to do with it and is not protected by OIDC at all.
Assigning this to @zhaohuabing since he's been debugging this and has a solution; most likely the API will need to be revisited to include a user-defined HMAC secret (similar to #2567).
@sadovnikov I believe you can't use identical OIDC settings for two different HTTPRoutes, because the callback URL on the IDP side can only point to one HTTPRoute, and you want to make sure the callback URL is caught by the targeted HTTPRoute. Instead, you should have something like the below:
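The manifest the comment above refers to is not reproduced on this page. As an added illustration of the point it makes (this is not the maintainer's or the project's code), the following lint walks a set of HTTPRoute and SecurityPolicy manifests and reports every OIDC callback URL that the targeted HTTPRoute would not actually serve, plus any callback URL shared by two policies. The manifests are plain dicts shaped like the v1alpha1 resources; the field names used (`spec.targetRef`, `spec.oidc.redirectURL`, `spec.hostnames`, `rules[].matches[].path`) are an assumption about that API, and the hostnames and policy names are made up.

```python
"""Lint HTTPRoute/SecurityPolicy pairs so each OIDC callback lands on its own route.

Added example, not Envoy Gateway code. Manifests are plain dicts shaped like the
v1alpha1 resources; the field names used here (spec.targetRef, spec.oidc.redirectURL,
spec.hostnames, rules[].matches[].path) are an assumption about that API.
"""
import copy
from urllib.parse import urlparse

# Constructed sample: two routes on different hosts and two OIDC policies that
# (wrongly) share one callback URL, mirroring the situation in the report.
SAMPLE_MANIFESTS = [
    {"kind": "HTTPRoute", "metadata": {"name": "route-a"},
     "spec": {"hostnames": ["app-a.example.com"],
              "rules": [{"matches": [{"path": {"type": "PathPrefix", "value": "/"}}]}]}},
    {"kind": "HTTPRoute", "metadata": {"name": "route-b"},
     "spec": {"hostnames": ["app-b.example.com"],
              "rules": [{"matches": [{"path": {"type": "PathPrefix", "value": "/app/"}}]}]}},
    {"kind": "SecurityPolicy", "metadata": {"name": "policy-a"},
     "spec": {"targetRef": {"kind": "HTTPRoute", "name": "route-a"},
              "oidc": {"redirectURL": "https://app-a.example.com/oauth2/callback"}}},
    {"kind": "SecurityPolicy", "metadata": {"name": "policy-b"},
     "spec": {"targetRef": {"kind": "HTTPRoute", "name": "route-b"},
              "oidc": {"redirectURL": "https://app-a.example.com/oauth2/callback"}}},
]


def _route_index(manifests):
    """Map HTTPRoute name -> (hostnames, PathPrefix values); no prefix means '/'."""
    routes = {}
    for m in manifests:
        if m.get("kind") != "HTTPRoute":
            continue
        spec = m["spec"]
        prefixes = [match.get("path", {}).get("value", "/")
                    for rule in spec.get("rules", [])
                    for match in rule.get("matches", [])
                    if match.get("path", {}).get("type", "PathPrefix") == "PathPrefix"]
        routes[m["metadata"]["name"]] = (spec.get("hostnames", []), prefixes or ["/"])
    return routes


def _host_matches(hostnames, host):
    """Exact match, or suffix match for '*.' wildcards (simplified wildcard semantics)."""
    for h in hostnames:
        if h.startswith("*."):
            if host.lower().endswith(h[1:].lower()):
                return True
        elif h.lower() == host.lower():
            return True
    return False


def lint_oidc_policies(manifests):
    """Return a list of findings. Empty means every callback URL is served by the
    HTTPRoute its policy targets and no two policies share one callback URL."""
    routes = _route_index(manifests)
    findings = []
    owner_of_redirect = {}
    for m in manifests:
        if m.get("kind") != "SecurityPolicy" or "oidc" not in m.get("spec", {}):
            continue
        name = m["metadata"]["name"]
        target = m["spec"].get("targetRef", {})
        if target.get("kind") != "HTTPRoute" or target.get("name") not in routes:
            findings.append(f"{name}: targetRef does not resolve to a known HTTPRoute")
            continue
        redirect = m["spec"]["oidc"].get("redirectURL")
        if not redirect:
            findings.append(f"{name}: no redirectURL set, callback coverage not checked")
            continue
        hostnames, prefixes = routes[target["name"]]
        url = urlparse(redirect)
        if not _host_matches(hostnames, url.hostname or ""):
            findings.append(f"{name}: redirectURL host {url.hostname!r} is not among "
                            f"{target['name']} hostnames {hostnames}")
        if not any((url.path or "/").startswith(p) for p in prefixes):
            findings.append(f"{name}: redirectURL path {url.path!r} is outside "
                            f"{target['name']} path prefixes {prefixes}")
        if redirect in owner_of_redirect:
            findings.append(f"{name}: shares redirectURL {redirect} with "
                            f"{owner_of_redirect[redirect]}; the IDP can only send the "
                            f"callback to one HTTPRoute")
        else:
            owner_of_redirect[redirect] = name
    return findings


def with_redirect(manifests, policy_name, redirect_url):
    """Deep copy of manifests with one policy's redirectURL replaced (what-if checks)."""
    out = copy.deepcopy(manifests)
    for m in out:
        if m.get("kind") == "SecurityPolicy" and m["metadata"]["name"] == policy_name:
            m["spec"]["oidc"]["redirectURL"] = redirect_url
    return out


if __name__ == "__main__":
    for line in lint_oidc_policies(SAMPLE_MANIFESTS):
        print(line)
```

Run against the sample, `policy-a` is clean and `policy-b` produces three findings (wrong host, path outside the route's prefix, shared callback URL); pointing `policy-b` at `https://app-b.example.com/app/oauth2/callback` via `with_redirect` clears all of them. Feeding real manifests in would need a YAML loader in front of `lint_oidc_policies`, which is deliberately left out to keep the example dependency-free.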
I reproduced this in my test env. Somehow a request that misses all the routes still hits the filters in the HCM filter chain even though these filters are disabled in the
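To make the mechanism in the comment above visible from a config dump, here is an added example (not Envoy Gateway code, and not the maintainer's reproduction): it walks an Envoy configuration, lists the oauth2 HTTP filters installed at the HCM level, checks each route's `typed_per_filter_config` for a `FilterConfig{disabled: true}` override, and reports which oauth2 filters a request that matches no route would still traverse, since a per-route disable can only apply once a route has matched. `SAMPLE_CONFIG` is a constructed, simplified stand-in for the `envoy-proxy-min-*.json` dumps attached to the issue; the listener and filter names in it are made up, while the `@type` URLs are the real Envoy v3 type names.

```python
"""Show which oauth2 filters still run for a request that matches no route.

Added example, not Envoy Gateway code. SAMPLE_CONFIG is a constructed, simplified
stand-in for the envoy-proxy-min-*.json dumps attached to the issue: a static
listener, one HCM, one oauth2 filter, and a FilterConfig{disabled: true} override on
the route that is not meant to be protected. Listener and filter names are made up.
"""
OAUTH2_TYPE = "type.googleapis.com/envoy.extensions.filters.http.oauth2.v3.OAuth2"
HCM_TYPE = ("type.googleapis.com/envoy.extensions.filters.network."
            "http_connection_manager.v3.HttpConnectionManager")
ROUTER_TYPE = "type.googleapis.com/envoy.extensions.filters.http.router.v3.Router"
FILTER_CONFIG_TYPE = "type.googleapis.com/envoy.config.route.v3.FilterConfig"
OAUTH2_FILTER = "envoy.filters.http.oauth2/policy-a"  # constructed filter name

SAMPLE_CONFIG = {"static_resources": {"listeners": [{
    "name": "https-443",
    "filter_chains": [{"filters": [{
        "name": "envoy.filters.network.http_connection_manager",
        "typed_config": {
            "@type": HCM_TYPE,
            "http_filters": [
                {"name": OAUTH2_FILTER, "typed_config": {"@type": OAUTH2_TYPE}},
                {"name": "envoy.filters.http.router", "typed_config": {"@type": ROUTER_TYPE}},
            ],
            "route_config": {"virtual_hosts": [
                # Protected host: the oauth2 filter is meant to run here.
                {"name": "app-a", "domains": ["app-a.example.com"],
                 "routes": [{"match": {"prefix": "/"}, "route": {"cluster": "app-a"}}]},
                # Unprotected host: the filter is disabled per route, but only on
                # this route; a request for an unknown path matches nothing.
                {"name": "app-b", "domains": ["app-b.example.com"],
                 "routes": [{"match": {"prefix": "/v1/users"}, "route": {"cluster": "app-b"},
                             "typed_per_filter_config": {
                                 OAUTH2_FILTER: {"@type": FILTER_CONFIG_TYPE, "disabled": True}}}]},
            ]},
        }}]}]}]}}


def _hcms(config):
    """Yield (listener name, HCM typed_config) for every HCM in the static listeners."""
    for listener in config.get("static_resources", {}).get("listeners", []):
        for chain in listener.get("filter_chains", []):
            for net_filter in chain.get("filters", []):
                tc = net_filter.get("typed_config", {})
                if tc.get("@type") == HCM_TYPE:
                    yield listener.get("name", "?"), tc


def _disabled_on_route(route, filter_name):
    """True if the route carries a FilterConfig{disabled: true} override for filter_name."""
    override = route.get("typed_per_filter_config", {}).get(filter_name, {})
    return override.get("@type") == FILTER_CONFIG_TYPE and override.get("disabled") is True


def audit_oauth2(config):
    """Report listener-level oauth2 filters, their per-route state, and the filters a
    request that matches no route still passes through before the router sends 404."""
    report = {"listener_level": [], "routes": [], "runs_for_unmatched": []}
    for listener, hcm in _hcms(config):
        active = [f["name"] for f in hcm.get("http_filters", [])
                  if f.get("typed_config", {}).get("@type") == OAUTH2_TYPE
                  and not f.get("disabled", False)]  # HCM-level HttpFilter.disabled
        for fname in active:
            report["listener_level"].append((listener, fname))
            # No matching route means no typed_per_filter_config lookup, so the
            # listener-level filter runs regardless of any per-route disable.
            report["runs_for_unmatched"].append(fname)
        for vh in hcm.get("route_config", {}).get("virtual_hosts", []):
            for route in vh.get("routes", []):
                match = route.get("match", {})
                where = match.get("prefix", match.get("path", "?"))
                for fname in active:
                    state = "disabled" if _disabled_on_route(route, fname) else "enabled"
                    report["routes"].append((listener, vh.get("name", "?"), where, fname, state))
    return report


if __name__ == "__main__":
    result = audit_oauth2(SAMPLE_CONFIG)
    for entry in result["routes"]:
        print("route  ", entry)
    print("unmatched requests still traverse:", result["runs_for_unmatched"])
```

On the sample, `/v1/users` on `app-b` shows the filter as disabled, yet `runs_for_unmatched` still lists the oauth2 filter: a request for `/v1/users/` (or any other unrouted path) on that host hits the filter and gets the OIDC redirect instead of the router's 404, which is the behaviour the two reports above describe. A real config dump uses RDS rather than an inline `route_config`, so the route walk would need to read the routes dump instead; the listener-level check is unchanged.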
This has been fixed in EG with #2586. Reopening it to track the upstream issue (which I haven't created yet).
Fixed with #2663.
Description:
Reusing the same Gateway, we created two pairs of HTTPRoute with matching SecurityPolicy, which use identical IDP settings for OIDC. The HTTP Routes are on different hosts. Both hosts are CNAMEs to the same A-record, with the IP address of the Gateway service.

Opening https://reference-apps.platform-staging.gcp.internal.xxx.org/cbdp-k8s-sample-pr-195 in an incognito tab goes through the login process and the application page gets opened.

However, opening https://reference-apps-twin.platform-staging.gcp.internal.xxx.org/cbdp-k8s-sample-eg/ in a new incognito tab gives "too many redirects" after the login page. This link starts working when the cbdp-k8s-sample-web-pr-195 Security Policy, which belongs to a different HTTP Route, is deleted.

Repro steps:
envoy-proxy-min-err.json is the Envoy configuration with both Security Policies present.
envoy-proxy-min-ok.json is the Envoy configuration without the cbdp-k8s-sample-web-pr-195 Security Policy.

Environment:
Envoy Gateway is deployed using the v0.0.0-latest Helm chart.

Container Logs:
envoy-log.txt is the envoy proxy log from "too many redirects".