Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

jwt verification skipped #6760

Open
jayrlowe opened this issue Nov 11, 2024 · 2 comments
Open

jwt verification skipped #6760

jayrlowe opened this issue Nov 11, 2024 · 2 comments
Labels
kind/feature Categorizes issue or PR as related to a new feature. kind/question Categorizes an issue as a user question. lifecycle/needs-triage Indicates that an issue needs to be triaged by a project contributor.

Comments

@jayrlowe
Copy link

jayrlowe commented Nov 11, 2024
edited
Loading

I have an AWS NLB with SSL offloading which sends that traffic to port 8080. The request flows through fine, but the JWT verification is not working. I would expect a 401, but get a 200 returned from the backend service.

I deployed contour onto EKS with the helm chart - v19.3.1

I would expect it to ask for a token with this request:

kubectl exec -it -n default curl-test -- curl -v \   
  https://<redacted>/

This is my HTTPProxy.

apiVersion: projectcontour.io/v1
kind: HTTPProxy
metadata:
  name: test-jwt-proxy
  namespace: default
spec:
  virtualhost:
    fqdn: <redacted>
    tls:
      secretName: test-jwt-tls-secret
    jwtProviders:
      - name: cognito
        default: true
        issuer: https://cognito-idp.<redacted>.amazonaws.com/<redacted>
        remoteJWKS:
          uri: https://cognito-idp.<redacted>.amazonaws.com/<redacted>/.well-known/jwks.json
        forwardJWT: true
  routes:
    - conditions:
      - prefix: /
      jwtVerificationPolicy:
        require: cognito
        disabled: false
      services:
        - name: test-jwt
          port: 80
      permitInsecure: true
@jayrlowe jayrlowe added kind/question Categorizes an issue as a user question. lifecycle/needs-triage Indicates that an issue needs to be triaged by a project contributor. labels Nov 11, 2024
@github-actions GitHub Actions
Copy link

Hey @jayrlowe! Thanks for opening your first issue. We appreciate your contribution and welcome you to our community! We are glad to have you here and to have your input on Contour. You can also join us on our mailing list and in our channel in the Kubernetes Slack Workspace

@jayrlowe
Copy link
Author

After reviewing the code, it looks like JWT verification won't work unless envoy terminates the TLS connection. I verified this was the case by setting up my NLB as a passthrough. So I guess this is more of a feature request now. Given that terminating TLS at a load balancer is a very common pattern, it would be nice to be able to use JWT verification without forcing TLS in the HTTPProxy.

@izturn izturn added the kind/feature Categorizes issue or PR as related to a new feature. label Nov 13, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
kind/feature Categorizes issue or PR as related to a new feature. kind/question Categorizes an issue as a user question. lifecycle/needs-triage Indicates that an issue needs to be triaged by a project contributor.
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@izturn @jayrlowe