Combining OIDC and JWT authentication

[sadovnikov]

I'm testing OIDC authentication, which is planned for the v1.0 release and, so far, have not discovered any problems with OIDC implementation itself. However, I'm failing to create a SecurityPolicy or their combination to authorise requests using either JWT or OIDC.

In our use case, the same URLs can be used

• by some services, which use JWT, and
• from browsers, where users log in using OIDC

Currently, if OIDC authentication is configured, requests with valid JWT get redirected to the IDP.
Is there a way to configure the gateway to redirect to IDP only those requests that do not have a valid JWT token?

[arkodg]

@sadovnikov are the service clients and browser clients reaching the same designation endpoint ? if not, you could split up intent (different path matches) into separate HTTPRoutes, and a different BackendTrafficPolicy config for each HTTPRoute

[zhaohuabing]

IMO, even though OIDC and JWT are both supported, they should be configured separately in different securitypolicy objects because they serve different purposes.
OIDC is for user authentication whereas JWT is for application authentication.

@sadovnikov I think you don't want OIDC authn for those requests that are not from browsers, right? In that case, a different HTTPRoute should be used and configured with JWT.

[sadovnikov]

@zhaohuabing, thank you for the idea of using a different HTTP Route. I'll give it a try

[sadovnikov]

@zhaohuabing, using two separate HTTP Routes on the same hostname/path with two different Security Policies (one with OIDC authentication, the other with JWT) didn't change anything: requests with valid JWT are still redirected to the IDP login page.

Interestingly enough, the browser clients, who do not send the Authorization: Bearer .... header, successfully open the application pages when both OIDC and JWT security policies are accepted. However, they get "Jwt is missing" when only JWT policy is present. Somehow, the OIDC authentication suppresses JWT, regardless of using a single security policy or two separate ones.

[zhaohuabing]

@sadovnikov Should the HTTPRoutes be at different paths？

Could you please paste the HTTPRoute and SecurityPolicy？

[sadovnikov]

I've done more tests. Now, JWT authentication takes precedence

• logged-in browser users get the "Jwt is missing" message
• requests with the JWT token in the header are coming through

I think, because both HTTP Routes are for the same host/path, EG picks only one of them and the linked Security Policy.

I wonder if using both authentication methods on the same paths should be supported. With Ambassador, it's possible to control the order, in which the filters are applied, and conditionally skip the next filters.

Could you please paste the HTTPRoute and SecurityPolicy？

- apiVersion: gateway.envoyproxy.io/v1alpha1
  kind: SecurityPolicy
  metadata:
    name: cbdp-k8s-sample-web-pr-195-jwt
    namespace: reference-apps
  spec:
    jwt:
      providers:
      - audiences:
        - d8c0c5a5-5b45-4566-9fb2-367e62c397ee
        name: azure
        remoteJWKS:
          uri: https://login.microsoftonline.com/a87b6d3d-d85e-4d9b-8704-6aed76a49444/discovery/v2.0/keys
    targetRef:
      group: gateway.networking.k8s.io
      kind: HTTPRoute
      name: cbdp-k8s-sample-web-pr-195-jwt
  status:
    conditions:
    - lastTransitionTime: "2024-01-12T09:57:27Z"
      message: SecurityPolicy has been accepted.
      reason: Accepted
      status: "True"
      type: Accepted
	  
- apiVersion: gateway.envoyproxy.io/v1alpha1
  kind: SecurityPolicy
  metadata:
    name: cbdp-k8s-sample-web-pr-195-oidc
    namespace: reference-apps
  spec:
    oidc:
      clientID: d8c0c5a5-5b45-4566-9fb2-367e62c397ee
      clientSecret:
        group: ""
        kind: Secret
        name: oauth2-secret-eg
      provider:
        issuer: https://login.microsoftonline.com/a87b6d3d-d85e-4d9b-8704-6aed76a49444/v2.0
      scopes:
      - api://d8c0c5a5-5b45-4566-9fb2-367e62c397ee/oidc
      - offline_access
    targetRef:
      group: gateway.networking.k8s.io
      kind: HTTPRoute
      name: cbdp-k8s-sample-web-pr-195-oidc
  status:
    conditions:
    - lastTransitionTime: "2024-01-12T13:01:29Z"
      message: SecurityPolicy has been accepted.
      reason: Accepted
      status: "True"
      type: Accepted
	  
- apiVersion: gateway.networking.k8s.io/v1
  kind: HTTPRoute
  metadata:
    name: cbdp-k8s-sample-web-pr-195-jwt
    namespace: reference-apps
  spec:
    hostnames:
    - reference-apps.platform-lab.internal.xxx.yyy
    parentRefs:
    - group: gateway.networking.k8s.io
      kind: Gateway
      name: default
      namespace: envoy-gateway-system
    rules:
    - backendRefs:
      - group: ""
        kind: Service
        name: cbdp-k8s-sample-web-pr-195
        port: 80
        weight: 1
      matches:
      - path:
          type: PathPrefix
          value: /cbdp-k8s-sample-pr-195
      timeouts:
        request: 10000ms
  status:
    parents:
    - conditions:
      - lastTransitionTime: "2024-01-12T09:57:27Z"
        message: Route is accepted
        observedGeneration: 1
        reason: Accepted
        status: "True"
        type: Accepted
      - lastTransitionTime: "2024-01-12T09:57:27Z"
        message: Resolved all the Object references for the Route
        observedGeneration: 1
        reason: ResolvedRefs
        status: "True"
        type: ResolvedRefs
      controllerName: gateway.envoyproxy.io/gatewayclass-controller
      parentRef:
        group: gateway.networking.k8s.io
        kind: Gateway
        name: default
        namespace: envoy-gateway-system
		
- apiVersion: gateway.networking.k8s.io/v1
  kind: HTTPRoute
  metadata:
    name: cbdp-k8s-sample-web-pr-195-oidc
    namespace: reference-apps
  spec:
    hostnames:
    - reference-apps.platform-lab.internal.xxx.yyy
    parentRefs:
    - group: gateway.networking.k8s.io
      kind: Gateway
      name: default
      namespace: envoy-gateway-system
    rules:
    - backendRefs:
      - group: ""
        kind: Service
        name: cbdp-k8s-sample-web-pr-195
        port: 80
        weight: 1
      matches:
      - path:
          type: PathPrefix
          value: /cbdp-k8s-sample-pr-195
      timeouts:
        request: 10000ms
  status:
    parents:
    - conditions:
      - lastTransitionTime: "2024-01-12T09:57:27Z"
        message: Route is accepted
        observedGeneration: 1
        reason: Accepted
        status: "True"
        type: Accepted
      - lastTransitionTime: "2024-01-12T09:57:27Z"
        message: Resolved all the Object references for the Route
        observedGeneration: 1
        reason: ResolvedRefs
        status: "True"
        type: ResolvedRefs
      controllerName: gateway.envoyproxy.io/gatewayclass-controller
      parentRef:
        group: gateway.networking.k8s.io
        kind: Gateway
        name: default
        namespace: envoy-gateway-system

[zhaohuabing]

These two HTTPRoutes are equivalent, they both match the same requests sent to "reference-apps.platform-lab.internal.xxx.yyy/cbdp-k8s-sample-pr-195". So when the requests com in, they may be sent to one route or the other, depends on which HTTPRoute is the first one in the xDS route configuration, which is random.

I suggest a configuration like this:

• Two HTTPRoutes, which matches different paths, one for api/application access, one for user/browser access.
• Two SecurityPolicies, jwt authn for api/application access HTTPRoute, oidc authn for user/browser access HTTPRoute.

- apiVersion: gateway.networking.k8s.io/v1
  kind: HTTPRoute
  metadata:
    name: cbdp-k8s-sample-web-pr-195-jwt
    namespace: reference-apps
  spec:
    hostnames:
    - reference-apps.platform-lab.internal.xxx.yyy
    parentRefs:
    - group: gateway.networking.k8s.io
      kind: Gateway
      name: default
      namespace: envoy-gateway-system
    rules:
    - backendRefs:
      - group: ""
        kind: Service
        name: cbdp-k8s-sample-web-pr-195
        port: 80
        weight: 1
      matches:
      - path:
          type: PathPrefix
          value: /cbdp-k8s-sample-pr-195/application-endpoint

- apiVersion: gateway.networking.k8s.io/v1
  kind: HTTPRoute
  metadata:
    name: cbdp-k8s-sample-web-pr-195-oidc
    namespace: reference-apps
  spec:
    hostnames:
    - reference-apps.platform-lab.internal.xxx.yyy
    parentRefs:
    - group: gateway.networking.k8s.io
      kind: Gateway
      name: default
      namespace: envoy-gateway-system
    rules:
    - backendRefs:
      - group: ""
        kind: Service
        name: cbdp-k8s-sample-web-pr-195
        port: 80
        weight: 1
      matches:
      - path:
          type: PathPrefix
          value: /cbdp-k8s-sample-pr-195/user-endpoint

Or they can use different hostname such as "api.reference-apps.platform-lab.internal.xxx.yyy" and "www.reference-apps.platform-lab.internal.xxx.yyy"

With Ambassador, it's possible to control the order, in which the filters are applied, and conditionally skip the next filters.

I think we can put the jwt filter in front of the oauth2 filter, but I guess you wouldn't want OIDC for those requests that only need jwt. As I said, they serve different purposes.

[sadovnikov]

@zhaohuabing, I understand your answer. Thank you!

Most probably, now we'll go with using different hostnames. However, I think, the question of ordering and combining different authentication methods on the same "host/path" will be coming up from other users too

[zhaohuabing]

@sadovnikov Different authentication methods(Basic, JWT, OIDC, etc) can be combined in a SecurityPolicy and targets on the same HTTPRoute(same host and path). But you can't "configure the gateway to redirect to IDP only those requests that do not have a valid JWT token". The request will go through all the authentication methods configured on the HTTPRoute.

Regarding the ordering, do you have any specific use cases that you need to change the order of the filters for different Route?

[sadovnikov]

The request will go through all the authentication methods configured on the HTTPRoute

I don't see any header in the browser requests, but JWT auth lets them through. Does JWT authentication accept the BearerToken from cookies, which are set by OIDC?

do you have any specific use cases that you need to change the order of the filters for different Route?

No, I do not. The current implementation may be good enough. However, if somebody adds basicAuth to the mix (we are not going to do this), I would have difficulty predicting the priorities.

Thanks again for your attention

[zhaohuabing]

I don't see any header in the browser requests, but JWT auth lets them through. Does JWT authentication accept the BearerToken from cookies, which are set by OIDC?

Yes, JWT token can be extracted from cookies by configuring the ExtractFrom field in the JWT settings of SecurityPolicy.

[sadovnikov]

The request will go through all the authentication methods configured on the HTTPRoute

I was asking about this because currently we do not use ExtractFrom in JWT auth configuration. So I'd be expecting only the Authorisation header to be used. However, the browser requests without the header are accepted. Therefore either JWT auth also checks cookies by default or authentication methods are skipped after the first match on OIDC.

spec:
  jwt:
    providers:
    - audiences:
      - d8c0c5a5-5b45-4566-9fb2-367e62c397ee
      name: azure
      remoteJWKS:
        uri: https://login.microsoftonline.com/a87b6d3d-d85e-4d9b-8704-6aed76a49444/discovery/v2.0/keys
  oidc:
    clientID: d8c0c5a5-5b45-4566-9fb2-367e62c397ee
    clientSecret:
      group: ""
      kind: Secret
      name: oauth2-secret-eg
    provider:
      issuer: https://login.microsoftonline.com/a87b6d3d-d85e-4d9b-8704-6aed76a49444/v2.0
    scopes:
    - api://d8c0c5a5-5b45-4566-9fb2-367e62c397ee/oidc
    - offline_access
  targetRef:
    group: gateway.networking.k8s.io
    kind: HTTPRoute
    name: cbdp-k8s-sample-web-pr-195

[zhaohuabing]

I got it. It could be a bug. Could you please raise an issue and attache related HTTPRoute and SecurityPolicy? We can track this in that issue.

It will also be very useful if you could paste the configuration pushed to the envoy by execute "egctl config envoy-proxy all". If there're any sensitive information in the config, you can mask them before pasting the config.

@sadovnikov

[sadovnikov]

I logged

• a feature request Filters for OIDC authentication mechanisms #2496 and
• a bug report Security policy from different route interferes authentication #2507

[evilr00t]

Not sure if this is the best place to ask but subject seems to be on point.

We have OIDC provider configured as below:

apiVersion: gateway.envoyproxy.io/v1alpha1
kind: SecurityPolicy
metadata:
  name: foobar-public
spec:
  targetRef:
    group: gateway.networking.k8s.io
    kind: HTTPRoute
    name: foobar-public
# NOTE: when uncommented then shows: Jwt is not in the form of Header.Payload.Signature with two dots and 3 sections 
# ^ after being successfully authenticated using OIDC
#  jwt:
#    providers:
#      - name: jumpcloud
#        remoteJWKS:
#          uri: "https://oauth.id.jumpcloud.com/.well-known/jwks.json"
  oidc:
    provider:
      issuer: "https://oauth.id.jumpcloud.com"
    clientID: "FOOBAR"
    clientSecret:
      kind: Secret
      name: "foobar-client-secret"
    logoutPath: "/logout"
    redirectURL: https://FOOBAR/oauth2/callback
    scopes:
      - openid
      - email

We can see that Authorization: Bearer XYZ is being passed to the backend service, unfortunately this is not valid JWT token as JWT Token is being kept in the Cookie at the IdToken name, what is the best workflow to pass JWT Token (IdToken) as a Header using Gateway? For static headers we can use

      filters:
        - type: RequestHeaderModifier
          requestHeaderModifier:
            add:
              - name: "FOOBAR"
                value: "XYZ"

but how we can reference value from Cookie / Envoy / OIDC? 🤔

[arkodg]

@zhaohuabing shouldnt the JWT from OIDC live in Authorization: by default ?
@evilr00t , JWT can be extracted from other headers using this https://gateway.envoyproxy.io/latest/api/extension_types/#jwtextractor

[zhaohuabing]

@arkodg @evilr00t We can enable forward_bearer_token by default and put the bearer token in Authorization header, but the Envoy oauth2 filter doesn't support putting id token in Authorization header.

A forward_id_token knob needs to be added to the upstream oauth2 filter for that.

IMO, we can add an example in the user doc to show how to use jwtextractor to get the id token from OIDC.

[arkodg]

ah thanks @zhaohuabing, what does the OIDC spec say, is the right home for the jwt ?

[zhaohuabing]

I'm not aware of any OIDC spec about placing the id token in HTTP headers. In the OIDC Authorization Code Flow, the id token is returned in the response body from the token endpoint.

Normally, the Authorization header bear token is an access token, I guess that's why oauth2 filter provides an option to put bearer token in it.

[zhaohuabing]

Raised an issue in Envoy upstream: envoyproxy/envoy#32805 to track this.