Open carlin-q-scott opened 1 year ago
Hi @carlin-q-scott, thanks for raising this issue and the workaround. I wouldn't think ext_authz would be interfering if bypass_auth is used but perhaps there is some lag/ordering issue in chain of events. Also found this Envoy issue which may also be related.
@cindymullins-dw Yeah, looks like they implemented the same workaround as me. They were also using emissary-ingress.
I don't think I can give much input on the lag/ordering you mention since I don't know the internal workings of emissary and envoy. Are the request chains executing in parallel and first one to respond wins? So when I make a request to my bypass_auth Mapped service, emissary goes ahead and makes a request to the AuthService and would cancel that request if the target service responds faster? One theory I had was that emissary or envoy is reusing the request forwarder for the AuthService when fulfilling the request to the Mapped service since they are in fact the same service.
Describe the bug I have an AuthService with a Mapping that has bypass_auth set to true. Sometimes a request to auth service goes through AuthService instead of the Mapping.
The situation where we're frequently seeing this is:
Our Auth service manifest:
To Reproduce Steps to reproduce the behavior:
Expected behavior The full browser request makes it to the callback endpoint on the auth service
Versions (please complete the following information):
Additional context
Comparison of original request (authz) and browser refresh:
Workaround Allow the accept and content-type header to be passed through to the authz endpoint by adding this to the AuthService definition: