envoyproxy / envoy

Cloud-native high-performance edge/middle/service proxy
https://www.envoyproxy.io
Apache License 2.0

OAuth2 with Azure AD works on v1.22.0 but it doesn't work on the versions 1.22.1 until latest #25096

Open thailakadre opened 1 year ago

thailakadre commented 1 year ago

Hi, I am having some problems using Envoy, and I need help. I am using Envoy with Azure AD authentication. I followed this https://github.com/envoyproxy/envoy/issues/20179 link and saw that it is possible on the 1.22.0 version. However, something after this version broke the fix, or I am not doing this correctly. Furthermore, I am getting a problem with the routes. Only when I use the authentication do I get an unstable error, and the path is missing a "/".

Then let me explain better.

This is my envoy.yaml

```yaml
node:
  id: nodeid
  cluster: clusterid

admin:
  address:
    socket_address:
      address: 0.0.0.0
      port_value: 9902

static_resources:

  listeners:
  - name: private_listener
    address:
      socket_address:
        address: 0.0.0.0
        port_value: 3000
    filter_chains:
    - filters:
      - name: envoy.filters.network.http_connection_manager
        typed_config:
          "@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager
          stat_prefix: ingress_http
          access_log:
          - name: envoy.access_loggers.stdout
            typed_config:
              "@type": type.googleapis.com/envoy.extensions.access_loggers.stream.v3.StdoutAccessLog
          http_filters:
          - name: envoy.filters.http.oauth2
            typed_config:
              "@type": type.googleapis.com/envoy.extensions.filters.http.oauth2.v3.OAuth2
              config:
                auth_scopes:
                - openid
                token_endpoint:
                  cluster: azure_oauth2
                  uri: "https://login.microsoftonline.com/<<mytenantID>>/oauth2/v2.0/token"
                  timeout: 120s
                authorization_endpoint: "https://login.microsoftonline.com/<<mytenantID>>/oauth2/v2.0/authorize"
                credentials:
                  client_id: "<<myclientID>>"
                  token_secret:
                    name: token
                    sds_config:
                      resource_api_version: V3
                      path_config_source:
                        path: "/etc/envoy/token-secret.yaml"
                  hmac_secret:
                    name: hmac
                    sds_config:
                      resource_api_version: V3
                      path_config_source:
                        path: "/etc/envoy/hmac-secret.yaml"
                redirect_uri: "https://%REQ(:authority)%/callback"
                redirect_path_matcher:
                  path:
                    exact: /callback
                signout_path:
                  path:
                    exact: /signout
                forward_bearer_token: true
          - name: envoy.filters.http.router
            typed_config:
              "@type": type.googleapis.com/envoy.extensions.filters.http.router.v3.Router
          route_config:
            name: private_routes
            virtual_hosts:
            - name: local_service
              domains: ["*"]
              routes:
              - match:
                  prefix: "/servicea"
                route:
                  prefix_rewrite: "/api/v1"
                  cluster: servicea
              - match:
                  prefix: "/serviceb"
                route:
                  prefix_rewrite: "/api/v1/b"
                  cluster: serviceb

  clusters:
  - name: azure_oauth2
    connect_timeout: 5s
    type: LOGICAL_DNS
    lb_policy: ROUND_ROBIN
    dns_lookup_family: V4_ONLY
    dns_refresh_rate: 1s
    load_assignment:
      cluster_name: azure_oauth2
      endpoints:
      - lb_endpoints:
        - endpoint:
            address:
              socket_address:
                address: login.microsoftonline.com
                port_value: 443
    transport_socket:
      name: envoy.transport_sockets.tls
      typed_config:
        "@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.UpstreamTlsContext
        sni: login.microsoftonline.com
  - name: servicea
    connect_timeout: 3s
    type: LOGICAL_DNS
    dns_lookup_family: V4_ONLY
    lb_policy: ROUND_ROBIN
    load_assignment:
      cluster_name: servicea
      endpoints:
      - lb_endpoints:
        - endpoint:
            address:
              socket_address:
                address: <<docker-image-name>>
                port_value: 80
  - name: serviceb
    connect_timeout: 0.25s
    type: LOGICAL_DNS
    dns_lookup_family: V4_ONLY
    lb_policy: ROUND_ROBIN
    load_assignment:
      cluster_name: serviceb
      endpoints:
      - lb_endpoints:
        - endpoint:
            address:
              socket_address:
                address: <<second-docker-image>>
                port_value: 80
```

I connected with user credentials:

  1. Access this URL: https://login.microsoftonline.com/<>/oauth2/v2.0/authorize?client_id=<>&response_type=code&scope=<>&redirect_uri=http://localhost:3000/callback
  2. I go to Postman and execute this request: https://login.microsoftonline.com/{{tenantid}}/oauth2/v2.0/token. The body contains some keys and values:
    1. scope
    2. code (I got this from the first URL)
    3. client_id
    4. redirect_uri
    5. grant_type: authorization_code
    6. client_secret
  3. The previous request returns a bearer token, which I then use on my request to Envoy: http://{{apigatewayhost}}/servicea/integrations
    1. Under Authorization, I chose Bearer Token and added the code.
    2. I added the key and value the upstream service needs to the headers.

The issues:

  1. On version 1.22.0, I can do all the steps. However, every time I try the request to Envoy on the latest versions, it returns me to the Microsoft login page. It gives the impression that I hadn't done the authorization before.
  2. On version 1.22.0, I am getting unstable behaviour. Sometimes I receive a 404 status instead of 200. That's happening because the path is in the wrong format and the "/" is removed from the URL.

The log from issue 2:

```
2023-01-20 10:21:36 apigateway-apigateway-1 | [2023-01-19 23:51:36.089][15][trace][http] [source/common/http/http1/codec_impl.cc:492] [C2] completed header: key=Location value=https://localhost:44301/api/v1integrations
2023-01-20 10:21:36 apigateway-apigateway-1 | [2023-01-19 23:51:36.089][15][trace][http] [source/common/http/http1/codec_impl.cc:1287] [C2] status_code 307
2023-01-20 10:21:36 apigateway-apigateway-1 | [2023-01-19 23:51:36.089][15][trace][http] [source/common/http/http1/codec_impl.cc:1297] [C2] Client: onHeadersComplete size=4
2023-01-20 10:21:36 apigateway-apigateway-1 | [2023-01-19 23:51:36.089][15][trace][http] [source/common/http/http1/codec_impl.cc:843] [C2] message complete
2023-01-20 10:21:36 apigateway-apigateway-1 | [2023-01-19 23:51:36.089][15][trace][http] [source/common/http/http1/codec_impl.cc:1368] [C2] message complete
2023-01-20 10:21:36 apigateway-apigateway-1 | [2023-01-19 23:51:36.089][15][debug][http] [source/common/http/conn_manager_impl.cc:1483] [C0][S11257667763600825834] encoding headers via codec (end_stream=true):
2023-01-20 10:21:36 apigateway-apigateway-1 | ':status', '307'
2023-01-20 10:21:36 apigateway-apigateway-1 | 'content-length', '0'
2023-01-20 10:21:36 apigateway-apigateway-1 | 'date', 'Thu, 19 Jan 2023 23:51:35 GMT'
2023-01-20 10:21:36 apigateway-apigateway-1 | 'server', 'envoy'
2023-01-20 10:21:36 apigateway-apigateway-1 ### | 'location', 'https://localhost:44301/api/v1integrations'
2023-01-20 10:21:36 apigateway-apigateway-1 | 'x-envoy-upstream-service-time', '23'
2023-01-20 10:21:36 apigateway-apigateway-1 |
2023-01-20 10:21:36 apigateway-apigateway-1 | [2023-01-19T23:51:36.064Z] "GET /api/v1/integrations HTTP/1.1" 307 - 0 0 25 23 "-" "PostmanRuntime/7.30.0" "4fa362a8-992e-478e-a9c5-5864942b7a36" "localhost:3000" "172.18.0.3:80"
2023-01-20 10:21:36 apigateway-apigateway-1 | [2023-01-19 23:51:36.090][15][trace][http] [source/common/http/http1/codec_impl.cc:629] [C2] parsed 162 bytes
```

Can someone help me to understand what I am doing wrong?

RyanTheOptimist commented 1 year ago

cc: @derekargueta @snowp

github-actions[bot] commented 1 year ago

This issue has been automatically marked as stale because it has not had activity in the last 30 days. It will be closed in the next 7 days unless it is tagged "help wanted" or "no stalebot" or other activity occurs. Thank you for your contributions.

github-actions[bot] commented 1 year ago

This issue has been automatically closed because it has not had activity in the last 37 days. If this issue is still valid, please ping a maintainer and ask them to label it as "help wanted" or "no stalebot". Thank you for your contributions.

thailakadre commented 1 year ago

I would like help with this problem. Because I can not use new versions with Azure AD

zuercher commented 1 year ago

ping @derekargueta and @snowp as extension owners