envoyproxy / gateway

Manages Envoy Proxy as a Standalone or Kubernetes-based Application Gateway
https://gateway.envoyproxy.io
Apache License 2.0
1.63k stars 352 forks

Jwks async fetching failed. #4577

Open beckliln opened 2 weeks ago

beckliln commented 2 weeks ago

Description: I encountered an issue while using the JWKS URI from the security policy to verify the public key of a user's token. The JWKS information provided by the issuer has the "n" field of the public key separated by "/", which is inconsistent with the "-" used in the example. The proxy error message is "Jwks async fetching url=xxxxx/keys/: failed." Is there any way to resolve this?

Repro steps:


Environment: Envoy Gateway 1.1.2

Logs: Jwks async fetching url=xxxxx/keys/: failed.

zhaohuabing commented 2 weeks ago

@beckliln To better understand what happened, can you also paste the SecurityPolicy and the JWKS in this issue? Sensitive data can be sanitized.

beckliln commented 2 weeks ago

SecurityPolicy config is:

```yaml
# apiVersion was missing from the pasted manifest; this is the SecurityPolicy API group/version for Envoy Gateway 1.1
apiVersion: gateway.envoyproxy.io/v1alpha1
kind: SecurityPolicy
metadata:
  name: jwt-example
  namespace: test
spec:
  jwt:
    providers:
      - extractFrom:
          headers:
            - name: jwtauth
              valuePrefix: Bearer
        name: example
        remoteJWKS:
          uri: http://jwks.apps.k8s01.com/keys1
  targetRef:
    group: gateway.networking.k8s.io
    kind: HTTPRoute
    name: test101303
```

and the JWKS looks like this (the "n" field and another field have been sanitized); you can see some "/" in field "n":
```json
{
    "keys": [
        {
            "e": "AQAB",
            "issuer": "https://test.com/oauth2/oidc/discovery",
            "kid": "HlRdte1koCCCgF_X_dujy8aT9ndDsWqN6JpRCCSSnko",
            "kty": "RSA",
            "n": "xcfHS86PAyhYvDSXXSASDDSDSAAb7znRvnGUgjutU7Jx5UyAy7wWpTjfjh/ktD1nNOVn6iacuhWW3YSBpA3oZL1nQzXQFKNCOK5qwCrefl/E/nhKts2YdDSDSAAYAKYQ+RDeUBjhtct5xpL0Dw7xtoqZJM6nGqntK7IZYWhedqKDSDSDSAnwxhmT7yHSK+JYGl2OOZkk5hghZTvtzetEb2dT7RMGx3dPpnY2w9PMHXWznwGaJSCcAJDSDSDX0OK6iNV/PVq6Jz/ZjaRcZ+qVui+j70uWQsEMDljEIZJ++Yh4VoY0YDSDSDSN5WuVWw==",
            "use": "sig",
            "x5c": [
                "<sanitized>"
            ],
            "x5t": "HlRdte1koCCCgF_X_dujy8aT9ndDsWqN6JpRCCSSnko"
        }
    ]
}
```
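Editor's note on the JWKS posted above: the "n" value contains "/", "+" and a trailing "==", which is standard base64 (RFC 4648 section 4). RFC 7518 section 6.3.1 requires the RSA "n" and "e" parameters of a JWK to be Base64urlUInt, i.e. unpadded base64url, whose alphabet uses "-" and "_" and has no "=" padding. A JWKS consumer that decodes these fields strictly will fail to load such a key. The following Python script is an added example, not code from this issue thread or from envoyproxy/gateway; it detects that condition in a JWKS document and re-encodes the offending fields so the key material is preserved. The sample JWKS, its kid and the 2048-bit modulus bytes are constructed here and are not the issue reporter's real key.

```python
import base64
import copy
import json
import re

# RFC 7518 section 6.3.1: the RSA "n" and "e" parameters are Base64urlUInt values,
# i.e. unpadded base64url (RFC 4648 section 5): alphabet A-Z a-z 0-9 '-' '_', no '='.
_BASE64URL_RE = re.compile(r"[A-Za-z0-9_-]+")


def is_base64url(value: str) -> bool:
    """True if value uses only the unpadded base64url alphabet."""
    return bool(_BASE64URL_RE.fullmatch(value))


def b64url_decode(value: str) -> bytes:
    """Decode unpadded base64url, re-adding the padding the JWK encoding omits."""
    return base64.urlsafe_b64decode(value + "=" * (-len(value) % 4))


def std_b64_to_b64url(value: str) -> str:
    """Re-encode a standard base64 string (RFC 4648 section 4: '+', '/' and '='
    padding) as unpadded base64url. Raises binascii.Error on malformed input."""
    padded = value + "=" * (-len(value) % 4)
    raw = base64.b64decode(padded, validate=True)
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def check_jwks(jwks: dict) -> list:
    """Return (kid, field, reason) for every RSA key whose "n"/"e" is not base64url."""
    problems = []
    for key in jwks.get("keys", []):
        if key.get("kty") != "RSA":
            continue
        kid = key.get("kid")
        for field in ("n", "e"):
            value = key.get(field)
            if not isinstance(value, str) or not value:
                problems.append((kid, field, "missing"))
            elif not is_base64url(value):
                offenders = "".join(sorted({c for c in value if c in "+/="}))
                problems.append((kid, field, "not base64url, contains: " + offenders))
    return problems


def fix_jwks(jwks: dict) -> dict:
    """Return a deep copy in which standard-base64 "n"/"e" values are re-encoded
    as base64url. Values that are already base64url are left untouched."""
    fixed = copy.deepcopy(jwks)
    for key in fixed.get("keys", []):
        if key.get("kty") != "RSA":
            continue
        for field in ("n", "e"):
            value = key.get(field)
            if isinstance(value, str) and value and not is_base64url(value):
                key[field] = std_b64_to_b64url(value)
    return fixed


def rsa_modulus_bits(n_b64url: str) -> int:
    """Key size implied by a base64url modulus; a sanity check after re-encoding."""
    return int.from_bytes(b64url_decode(n_b64url), "big").bit_length()


# Constructed 256-byte (2048-bit) modulus whose standard base64 form is full of
# '+' and '/' characters: bytes FB EF BE encode to "++++", FF FF FF to "////".
# This is NOT the key from the issue, just deterministic sample input for the check.
SAMPLE_MODULUS = (b"\xfb\xef\xbe\xff\xff\xff" * 42) + b"\xfb\xef\xbe\xff"

# Constructed JWKS that reproduces the shape of the problem: "n" is standard base64.
SAMPLE_BAD_JWKS = {
    "keys": [
        {
            "kty": "RSA",
            "use": "sig",
            "kid": "constructed-kid",
            "e": "AQAB",  # 65537; identical in both encodings, so it passes
            "n": base64.b64encode(SAMPLE_MODULUS).decode("ascii"),  # wrong encoding for a JWK
        }
    ]
}

if __name__ == "__main__":
    print(json.dumps(check_jwks(SAMPLE_BAD_JWKS), indent=2))
    fixed = fix_jwks(SAMPLE_BAD_JWKS)
    print(json.dumps(check_jwks(fixed)))
    print(rsa_modulus_bits(fixed["keys"][0]["n"]))
```

Point the script at a real JWKS by loading the fetched JSON with `json.load` and passing it to `check_jwks`; an empty list means the "n"/"e" encoding is not the cause of the fetch failure. Note that a value such as "AQAB" that contains none of "+", "/" or "=" is valid in both alphabets, so the check can only flag keys whose standard-base64 form happens to use those characters, which for a 2048-bit modulus is almost always the case.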