Open MarynaIshchenko opened 1 week ago
cc @zhaohuabing
I can't reproduce this issue. The OIDC authn with Google provider in version 1.2.0.rc1 works fine in my dev machine.
BTW, example doesn't reflect any change in configuration for new version.
Nonce support in the Envoy OAuth2 filter is transparent to both the EG and the OIDC provider, so no changes in the docs.
Nonce is transparent only if the OIDC provider behaves as expected: https://github.com/envoyproxy/envoy/issues/36871
Nonce is supposed to be transparent to the OIDC provider; I didn't realize that some OIDC providers would inspect the state parameter and remove the nonce outside of it.
The Google OIDC Authentication doesn't do that according to my testing.
Raised a PR to opt nonce out in Envoy. We shouldn't have this issue with the Google OIDC. Could you please help verify this? @MarynaIshchenko
I am experiencing a very similar issue which I have described in #4718 and which could be related. My issue happens quite randomly and only after some time (everything works fine in the beginning). This could also be the reason why you can't easily reproduce this @zhaohuabing (if it is related at all).
@MarynaIshchenko have you tried to enable debug logging in envoy and/or doing a fresh envoy gateway installation with a minimal configuration?
Description: After upgrading to version 1.2.0.rc1, authentication with SecurityPolicy stopped working with the error "OAuth flow failed" and the log entry "response_code_details":"oauth.missing_credentials".
Config:
apiVersion: gateway.envoyproxy.io/v1alpha1
kind: SecurityPolicy
metadata:
  name: example-oidc
  namespace: example
spec:
  oidc:
    clientID: XXXX.apps.googleusercontent.com
    clientSecret:
      group: ""
      kind: Secret
      name: google-oauth-oidc
    logoutPath: /logout
    provider:
      issuer: https://accounts.google.com
    redirectURL: https://example.com/oauth2
  targetRef:
    group: gateway.networking.k8s.io
    kind: HTTPRoute
    name: example-ui
Perhaps it's connected with NONCE implementation, because previously: state: http://example.com/
and now:
state: url=http%3A%2F%2Fexample.com%2F&nonce=1730721470322991
BTW, example doesn't reflect any change in configuration for new version.
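The two state values quoted above (the bare redirect URL before 1.2.0.rc1, and `url=...&nonce=...` after it) are the whole diagnostic surface of this report. The following is an added example, not code from Envoy, Envoy Gateway, or any participant in this thread: it parses both state formats and classifies what a provider hands back on the callback, so an operator can tell a provider that strips the nonce from the state (the failure mode described here) apart from a genuine nonce mismatch. The sample state strings are constructed from the values in the issue body; the `expected_nonce` argument stands in for whatever nonce the gateway stored on its side, which this example assumes is available for comparison.

```python
import hmac
from urllib.parse import parse_qs

# Constructed samples modelled on the two state values quoted in the issue body.
OLD_STATE = "http://example.com/"
NEW_STATE = "url=http%3A%2F%2Fexample.com%2F&nonce=1730721470322991"


def parse_state(state: str) -> dict:
    """Split a returned state value into its redirect URL and nonce.

    Pre-nonce format: the state is the bare original URL.
    Nonce format:     'url=<percent-encoded url>&nonce=<value>'.
    A missing nonce is reported as None rather than raising, so the caller
    can distinguish 'absent' from 'wrong'.
    """
    if state.startswith("url="):
        fields = parse_qs(state, keep_blank_values=True)
        return {
            "url": fields.get("url", [None])[0],
            "nonce": fields.get("nonce", [None])[0],
        }
    # Legacy, nonce-less format: the whole value is the redirect URL.
    return {"url": state, "nonce": None}


def check_round_trip(returned_state: str, expected_nonce: str) -> str:
    """Classify the state that came back from the OIDC provider.

    'ok'       - nonce present and equal to the one we sent
    'stripped' - provider returned state with no nonce at all (the situation
                 this issue describes; the gateway then cannot match the
                 callback to the original request)
    'mismatch' - nonce present but different from what we sent, which is a
                 stale or forged callback and must not be accepted
    """
    parsed = parse_state(returned_state)
    if parsed["nonce"] is None:
        return "stripped"
    # Constant-time comparison: the nonce is a secret-ish binding value.
    if hmac.compare_digest(parsed["nonce"], expected_nonce):
        return "ok"
    return "mismatch"


if __name__ == "__main__":
    sent_nonce = "1730721470322991"  # constructed: the value from the issue
    for label, state in (("old format", OLD_STATE), ("new format", NEW_STATE)):
        print(label, parse_state(state), check_round_trip(state, sent_nonce))
```

In practice the callback handler should refuse the flow on either `stripped` or `mismatch`; the distinction matters only for diagnosis, because `stripped` points at the provider (or something in between) rewriting the state parameter, whereas `mismatch` points at a replayed or cross-session callback.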