search

goauthentik / authentik

The authentication glue you need.
https://goauthentik.io
Other
13.52k stars 904 forks source link

JWKS in Forward Proxy Application is empty #6008

Open scolastico opened 1 year ago

scolastico commented 1 year ago

Describe the bug Im wondering why my JWKS is empty. I have setup a forward auth proxy with traefik, and if i request to

https://my-server/application/o/my-app/.well-known/openid-configuration

I get this response:

//[...]
    "form_post"
  ],
  "jwks_uri": "https://my-server/application/o/my-app/jwks/",
  "grant_types_supported": [
    "authorization_code",
//[...]

But if i try to access that jwks endpoint i get {} as a response.

To Reproduce Steps to reproduce the behavior:

  1. Follow this https://goauthentik.io/docs/providers/proxy/server_traefik
  2. Then create a normal forward auth app.

Expected behavior The JWKS should not look like that.

Version and Deployment (please complete the following information):

Logs image

Additional context I already read something about that here https://github.com/goauthentik/authentik/issues/3909 which is closed and marked as fixed with this merge https://github.com/goauthentik/authentik/pull/4480, but whats wondering me is that the changes made theyr are not any more in the file:

Here created: https://github.com/goauthentik/authentik/blob/c11367553e07e2762c0b4f9c5838119b9ecce96a/internal/outpost/proxyv2/application/endpoint.go

Here removed: https://github.com/goauthentik/authentik/blob/ef028af7d1876f3daa559d5ffe6919438c387632/internal/outpost/proxyv2/application/endpoint.go

But im not even sure if this originally fixed the issue as after downgrading to 2023.4.1 the issue also exists.

Edit: I checked now also 2023.1.0 with a complete fresh installation and the issue exists also there.

BeryJu commented 1 year ago

The root cause for this is described in #3909

The proxy outpost used to use an RSA key to sign the JWTs, but that was changed a while ago since authentik currently doesn't have a way to seamlessly rotate certificates, so when the JWT certificate would expire, it would cause issues

Hence the current JWT is signed via HS256

In the future we'll add a way to have certificate successors to allow this certificate change more seamlessly, and then the providers JWTs will be signed with RS256 again

scolastico commented 1 year ago

I wholeheartedly concur that the implementation of the proposed feature or the rectification of the identified bug is of critical importance. Implementing a mechanism that allows us to cross-verify the JSON Web Token (JWT) from the x-authentik-jwt header against a JSON Web Key Set (JWKS) could significantly enhance the security of our system. This would allow us to establish a true zero-trust environment, which is vital in modern cyber-security landscape.

Expanding on why this is crucial, let's understand the potential issues of solely relying on middlewares:

Middlewares serve as intermediaries between the application and the network, responsible for processing requests and responses. While they can handle a significant portion of security requirements, including the initial authentication checks, their default behavior does not guarantee total security.

Firstly, middlewares can be a target for attackers. If they manage to exploit a vulnerability in the middleware, they could bypass security controls and gain access to sensitive data or systems. This is especially concerning in complex systems where updates and security patches for middlewares might not be as frequent or thorough as needed.

Secondly, just trusting the middleware could lead to single-point failures. If the middleware crashes or becomes unavailable, it could lead to loss of service or data breaches. This is where a zero-trust model is especially beneficial.

Implementing JWT validation against a JWKS, as i've suggested, adds an additional layer of security. JWKS are collections of cryptographic keys that contain key-value pairs representing a public key that should be used to verify incoming JWTs. By cross-verifying the JWT against a JWKS, we create a decentralized trust mechanism. This minimizes the reliance on middlewares and creates multiple points of validation, reducing the chances of unauthorized access and data breaches.

Overall, it's not about completely eliminating trust in middlewares, but rather distributing trust across several security measures to enhance the resilience and integrity of our system.

authentik-automation[bot] commented 1 year ago

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.