istio-ecosystem / authservice

Move OIDC token acquisition out of your app code and into the Istio mesh
Apache License 2.0

JWT token validation fail #96

Closed anannaya closed 4 years ago

anannaya commented 4 years ago

I have added the sidecar at the istio ingress layer. The authservice container is running fine. Added the envoyfilter at the GATEWAY. Could you please help in rectifying the issue?

 logs  -n istio-system istio-ingressgateway-75cffcbc68-qlkkk -c authservice -f | head
[2020-05-14 07:34:18.107] [console] [info] Run: Server listening on 127.0.0.1:10003
[2020-05-14 07:34:18.107] [console] [trace] Creating processor state
[2020-05-14 07:35:18.107] [console] [info] operator(): Starting periodic cleanup (period of 60 seconds)
[2020-05-14 07:36:18.107] [console] [info] operator(): Starting periodic cleanup (period of 60 seconds)

cfryanr commented 4 years ago

Happy to help at istio.slack.com. See https://github.com/istio-ecosystem/authservice#contributing--contact for how to reach us there.

Since this isn't a bug or enhancement request, closing this github issue and moving the conversation to Slack.

anannaya commented 4 years ago

@cfryanr Kind of stuck after authorisation. Error from authservice app:

[2020-05-18 11:37:11.200] [console] [debug] Check: processing request https://grafana-k8s.anand.test.thunderhead.io/ with filter chain idp_filter_chain
[2020-05-18 11:37:11.201] [console] [debug] Call from @10.99.173.218 to CN=*.anand.test.thunderhead.io,O=anand.test Inc.@10.99.151.164
[2020-05-18 11:37:11.201] [console] [info] Process: Required tokens are not present. Sending user to re-authenticate.
[2020-05-18 11:37:13.170] [console] [debug] Check: processing request https://grafana-k8s.anand.test.thunderhead.io/login/generic_oauth?code=_31yCGWWl7zrYwqpQLRun6ScJRD5PfmWVS8AAADK&state=5l7T1TQLaP3C-eExPhxFp2Q_YZzyED_FGSgfDX0DIVk with filter chain idp_filter_chain
[2020-05-18 11:37:13.171] [console] [debug] Call from @10.99.173.218 to CN=*.anand.test.thunderhead.io,O=anand.test Inc.@10.99.151.164
[2020-05-18 11:37:13.171] [console] [info] Post: opening connection to cloudsso.cisco.com:443
[2020-05-18 11:37:13.756] [console] [info] IsIDTokenInvalid: `id_token` verification failed: Jwks doesn't have key to match kid or alg from Jwt
[2020-05-18 11:37:13.756] [console] [info] RetrieveToken: Invalid token response
[2020-05-18 11:37:14.460] [console] [debug] Check: processing request https://grafana-k8s.anand.test.thunderhead.io/favicon.ico with filter chain idp_filter_chain

Error from istio proxy trace

[Envoy (Epoch 0)] [2020-05-18 12:18:04.477][18][trace][connection] [external/envoy/source/common/network/raw_buffer_socket.cc:38] [C1] read error: Resource temporarily unavailable
[Envoy (Epoch 0)] [2020-05-18 12:18:04.477][18][trace][http] [external/envoy/source/common/http/http1/codec_impl.cc:409] [C1] parsing 107 bytes
[Envoy (Epoch 0)] [2020-05-18 12:18:04.477][18][trace][http] [external/envoy/source/common/http/http1/codec_impl.cc:561] [C1] message begin
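
An added example, not part of the original thread and not authservice's own code: a check for the `Jwks doesn't have key to match kid or alg from Jwt` error in the authservice log above. It decodes only the header of an `id_token` and reports why each key in the configured JWKS fails to match. The matching rule used here (kid, then the key's optional alg, then kty) is an assumption based on RFC 7515/7517/7518, and all function names and sample values are constructed for illustration.

```python
import base64
import json

# JWS alg prefix -> JWK key type it needs (RFC 7518).
ALG_KTY = {"RS": "RSA", "PS": "RSA", "ES": "EC", "HS": "oct"}

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def jwt_header(token: str) -> dict:
    """Decode only the JOSE header of a compact JWS; nothing is verified."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected 3 dot-separated segments")
    seg = parts[0]
    # base64url in JWTs is unpadded; restore padding before decoding.
    return json.loads(base64.urlsafe_b64decode(seg + "=" * (-len(seg) % 4)))

def diagnose(token: str, jwks: dict) -> list:
    """Return per-key mismatch reasons; an empty list means some key matches."""
    hdr = jwt_header(token)
    kid, alg = hdr.get("kid"), hdr.get("alg")
    want_kty = ALG_KTY.get(str(alg)[:2])
    reasons = []
    for i, key in enumerate(jwks.get("keys", [])):
        name = key.get("kid", f"<key {i}, no kid>")
        if kid is not None and key.get("kid") != kid:
            reasons.append(f"{name}: kid differs from token kid {kid!r}")
        elif "alg" in key and key["alg"] != alg:
            reasons.append(f"{name}: key alg {key['alg']!r} != token alg {alg!r}")
        elif want_kty and key.get("kty") != want_kty:
            reasons.append(f"{name}: kty {key.get('kty')!r} cannot verify {alg!r}")
        else:
            return []  # this key is a candidate for signature verification
    return reasons or ["JWKS contains no keys"]

# Constructed sample data (not taken from the issue).
SAMPLE_TOKEN = ".".join([
    b64url(json.dumps({"alg": "RS256", "kid": "rotated-key"}).encode()),
    b64url(b"{}"), "sig"])
SAMPLE_JWKS = {"keys": [
    {"kty": "RSA", "kid": "old-key", "alg": "RS256"},
    {"kty": "RSA", "kid": "rotated-key", "alg": "RS512"},
]}

if __name__ == "__main__":
    for line in diagnose(SAMPLE_TOKEN, SAMPLE_JWKS):
        print(line)
```

To use it on a real deployment, pass the `id_token` returned by the IdP and the JWKS document that the filter chain is configured with; a non-empty result usually points to a stale or wrong JWKS in the configuration.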