istio / istio

Connect, secure, control, and observe services.
https://istio.io
Apache License 2.0

Authorization (RBAC) is broken in CORS Preflight Requests with JWT tokens #45716

Closed sschepens closed 11 months ago

sschepens commented 1 year ago

Is this the right place to submit this?

Bug Description

One cannot correctly Authorize CORS Preflight Requests when using JWT Tokens.

This happens because Istio is currently enabling bypass_cors_preflight as per this issue.

The problem is that bypass_cors_preflight skips all of the processing done by the jwt_authn filter and so does not provide metadata information for RBAC to use.

In our case we have our traffic using JWT tokens and we need to authorize requests with information in those tokens and we cannot do so for Preflight Requests because they contain no information, so we end up rejecting those requests. We could of course allow all Preflight Requests without authentication info but that is less than ideal.

We also cannot disable bypass_cors_preflight with an EnvoyFilter. My theory is that this is because it's a protobuf-native boolean field whose default value is false, so when we attempt to set that, Istio only sees an empty proto (it cannot distinguish whether it's been explicitly set to false).

My question is: why do we need to enable this flag, and why don't we instead put the CORS filter before JWT, since that was what was originally requested?

@howardjohn @yangminzhu

EDIT: clarification: we're not using VirtualService CorsPolicy; instead, CORS is currently handled directly by our applications.

Version

1.17

Additional Information

No response

Affected product area

naimadswdn commented 1 year ago

We are suffering exactly the same issue (even with CORS handled by our backend, not VirtualService). I am using Istio version 1.18.0.

To make it work, I had to add an additional rule to the AuthorizationPolicy:

apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: validate-jwt
  namespace: istio-system
spec:
  action: ALLOW
  selector:
    matchLabels:
      istio: ingress
  rules:
...
  # Disable JWT validation for preflight requests
  - to:
    - operation:
        hosts:
        - MY_HOST
        methods:
        - OPTIONS
...

The rule is disabling JWT validation for all OPTIONS requests, which is not ideal.

Can we change the order of the http filters as requested by the author?
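A narrower form of the OPTIONS carve-out shown in the comment above, added here as an illustration and not taken from the thread or from the Istio project. Istio's AuthorizationPolicy supports `when` conditions on request headers, so the unauthenticated ALLOW rule can be limited to requests that actually look like CORS preflights (an `Origin` from an allowed list plus an `Access-Control-Request-Method` header) instead of every OPTIONS request to the host. `MY_HOST`, the policy name and the allowed origin are placeholders; the policy assumes a RequestAuthentication for the gateway already exists so that `requestPrincipals` is populated for non-preflight traffic.

```yaml
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: jwt-with-cors-preflight   # placeholder name
  namespace: istio-system
spec:
  action: ALLOW
  selector:
    matchLabels:
      istio: ingress
  rules:
  # Regular traffic: jwt_authn has run, so a request principal is present.
  - from:
    - source:
        requestPrincipals:
        - "*"
    to:
    - operation:
        hosts:
        - MY_HOST                  # placeholder host
  # CORS preflight only. Because bypass_cors_preflight skips jwt_authn there
  # is no JWT metadata to check here, so match on the headers a browser
  # preflight always carries instead of on every OPTIONS request.
  - to:
    - operation:
        hosts:
        - MY_HOST                  # placeholder host
        methods:
        - OPTIONS
    when:
    - key: request.headers[Origin]
      values:
      - "https://app.example.com"  # placeholder: the front-end origin(s) you serve
    - key: request.headers[Access-Control-Request-Method]
      values:
      - "*"                        # header must be present, any value
```

Two points worth keeping in mind when applying a rule like this: a browser never attaches `Authorization` to a preflight, so no JWT could be validated on it even with bypass_cors_preflight disabled, and the actual request that follows still has to satisfy the first rule; and an OPTIONS request to an API that does not intend to answer preflights should still be rejected, which is why the rule does not allow OPTIONS on its own. In the original thread's setup the backend, not a VirtualService corsPolicy, still produces the preflight response, so the allowed-origin list here should mirror what the backend advertises.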

kyessenov commented 1 year ago

cc @kyessenov

istio-policy-bot commented 11 months ago

🚧 This issue or pull request has been closed due to not having had activity from an Istio team member since 2023-08-14. If you feel this issue or pull request deserves attention, please reopen the issue. Please see this wiki page for more information. Thank you for your contributions.

Created by the issue and PR lifecycle manager.

tilgovi commented 11 months ago

@kyessenov should we keep this open or is #47551 enough?

eduardobaitello commented 5 months ago

Any chance of getting this issue reopened?