projectcontour / contour

Contour is a Kubernetes ingress controller using Envoy proxy.
https://projectcontour.io
Apache License 2.0

jwt verification skipped #6760

Open jayrlowe opened 2 days ago

jayrlowe commented 2 days ago

I have an AWS NLB with SSL offloading which sends that traffic to port 8080. The request flows through fine, but the JWT verification is not working. I would expect a 401, but get a 200 returned from the backend service.

I deployed contour onto EKS with the helm chart - v19.3.1

I would expect it to ask for a token with this request:

```shell
kubectl exec -it -n default curl-test -- curl -v \
  https://<redacted>/
```

This is my HTTPProxy.

```yaml
apiVersion: projectcontour.io/v1
kind: HTTPProxy
metadata:
  name: test-jwt-proxy
  namespace: default
spec:
  virtualhost:
    fqdn: <redacted>
    tls:
      secretName: test-jwt-tls-secret
    jwtProviders:
      - name: cognito
        default: true
        issuer: https://cognito-idp.<redacted>.amazonaws.com/<redacted>
        remoteJWKS:
          uri: https://cognito-idp.<redacted>.amazonaws.com/<redacted>/.well-known/jwks.json
        forwardJWT: true
  routes:
    - conditions:
      - prefix: /
      jwtVerificationPolicy:
        require: cognito
        disabled: false
      services:
        - name: test-jwt
          port: 80
      permitInsecure: true
```

github-actions[bot] commented 2 days ago

Hey @jayrlowe! Thanks for opening your first issue. We appreciate your contribution and welcome you to our community! We are glad to have you here and to have your input on Contour. You can also join us on our mailing list and in our channel in the Kubernetes Slack Workspace

jayrlowe commented 1 day ago

After reviewing the code, it looks like JWT verification won't work unless envoy terminates the TLS connection. I verified this was the case by setting up my NLB as a passthrough. So I guess this is more of a feature request now. Given that terminating TLS at a load balancer is a very common pattern, it would be nice to be able to use JWT verification without forcing TLS in the HTTPProxy.
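The failure mode described in this thread is that JWT verification is attached only to the TLS-terminating side of the listener, so a request that reaches Envoy over plain HTTP (here: NLB offloads TLS and forwards to port 8080, and the route carries `permitInsecure: true`) is never checked. Until that changes, a cheap guardrail is a manifest lint that flags any HTTPProxy where a route expects JWT enforcement but is also reachable insecurely, or where `jwtProviders` is set with no `tls` block at all. The following is an added example written for this issue, not Contour project code; it checks the HTTPProxy from the report (constructed here as a Python dict with the redacted values replaced by placeholders) and a hardened copy with `permitInsecure` removed. The function names `jwt_required` and `find_jwt_bypass` are this example's own.

```python
# Added example (not Contour code): lint HTTPProxy objects for the
# "JWT configured but reachable over plain HTTP" combination from this issue.
import copy

def jwt_required(route: dict, providers: list) -> bool:
    """True if Contour would be expected to enforce JWT on this route:
    an explicit `require`, or a provider marked `default: true` when the
    route sets no policy. An explicit `disabled: true` opts the route out."""
    policy = route.get("jwtVerificationPolicy") or {}
    if policy.get("disabled"):
        return False
    if policy.get("require"):
        return True
    return any(p.get("default") for p in providers)

def find_jwt_bypass(httpproxy: dict) -> list:
    """Return human-readable findings for routes whose JWT check can be
    bypassed because the request never goes through the TLS listener."""
    spec = httpproxy.get("spec") or {}
    vhost = spec.get("virtualhost") or {}
    providers = vhost.get("jwtProviders") or []
    findings = []
    if not providers:
        return findings  # no JWT config at all, nothing to enforce
    meta = httpproxy.get("metadata") or {}
    name = f'{meta.get("namespace", "default")}/{meta.get("name", "?")}'
    if not vhost.get("tls"):
        findings.append(f"{name}: jwtProviders set but virtualhost has no tls; "
                        "verification is only applied on the TLS listener")
    for idx, route in enumerate(spec.get("routes") or []):
        if jwt_required(route, providers) and route.get("permitInsecure"):
            prefixes = [c["prefix"] for c in route.get("conditions") or []
                        if "prefix" in c]
            findings.append(f"{name}: route {idx} {prefixes} requires JWT but "
                            "permitInsecure: true lets plain-HTTP requests bypass it")
    return findings

# Constructed copy of the HTTPProxy from the issue (redacted values are placeholders).
ISSUE_PROXY = {
    "apiVersion": "projectcontour.io/v1",
    "kind": "HTTPProxy",
    "metadata": {"name": "test-jwt-proxy", "namespace": "default"},
    "spec": {
        "virtualhost": {
            "fqdn": "app.example.invalid",
            "tls": {"secretName": "test-jwt-tls-secret"},
            "jwtProviders": [{
                "name": "cognito",
                "default": True,
                "issuer": "https://cognito-idp.REGION.amazonaws.com/POOL_ID",
                "remoteJWKS": {"uri": "https://cognito-idp.REGION.amazonaws.com/POOL_ID/.well-known/jwks.json"},
                "forwardJWT": True,
            }],
        },
        "routes": [{
            "conditions": [{"prefix": "/"}],
            "jwtVerificationPolicy": {"require": "cognito", "disabled": False},
            "services": [{"name": "test-jwt", "port": 80}],
            "permitInsecure": True,
        }],
    },
}

# Hardened variant: same proxy with the insecure path closed, so every request
# must arrive on the TLS listener where the JWT filter runs.
HARDENED_PROXY = copy.deepcopy(ISSUE_PROXY)
HARDENED_PROXY["spec"]["routes"][0].pop("permitInsecure")

if __name__ == "__main__":
    for label, doc in (("issue", ISSUE_PROXY), ("hardened", HARDENED_PROXY)):
        print(f"{label}: {find_jwt_bypass(doc) or 'no findings'}")
```

Run against the reported manifest the lint produces one finding for route 0; against the hardened copy it produces none. Closing `permitInsecure` does not by itself fix the reporter's NLB-offload topology (the plain-HTTP hop from the NLB would then be rejected rather than silently unverified), which is the point: the check surfaces the gap instead of letting a 200 stand in for a 401.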