travisghansen / external-auth-server

easy auth for reverse proxies
MIT License

"bad decrypt" on client connect (envoy/ext_authz <-> eas) #116

Closed nonefaken closed 3 years ago

nonefaken commented 3 years ago

Hello,

I'm trying to set up an OAuth-based PoC with Okta, envoy.filters.http.ext_authz and eas.

On web client connect to the Envoy proxy, the EAS server logs the following:

docker logs -f eas
info: revoked JTIs: []
info: starting server on port 8080
info: starting verify pipeline
error: error:06065064:digital envelope routines:EVP_DecryptFinal_ex:bad decrypt {"stack":"Error: error:06065064:digital envelope routines:EVP_DecryptFinal_ex:bad decrypt\n    at Object.decrypt (/home/eas/app/src/utils.js:82:11)\n    at verifyHandler (/home/eas/app/src/server.js:124:46)\n    at /home/eas/app/src/server.js:559:3\n    at Layer.handle [as handle_request] (/home/eas/app/node_modules/express/lib/router/layer.js:95:5)\n    at next (/home/eas/app/node_modules/express/lib/router/route.js:137:13)\n    at next (/home/eas/app/node_modules/express/lib/router/route.js:131:14)\n    at next (/home/eas/app/node_modules/express/lib/router/route.js:131:14)\n    at next (/home/eas/app/node_modules/express/lib/router/route.js:131:14)\n    at next (/home/eas/app/node_modules/express/lib/router/route.js:131:14)\n    at next (/home/eas/app/node_modules/express/lib/router/route.js:131:14)"}
(node:19) [DEP0106] DeprecationWarning: crypto.createDecipher is deprecated.

As I understand it, this could be due to a bad key, but the command executed to generate the config_token matches the keys in docker-compose:

EAS_CONFIG_TOKEN_SIGN_SECRET=foo EAS_CONFIG_TOKEN_ENCRYPT_SECRET=bar node bin/generate-config-token.js
encrypted token (for server-side usage): tsUdAn/pNXvl58Uon2IzB....cd1/nAN78tbnz3tw1Zo

URL safe config_token: tsUdAn%2FpNXvl58Uon2IzBS%2FZdb.........bnz3tw1Zo

(node:56130) [DEP0106] DeprecationWarning: crypto.createCipher is deprecated.
(Use `node --trace-deprecation ...` to show where the warning was created)

Node version on device which was used to generate config_token:

node --version
v16.5.0

I tried older Node versions, but it results in the same error, just without the deprecated cipher warning.

Any suggestions as to what I could be doing wrong?

Thank you!

---cut-----------------------------------------

ExtAuthz config:

          http_filters:
          - name: envoy.filters.http.ext_authz
            typed_config:
              "@type": type.googleapis.com/envoy.extensions.filters.http.ext_authz.v3.ExtAuthz
              transport_api_version: V3
              http_service:
                authorizationRequest:
                  allowedHeaders:
                    patterns:
                      - exact: cookie
                      - exact: X-Forwarded-Host
                      - exact: X-Forwarded-Method
                      - exact: X-Forwarded-Proto
                      - exact: X-Forwarded-Uri
                  headers_to_add:
                    - key: "x-eas-verify-params"
                      value: '{"config_token":"---deleted---"}'
                pathPrefix: /envoy/verify-params-header
                serverUri:
                  cluster: eas
                  timeout: 2.25s
                  uri: http://eas:8080

EAS server docker-compose:

  eas:
    image: travisghansen/external-auth-server
    container_name: eas
    environment:
      - EAS_CONFIG_TOKEN_SIGN_SECRET="foo"
      - EAS_CONFIG_TOKEN_ENCRYPT_SECRET="bar"
      - EAS_ISSUER_SIGN_SECRET="super secret"
      - EAS_ISSUER_ENCRYPT_SECRET="blah"
      - EAS_COOKIE_SIGN_SECRET="hello world"
      - EAS_COOKIE_ENCRYPT_SECRET="something"
      - EAS_SESSION_ENCRYPT_SECRET="baz"
      - EAS_CONFIG_TOKEN_STORES="{}"
#      - EAS_LOG_LEVEL="info"
      - EAS_PORT=8080
    ports:
      - 8080:8080

generate-config-token.js:

const jwt = require("jsonwebtoken");
const utils = require("../src/utils");

const config_token_sign_secret =
  process.env.EAS_CONFIG_TOKEN_SIGN_SECRET ||
  utils.exit_failure("missing EAS_CONFIG_TOKEN_SIGN_SECRET env variable");
const config_token_encrypt_secret =
  process.env.EAS_CONFIG_TOKEN_ENCRYPT_SECRET ||
  utils.exit_failure("missing EAS_CONFIG_TOKEN_ENCRYPT_SECRET env variable");

let config_token = {
  /**
   * future feature: allow blocking certain token IDs
   */
  //jti: <some known value>

  /**
   * using the same aud for multiple tokens allows sso for all services sharing the aud
   */
  aud: "---deleted---", //should be unique to prevent cookie/session hijacking, defaults to a hash unique to the whole config
  eas: {
    // list of plugin definitions, refer to PLUGINS.md for details
    plugins: [
      {
        type: "oauth2",
        issuer: {
          authorization_endpoint: "---deleted---/v1/authorize",
          token_endpoint: "---deleted---/v1/token"
        },
        client: {
          client_id: "---deleted---",
          client_secret: "---deleted---"
        },
        scopes: ["user"],
        /**
         * static redirect URI
         * if your oauth provider does not support wildcards place the URL configured in the provider (that will return to this proper service) here
         */
        redirect_uri: "https://localhost:10443/oauth/callback",
        features: {
          /**
           * if false cookies will be 'session' cookies
           * if true and cookies expire will expire with tokens
           */
          cookie_expiry: false,

          userinfo_expiry: 86400, // 24 hours

          /**
           * sessions become a floating window *if* tokens are being refreshed or userinfo being refreshed
           */
          session_expiry: 604800, // 7 days

          /**
           * if session_expiry is a number and this is set then sessions become a 'floating window'
           * if activity is triggered in this amount of time *before* the end of the
           * session then the expiration time is extended + session_expiry
           */
          session_expiry_refresh_window: 86400, // 24 hours

          /**
           * will re-use the same id (ie: same cookie) for a particular client if a session has expired
           */
          session_retain_id: true,

          /**
           * if the access token is expired and a refresh token is available, refresh
           */
          refresh_access_token: true,

          /**
           * fetch userinfo and include as X-Userinfo header to backing service
           */
          fetch_userinfo: true,

          userinfo: {
            provider: "github",
            config: {
              fetch_teams: true,
              fetch_organizations: true,
              fetch_emails: true
            }
          },

          /**
           * which token (if any) to send back to the proxy as the Authorization Bearer value
           * note the proxy must allow the token to be passed to the backend if desired
           *
           * possible values are access_token, or refresh_token
           */
          //authorization_token: "access_token"
        },
        assertions: {
          /**
           * assert the token(s) has not expired
           */
          exp: true
        },
        cookie: {
          name: "_eas_localhost_session_", //default is _oeas_oauth_session
          domain: "localhost_domain" //defaults to request domain, could do sso with more generic domain
          //path: "/",
        }
      }
    ]
  }
};

config_token = jwt.sign(config_token, config_token_sign_secret);
const config_token_encrypted = utils.encrypt(
  config_token_encrypt_secret,
  config_token
);

//console.log("token: %s", config_token);
//console.log("");

console.log("encrypted token (for server-side usage): %s", config_token_encrypted);
console.log("");

console.log(
  "URL safe config_token: %s",
  encodeURIComponent(config_token_encrypted)
);
console.log("");

travisghansen commented 3 years ago

Welcome! We should be able to get you going without too much trouble. Did you put the URL safe version in the JSON by chance?

Maybe set the log level to debug or even silly and send over the logs.

nonefaken commented 3 years ago

Hi!

I tried the URL safe version as well, but Envoy would close with an error:

envoy-okta-front                  | [2021-07-16 15:41:21.833][1][critical][main] [source/server/server.cc:114] error initializing configuration '/etc/envoy/envoy-front.yaml': field '2FyjIZMgX3V7' not supported as custom header
envoy-okta-front                  | [2021-07-16 15:41:21.834][1][info][main] [source/server/server.cc:861] exiting
envoy-okta-front                  | field '2FyjIZMgX3V7' not supported as custom header
^CGracefully stopping... (press Ctrl+C again to force)

If I set debug or silly it logs even less:

Recreating eas ... 
Recreating eas ... done
Attaching to eas

eas                               | (node:19) [DEP0106] DeprecationWarning: crypto.createDecipher is deprecated.

I only get more logging if I do not declare EAS_LOG_LEVEL.

Also tried image: travisghansen/external-auth-server:v0.10.1

nonefaken commented 3 years ago

One moment. I think something is bad in my docker-compose, so logging does not work, as running just with docker runs in debug mode.

nonefaken commented 3 years ago

Attaching silly logs. Just in case, I changed the SECRETs.

eas                               | debug: cache opts: {"store":"memory","max":0,"ttl":0}

eas                               | info: revoked JTIs: []
eas                               | info: starting server on port 8080

eas                               | silly: verify request details: {"url":"/envoy/verify-params-header/","params":{"0":"/","1":""},"query":{},"http_method":"GET","http_version":"1.1","headers":{"host":"localhost:10443","content-length":"0","x-eas-verify-params":"{\"config_token\":\"OCfdG9hMSImFixIxz2UYxAENlZoqal6tB8l3B2iIFXMVfpmwIpWq3yOtRkAMMWPtXW/yjIZMgX3V7+MvfaYn/JRimQ9soW0jV0tqkTM0IE6d2XXrddmolvW7j6XQis29lUOOTod1u6ZWF5NFBGLONz2B3ozxRd5tovY+VREUybTERFs/6zGnIlFJ2L7tcvNwF84SvOqTdDx4unBMgVrX1D/p/aE89L+rcvMW91TfoVBt/Pr9UGgX8iyERTVC60nDae09kHtBYyBgSxwoeTmwxdr08A4kXvus/ZGY7Lk6/l04+6DUljiKemcvb3ctBm6hUdKqzVqSe9qWJXUu4WnCaOFs/UsxtATOnccHj/nxdzEKeE+SW9TgzKPjsJlyf5mQWwuX+1GOS8HFgrHQbx0f17ZUh+1RXH0prt5mW+NcRle9hebgB3MO1RzOLcLLW0mIbAN5FIWRLcB8IMCcLWA8gBV7duvzcIoOKgdCRo6fFTvtNJz4BhlD05a39UsdENtHWXzioet8p5ofsqkXM1nykdn1VOr+4UqDGO+KslG4SMSgSda70LCFv1Sjvhu/ZK+ZAulTSQnwEGxkOzyyI7Rbm3WUSKGEKgfcoIxLf2RKX8kXRBzww+orI75lk5X23M63utcr8oTkY6pphXawOJTSL6uGTHAhrEx96YJmR4I+RTYtCNHB3fjkx+Ziu/5lZN5fW6gkPEQcdE0TzEaANjTW2xPjA1haVI2oY1m1OF9HeJpra7iPKkndkAW70/3gGb1H9G+34kzlrfyshnevsY9sMvdVfW1Fb1t10MiQ4HuNdg3meJu2Rz1zwa8TzW7CpgXFpV4UDh/c7a67yxafeIOtImbPB1KCHwbehsKttyQZbCnqsvVpbi+gXPBxDf3tQSMNXiB0NGrniYhj3cNeNXieVoGNZIBymQynDmDQEWMerUdYcRt2W/b6vrl4dVe5CtE4OQ4G20r6mTLi/1+EPG4GFdtFn8ZceUp0tHbgeI3NBFgbBcPC2+5YoqPDthwpsZ6Do2dMRaKUd4bayHNM9o/OLRMlBA+MC+5CH/aZ1r4vm4JrasUkwTjypUkjMWOTCrXcz6rvfO4h3Bq5xdLqA0P5N5q/rtCYjm9sVMn/wn0De0KCkqdSp/0fEnadHSEKiYdm8QBJXsyIa11nxdtl04O5NHV03ZuarxQ0aKTOowsgpsy7DmNyb45n7oaQqWHoF88AaQ2B2P0+Xj4o/wDXM8Y7OVqsmaDwshVvZJ4NjfySrh+XQWscdfH/WFcaTBvqxYGgAsMTdzSLKmHL+IIJSPA24KHSbWe8U6hASykuZWeocquREYw5LPWHXTgvH/rBgprkgKichxcYwoK4N5u+6kTEkx6m+mS9INBTcY5UqqPEWlnhahR5FwkbSkg+odED1a18TDjxIVUVJi9qA6ASRQH++i7gIhXyXbIATJiEp0yZeLwLhfOZwQRIXM0amoA+bB6zWnzK6V4DdniWFNkv7IIBdCJ4B9xM7hQO5iIJOQwkEUa94HPX8pkk8x/hUxCpfoIKt1UmMArRyT/Q5elDyjYVb554gqfkApEf8WmnL12bGKtwOzHBbmFzMHt6yNoUSosALuP/OfioXXgzYUqfX52S91my7NtFsbXjXM+K1N/qbz07gzSoInlLLWThEwsg6+QA\"}","x-b3-traceid":"a94aa8fbf2e4239b","x-b3-spanid":
"4239687ac54cd982","x-b3-parentspanid":"a94aa8fbf2e4239b","x-b3-sampled":"1","x-envoy-internal":"true","x-forwarded-for":"172.31.0.2","x-envoy-expected-rq-timeout-ms":"2250","x-forwarded-uri":"/","x-forwarded-method":"GET"},"body":{}}
eas                               | info: starting verify pipeline
eas                               | silly: verify params: {"config_token":"..."}
eas                               | error: error:06065064:digital envelope routines:EVP_DecryptFinal_ex:bad decrypt {"stack":"Error: error:06065064:digital envelope routines:EVP_DecryptFinal_ex:bad decrypt\n    at Object.decrypt (/home/eas/app/src/utils.js:82:11)\n    at verifyHandler (/home/eas/app/src/server.js:124:46)\n    at /home/eas/app/src/server.js:559:3\n    at Layer.handle [as handle_request] (/home/eas/app/node_modules/express/lib/router/layer.js:95:5)\n    at next (/home/eas/app/node_modules/express/lib/router/route.js:137:13)\n    at next (/home/eas/app/node_modules/express/lib/router/route.js:131:14)\n    at next (/home/eas/app/node_modules/express/lib/router/route.js:131:14)\n    at next (/home/eas/app/node_modules/express/lib/router/route.js:131:14)\n    at next (/home/eas/app/node_modules/express/lib/router/route.js:131:14)\n    at next (/home/eas/app/node_modules/express/lib/router/route.js:131:14)"}
eas                               | (node:19) [DEP0106] DeprecationWarning: crypto.createDecipher is deprecated.

travisghansen commented 3 years ago

The URL safe version is not what you'd want in the JSON data. You may even need to further JSON encode the encrypted token to make it a valid JSON value as well.

nonefaken commented 3 years ago

Affirmative. I just tried URL safe after I got the error with "encrypted token (for server-side usage)".

nonefaken commented 3 years ago

Now I think I did not get it. So should I use the URL safe version, but just encode it before putting it into the Envoy config?

travisghansen commented 3 years ago

No, the URL safe version should not be used. It appears that indeed the config/JSON is valid. You must have a mismatch of encryption keys. Can you send over the exact command you used to generate the config token?

nonefaken commented 3 years ago

cmd:

EAS_CONFIG_TOKEN_SIGN_SECRET=foo EAS_CONFIG_TOKEN_ENCRYPT_SECRET=bar node bin/generate-config-token.js
encrypted token (for server-side usage): ...

URL safe config_token: tsUdAn%2FpNXvl58Uon2IzBS%2FZdbKZnQzXMlgba9f6ZbDZkpW%2FB52IJvKUEKwr81l%2BmR%2FILBwOlhiAZHdHkxiV7nUjSCap%2FR4VzBcrE5FdFpBSWICXYC7KZ0WPiVDKW77hDhkIgwBvmAZtu9hdQdWR0Qsubv%2FsgziWNmLCdF44KvcCn6dnWcqX3%2FCMmNEMXyGuCmWsaQEi1BwHvSbfNk0CZ9Uvh79OvQFFMJ0fQEWz%2B1YDI1WDS%2Fx2pBzilPihK5EvZhixrameeS%2Ftr8gdLG77rZgl%2Ff2g%2B0xujScnzg%2FLthkGlWWjeJum9U86Uec4pm8TRmmPRyjjb8Yz3l61HZqYoFdD4Gd8LyBGUZDsJoQj%2BkA%2FqvM61H3EVPyBS6E9R8p9V9ALAqWw4Ea4WXzK99ensdphg8wbmBOn3E%2B8%2BIfMV7DL%2Fa8eSlvRVM%2F1Dw3ajck2sYixIw13bsk41OqI4xpykYhllHdCpZXaQGVPIDczCQStWxcv1CU72hDbxA%2FVWlOxYTf%2FLDiqEItg3RtaP2ppmLvu8FDKj4OrIsb%2B0ZeultLIp%2BJ2Pwmvfe6FhshmKZZp6fZ6%2FpaTArDAkUG3Pm%2FrWTfFb0FkQEP9QO1tjPSh839oVXU3LdXYP9mHP6W86fwnNPeanJeFtLOIo9f%2BBjf%2Bp%2BztEYs7%2FcdR9KXEDsX8atGmK%2BXEmYSFKU7aZU8C2OZ6pVreCGFvEoOtngJwFsTAfLA%2FpMxiKQhk%2BCpWTasHkqK%2B6qKKLG3YRWeQjnBgJDkAfYK4AJqgU1JxFeu5XzSS5xEE06u6Ul2zvz7%2BrB8e%2BCIxxeoTuKJwbjtUMUFQAbfP0pu85g1oS1Ov2CBNSywzfLM1pT0e68fSLy4JA1Pf8SmMDcOddrynhinYcrN%2F%2BOHUs7wHbVOP5kK0NdF%2FXzTF0onuIIcjdCbWoSV%2FTTPyovSKMG0grh6L3nYj31mppgenbmYQT4Vyr4ZnR82xK2dizYRmT8Jc3OdHbbN6iVYFhQ8dJj8seKaxcsdzOfeuSIsJCO1MpwJOFoObrNJtu0wymW%2BPAhYOlkKmYAvQkWN0bF71fBDoYI4IMA1eOw2AxYFsK6G1DGwi4eraFFsiL8Nwwtgapf0LK9T9CWHn%2FMuVUYaUMor5d7FyBIoT5KfN08PYt0Ah%2F%2By5m9N8IKMmQliKQntMCiBQfDhvuO2pAInBEI%2Fs5VNn9QR9AXgZsXgBtDfM8Gz41kg%2FUfvZBg%2BqbL6W42CZTJmXh%2BWLWTS7eo1vuQ5dx3SiVqPQ81urBxxvgFYY%2ByHCl9wMu%2Fp%2FaOOCIBqnqy9g0lOaRKXld3Lybmp78EyOGkqsnC5%2B64nYAZCnMTsMoo%2B8nM6sNs8beisOSrcR%2F7sMNuhRfMf9f3sCpigsId%2F7M6xGcqJtf%2FHykOo5L%2F9s4wcUkUOKyoLkAp%2Bq2Uibmzfv9kVHyU2uOyjwTpULgSjOaxNV6C7d2fNR1IoTGpHL6VbLaTOtmc8lUcT2rM4o9QMHhF4buHiwMt8MxE9nVhnyI7q0LppH0O3PY05mj83vZHrJfHAORcG4kulwGPpTkTsodX55wkcpoKS8f7iaV6E%3D

(node:57795) [DEP0106] DeprecationWarning: crypto.createCipher is deprecated.
(Use `node --trace-deprecation ...` to show where the warning was created)

Logs from EAS:

---deleted---as-was-wrong-config---
nonefaken commented 3 years ago

Sorry, updated logs from the EAS server, as I forgot to update the SECRETS in docker-compose:

eas                               | debug: cache opts: {"store":"memory","max":0,"ttl":0}

eas                               | info: revoked JTIs: []
eas                               | info: starting server on port 8080

eas                               | silly: verify request details: {"url":"/envoy/verify-params-header/","params":{"0":"/","1":""},"query":{},"http_method":"GET","http_version":"1.1","headers":{"host":"localhost:10443","content-length":"0","x-eas-verify-params":"{\"config_token\":\"...\"}","x-b3-traceid":"b5579ff92013656a","x-b3-spanid":"f6b5efe20893a0af","x-b3-parentspanid":"b5579ff92013656a","x-b3-sampled":"1","x-envoy-internal":"true","x-forwarded-for":"172.31.0.2","x-envoy-expected-rq-timeout-ms":"2250","x-forwarded-uri":"/","x-forwarded-method":"GET"},"body":{}}
eas                               | info: starting verify pipeline
eas                               | silly: verify params: {"config_token":"tsUdAn/pNXvl58Uon2IzBS/ZdbKZnQzXMlgba9f6ZbDZkpW/B52IJvKUEKwr81l+mR/ILBwOlhiAZHdHkxiV7nUjSCap/R4VzBcrE5FdFpBSWICXYC7KZ0WPiVDKW77hDhkIgwBvmAZtu9hdQdWR0Qsubv/sgziWNmLCdF44KvcCn6dnWcqX3/CMmNEMXyGuCmWsaQEi1BwHvSbfNk0CZ9Uvh79OvQFFMJ0fQEWz+1YDI1WDS/x2pBzilPihK5EvZhixrameeS/tr8gdLG77rZgl/f2g+0xujScnzg/LthkGlWWjeJum9U86Uec4pm8TRmmPRyjjb8Yz3l61HZqYoFdD4Gd8LyBGUZDsJoQj+kA/qvM61H3EVPyBS6E9R8p9V9ALAqWw4Ea4WXzK99ensdphg8wbmBOn3E+8+IfMV7DL/a8eSlvRVM/1Dw3ajck2sYixIw13bsk41OqI4xpykYhllHdCpZXaQGVPIDczCQStWxcv1CU72hDbxA/VWlOxYTf/LDiqEItg3RtaP2ppmLvu8FDKj4OrIsb+0ZeultLIp+J2Pwmvfe6FhshmKZZp6fZ6/paTArDAkUG3Pm/rWTfFb0FkQEP9QO1tjPSh839oVXU3LdXYP9mHP6W86fwnNPeanJeFtLOIo9f+Bjf+p+ztEYs7/cdR9KXEDsX8atGmK+XEmYSFKU7aZU8C2OZ6pVreCGFvEoOtngJwFsTAfLA/pMxiKQhk+CpWTasHkqK+6qKKLG3YRWeQjnBgJDkAfYK4AJqgU1JxFeu5XzSS5xEE06u6Ul2zvz7+rB8e+CIxxeoTuKJwbjtUMUFQAbfP0pu85g1oS1Ov2CBNSywzfLM1pT0e68fSLy4JA1Pf8SmMDcOddrynhinYcrN/+OHUs7wHbVOP5kK0NdF/XzTF0onuIIcjdCbWoSV/TTPyovSKMG0grh6L3nYj31mppgenbmYQT4Vyr4ZnR82xK2dizYRmT8Jc3OdHbbN6iVYFhQ8dJj8seKaxcsdzOfeuSIsJCO1MpwJOFoObrNJtu0wymW+PAhYOlkKmYAvQkWN0bF71fBDoYI4IMA1eOw2AxYFsK6G1DGwi4eraFFsiL8Nwwtgapf0LK9T9CWHn/MuVUYaUMor5d7FyBIoT5KfN08PYt0Ah/+y5m9N8IKMmQliKQntMCiBQfDhvuO2pAInBEI/s5VNn9QR9AXgZsXgBtDfM8Gz41kg/UfvZBg+qbL6W42CZTJmXh+WLWTS7eo1vuQ5dx3SiVqPQ81urBxxvgFYY+yHCl9wMu/p/aOOCIBqnqy9g0lOaRKXld3Lybmp78EyOGkqsnC5+64nYAZCnMTsMoo+8nM6sNs8beisOSrcR/7sMNuhRfMf9f3sCpigsId/7M6xGcqJtf/HykOo5L/9s4wcUkUOKyoLkAp+q2Uibmzfv9kVHyU2uOyjwTpULgSjOaxNV6C7d2fNR1IoTGpHL6VbLaTOtmc8lUcT2rM4o9QMHhF4buHiwMt8MxE9nVhnyI7q0LppH0O3PY05mj83vZHrJfHAORcG4kulwGPpTkTsodX55wkcpoKS8f7iaV6E="}
eas                               | error: error:06065064:digital envelope routines:EVP_DecryptFinal_ex:bad decrypt {"stack":"Error: error:06065064:digital envelope routines:EVP_DecryptFinal_ex:bad decrypt\n    at Object.decrypt (/home/eas/app/src/utils.js:82:11)\n    at verifyHandler (/home/eas/app/src/server.js:124:46)\n    at /home/eas/app/src/server.js:559:3\n    at Layer.handle [as handle_request] (/home/eas/app/node_modules/express/lib/router/layer.js:95:5)\n    at next (/home/eas/app/node_modules/express/lib/router/route.js:137:13)\n    at next (/home/eas/app/node_modules/express/lib/router/route.js:131:14)\n    at next (/home/eas/app/node_modules/express/lib/router/route.js:131:14)\n    at next (/home/eas/app/node_modules/express/lib/router/route.js:131:14)\n    at next (/home/eas/app/node_modules/express/lib/router/route.js:131:14)\n    at next (/home/eas/app/node_modules/express/lib/router/route.js:131:14)"}
eas                               | (node:19) [DEP0106] DeprecationWarning: crypto.createDecipher is deprecated.

nonefaken commented 3 years ago

I think I figured it out. In docker-compose the SECRET parameters were double quoted:

  eas:
    image: travisghansen/external-auth-server:v0.10.2
    container_name: eas
    environment:
      - EAS_CONFIG_TOKEN_SIGN_SECRET="foo"
      - EAS_CONFIG_TOKEN_ENCRYPT_SECRET="bar"

Removed the double quotes and can test further. Sorry for your time. It's totally my bad.

Unquoted SECRETs in docker-compose config work:

  eas:
    image: travisghansen/external-auth-server:v0.10.2
    container_name: eas
    environment:
      - EAS_CONFIG_TOKEN_SIGN_SECRET=foo
      - EAS_CONFIG_TOKEN_ENCRYPT_SECRET=bar

nonefaken commented 3 years ago

Great software project by the way! Thank you!

travisghansen commented 3 years ago

Awesome! Glad it's working. As an FYI I have a WIP to support the grpc interface with envoy instead of the http-style. I've been patiently waiting for a bug fix in node to come through but the outlook doesn't appear good so I'll just commit with the work-around I have in the next week or so.