dynamicMetadataFromClaims in oauth2 accesstokenvalidation does not work
huzlak opened this issue · comments
Gloo Edge Product
Enterprise
Gloo Edge Version
v1.16.4
Kubernetes Version
v1.24.0
Describe the bug
When I try to use dynamicMetadataFromClaims in oauth2 accesstokenValidation authconfig, no claim is added to the metadata.
Expected Behavior
I expect the claim to be added to dynamic metadata under the envoy.filters.http.ext_authz namespace and the key defined in the authconfig.
Steps to reproduce the bug
Example authconfig:

spec:
  configs:
  - oauth2:
      accessTokenValidation:
        dynamicMetadataFromClaims:
          email: email
        jwt:
          remoteJwks:
            url: http://172.18.9.2:8080/auth/realms/master/protocol/openid-connect/certs
Example of my decoded jwt token with email claim:

{
  "exp": 1711528446,
  "iat": 1711528386,
  "auth_time": 1711528046,
  "jti": "8ee74a85-5d90-42f1-ae18-9dc338dd7bde",
  "iss": "http://172.18.9.2:8080/auth/realms/master",
  "aud": "account",
  "sub": "c7ac8f49-4c34-42ae-8128-42ba3dfc201c",
  "typ": "Bearer",
  "azp": "cb983b9d-152f-4207-bf09-6c0307aa2788",
  "session_state": "a431da14-881c-4211-a574-b840ce72bdd7",
  "acr": "0",
  "realm_access": {
    "roles": [
      "offline_access",
      "uma_authorization"
    ]
  },
  "resource_access": {
    "account": {
      "roles": [
        "manage-account",
        "manage-account-links",
        "view-profile"
      ]
    }
  },
  "scope": "openid email profile",
  "email_verified": false,
  "preferred_username": "user1",
  "subscription": "enterprise",
  "email": "user1@acme.com",
  "group": "users"
}
When I make a request through a virtualservice protected with this authconfig, no metadata is logged in the access logs. Also, the ext-auth-service debug log only shows the default metadata with userId; no email claim is added. Example extauth log:
{"level":"debug","ts":"2024-03-27T16:14:39Z","logger":"ext-auth.ext-auth-service","msg":"Received auth request","version":"undefined","x-request-id":"4a84ed45-7d15-4c6a-ac04-651b9102713e","request":{"attributes":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.109.0.1","PortSpecifier":{"PortValue":18472}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.109.0.14","PortSpecifier":{"PortValue":8443}}}},"principal":"CN=petstore.example.com"},"context_extensions":{"config_id":"gloo-system.accesstoken","source_name":"gloo-system.gateway-proxy-listener-::-8443-gloo-system_vs2","source_type":"virtual_host"},"request":{"time":"2024-03-27T16:14:39Z","http":{"body":"","host":"httpbin.test2","fragment":"","method":"GET","path":"/get","scheme":"https","size":0,"query":"","protocol":"HTTP/2","id":"12868505326190030664","headers":{"x-request-id":"4a84ed45-7d15-4c6a-ac04-651b9102713e",":path":"/get",":authority":"httpbin.test2",":method":"GET","x-forwarded-proto":"https","authorization":"[redacted]","user-agent":"curl/7.81.0","accept":"*/*",":scheme":"https"}}}}}}
{"level":"debug","ts":"2024-03-27T16:14:39Z","logger":"ext-auth.ext-auth-service","msg":"dynamic metadata on response","version":"undefined","x-request-id":"4a84ed45-7d15-4c6a-ac04-651b9102713e","metadata":"fields:{key:\"userId\" value:{string_value:\"c9d446aa-4a48-4c43-aafb-47edb8695e01\"}}"}
Additional Environment Detail
No response
Additional Context
No response
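As an added illustration of the expected behaviour described in this issue (this is not code from the issue, from the reporter, or from Gloo), the following Python model validates a bearer token and derives ext_authz dynamic metadata from a mapping shaped like the `dynamicMetadataFromClaims` block above. It assumes an HS256 shared secret (Gloo validates against the remote JWKS instead), a claim set constructed from the decoded token in the issue, and that the default `userId` field is populated from `sub`; all three are assumptions of the model, not documented Gloo behaviour.

```python
import base64
import hashlib
import hmac
import json

# Envoy metadata namespace the reporter expects the claims under (from the issue text)
EXT_AUTHZ_NAMESPACE = "envoy.filters.http.ext_authz"

# Constructed sample: a subset of the decoded token shown in the issue
SAMPLE_CLAIMS = {
    "exp": 1711528446,
    "iat": 1711528386,
    "iss": "http://172.18.9.2:8080/auth/realms/master",
    "aud": "account",
    "sub": "c7ac8f49-4c34-42ae-8128-42ba3dfc201c",
    "scope": "openid email profile",
    "preferred_username": "user1",
    "subscription": "enterprise",
    "email": "user1@acme.com",
    "group": "users",
}

# Constructed secret for the HS256 model; Gloo validates against the JWKS URL instead
SAMPLE_SECRET = b"constructed-demo-secret-not-for-real-use"


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(segment: str) -> bytes:
    # JWT segments drop '=' padding; restore it or decoding fails on many inputs
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def mint_hs256_token(claims: dict, secret: bytes) -> str:
    """Build a compact JWS (header.payload.signature) signed with HMAC-SHA256."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    signing_input = f"{header}.{payload}"
    sig = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url_encode(sig)}"


def validate_hs256_token(token: str, secret: bytes, now: int) -> dict:
    """Check structure, algorithm, signature and expiry; return the claims on success."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token: expected three segments")
    header_seg, payload_seg, sig_seg = parts
    header = json.loads(_b64url_decode(header_seg))
    # Pin the algorithm server-side: the token must never choose how it is verified
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(secret, f"{header_seg}.{payload_seg}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_seg)):
        raise ValueError("signature mismatch")
    claims = json.loads(_b64url_decode(payload_seg))
    if "exp" not in claims or now >= claims["exp"]:
        raise ValueError("token expired")
    return claims


def dynamic_metadata_from_claims(claims: dict, mapping: dict) -> dict:
    """Map claims to ext_authz dynamic metadata, keyed as the authconfig names them.

    `mapping` mirrors the dynamicMetadataFromClaims block: metadata key -> claim name.
    Claims absent from the token are skipped rather than emitted as empty values.
    The userId field reproduces the default seen in the issue's log; filling it
    from `sub` is an assumption of this model, not documented Gloo behaviour.
    """
    fields = {"userId": claims.get("sub")}
    for metadata_key, claim_name in mapping.items():
        if claim_name in claims:
            fields[metadata_key] = claims[claim_name]
    return {EXT_AUTHZ_NAMESPACE: fields}


def metadata_for_request(token: str, secret: bytes, mapping: dict, now: int) -> dict:
    """Validate the bearer token, then derive the dynamic metadata for the request."""
    return dynamic_metadata_from_claims(validate_hs256_token(token, secret, now), mapping)


if __name__ == "__main__":
    token = mint_hs256_token(SAMPLE_CLAIMS, SAMPLE_SECRET)
    # 'now' is pinned just before the sample exp so the constructed token is still valid
    print(json.dumps(metadata_for_request(token, SAMPLE_SECRET, {"email": "email"}, now=1711528400), indent=2))
```

With the mapping `{"email": "email"}` the model yields `userId` plus `email` under `envoy.filters.http.ext_authz`, which is the shape the reporter expected to see in the "dynamic metadata on response" log line instead of `userId` alone. Validation runs before any metadata is derived, so an expired or tampered token contributes nothing to the access log.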
This feature is important for the Gloo Gateway portal. We'll encourage customers to use oauth2 tokens for API authentication, and this feature is important to allow them to add information to the access logs about who's using the API and to monetize their APIs based on that.