solo-io / gloo

The Feature-rich, Kubernetes-native, Next-Generation API Gateway Built on Envoy

Home Page:https://docs.solo.io/

dynamicMetadataFromClaims in oauth2 accessTokenValidation does not work

huzlak opened this issue · comments

Gloo Edge Product

Enterprise

Gloo Edge Version

v1.16.4

Kubernetes Version

v1.24.0

Describe the bug

When I try to use dynamicMetadataFromClaims in an oauth2 accessTokenValidation authconfig, no claim is added to the metadata.

Expected Behavior

I expect the claim to be added to the dynamic metadata under the envoy.filters.http.ext_authz namespace, with the key defined in the authconfig.

Steps to reproduce the bug

Example authconfig:

spec:
  configs:
  - oauth2:
      accessTokenValidation:
        dynamicMetadataFromClaims:
          email: email
        jwt:
          remoteJwks:
            url: http://172.18.9.2:8080/auth/realms/master/protocol/openid-connect/certs

Example of my decoded jwt token with email claim:

{
  "exp": 1711528446,
  "iat": 1711528386,
  "auth_time": 1711528046,
  "jti": "8ee74a85-5d90-42f1-ae18-9dc338dd7bde",
  "iss": "http://172.18.9.2:8080/auth/realms/master",
  "aud": "account",
  "sub": "c7ac8f49-4c34-42ae-8128-42ba3dfc201c",
  "typ": "Bearer",
  "azp": "cb983b9d-152f-4207-bf09-6c0307aa2788",
  "session_state": "a431da14-881c-4211-a574-b840ce72bdd7",
  "acr": "0",
  "realm_access": {
    "roles": [
      "offline_access",
      "uma_authorization"
    ]
  },
  "resource_access": {
    "account": {
      "roles": [
        "manage-account",
        "manage-account-links",
        "view-profile"
      ]
    }
  },
  "scope": "openid email profile",
  "email_verified": false,
  "preferred_username": "user1",
  "subscription": "enterprise",
  "email": "user1@acme.com",
  "group": "users"
}

When I make a request through a virtualservice protected with this authconfig, no metadata is logged in the access logs. Also, the ext-auth-service debug log only shows the default metadata with userId; no email claim is added. Example extauth log:

{"level":"debug","ts":"2024-03-27T16:14:39Z","logger":"ext-auth.ext-auth-service","msg":"Received auth request","version":"undefined","x-request-id":"4a84ed45-7d15-4c6a-ac04-651b9102713e","request":{"attributes":{"source":{"address":{"Address":{"SocketAddress":{"address":"10.109.0.1","PortSpecifier":{"PortValue":18472}}}}},"destination":{"address":{"Address":{"SocketAddress":{"address":"10.109.0.14","PortSpecifier":{"PortValue":8443}}}},"principal":"CN=petstore.example.com"},"context_extensions":{"config_id":"gloo-system.accesstoken","source_name":"gloo-system.gateway-proxy-listener-::-8443-gloo-system_vs2","source_type":"virtual_host"},"request":{"time":"2024-03-27T16:14:39Z","http":{"body":"","host":"httpbin.test2","fragment":"","method":"GET","path":"/get","scheme":"https","size":0,"query":"","protocol":"HTTP/2","id":"12868505326190030664","headers":{"x-request-id":"4a84ed45-7d15-4c6a-ac04-651b9102713e",":path":"/get",":authority":"httpbin.test2",":method":"GET","x-forwarded-proto":"https","authorization":"[redacted]","user-agent":"curl/7.81.0","accept":"*/*",":scheme":"https"}}}}}}
{"level":"debug","ts":"2024-03-27T16:14:39Z","logger":"ext-auth.ext-auth-service","msg":"dynamic metadata on response","version":"undefined","x-request-id":"4a84ed45-7d15-4c6a-ac04-651b9102713e","metadata":"fields:{key:\"userId\"  value:{string_value:\"c9d446aa-4a48-4c43-aafb-47edb8695e01\"}}"}

Additional Environment Detail

No response

Additional Context

No response
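The following script is an added example for checking this reproduction, not code from the Gloo project or the issue author. It takes the dynamicMetadataFromClaims mapping and the decoded claims from the report above, computes the dynamic metadata that mapping should emit, parses the "dynamic metadata on response" line from the ext-auth-service debug log (the JSON record carries the metadata as protobuf text format), and reports which expected keys are absent. It assumes the map's key is the metadata key and its value is the claim name to copy; for the `email: email` mapping in the issue both readings give the same result. The JWT helper only decodes the payload for inspection and does not verify the signature; the sample token is constructed for the example.

```python
"""Verify that an ext-auth debug log line carries the dynamic metadata a
dynamicMetadataFromClaims mapping should have produced.

Added example for this issue; not code from the Gloo project.
"""
import base64
import json
import re
from typing import Dict, List

# Mapping copied from the issue's authconfig.
# Assumption: key = dynamic metadata key, value = JWT claim name to copy.
DYNAMIC_METADATA_FROM_CLAIMS = {"email": "email"}

# Subset of the decoded JWT claims quoted in the issue.
CLAIMS = {
    "sub": "c7ac8f49-4c34-42ae-8128-42ba3dfc201c",
    "preferred_username": "user1",
    "email": "user1@acme.com",
    "group": "users",
}

# Constructed, unsigned sample token whose payload is {"email":"user1@acme.com"}.
SAMPLE_JWT = "eyJhbGciOiJub25lIn0.eyJlbWFpbCI6InVzZXIxQGFjbWUuY29tIn0.sig"

# The "dynamic metadata on response" line quoted in the issue.
EXT_AUTH_LOG_LINE = (
    '{"level":"debug","ts":"2024-03-27T16:14:39Z",'
    '"logger":"ext-auth.ext-auth-service","msg":"dynamic metadata on response",'
    '"version":"undefined","x-request-id":"4a84ed45-7d15-4c6a-ac04-651b9102713e",'
    '"metadata":"fields:{key:\\"userId\\"  value:{string_value:\\"c9d446aa-4a48-4c43-aafb-47edb8695e01\\"}}"}'
)

# One protobuf text-format entry as printed by the ext-auth service:
#   key:"userId"  value:{string_value:"..."}
_FIELD_RE = re.compile(r'key:"(?P<key>[^"]*)"\s+value:\{string_value:"(?P<value>[^"]*)"\}')


def claims_from_jwt(token: str) -> Dict[str, object]:
    """Decode the payload segment of a compact JWT for inspection only.

    This performs no signature verification; use it to see which claims the
    token carries, not to trust them.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def expected_metadata(claims: Dict[str, object], mapping: Dict[str, str]) -> Dict[str, str]:
    """Metadata the mapping should emit: one entry per mapped claim present in the token."""
    return {meta_key: str(claims[claim]) for meta_key, claim in mapping.items() if claim in claims}


def parse_metadata_fields(metadata_text: str) -> Dict[str, str]:
    """Extract key/string_value pairs from the protobuf text-format metadata string."""
    return {m.group("key"): m.group("value") for m in _FIELD_RE.finditer(metadata_text)}


def missing_metadata(expected: Dict[str, str], actual: Dict[str, str]) -> List[str]:
    """Expected keys that are absent from the emitted metadata or carry a different value."""
    return sorted(k for k, v in expected.items() if actual.get(k) != v)


def check_log(log_lines: List[str], claims: Dict[str, object], mapping: Dict[str, str]) -> Dict[str, List[str]]:
    """Map each request id seen in a response-metadata line to its missing keys ([] means the mapping worked)."""
    expected = expected_metadata(claims, mapping)
    report: Dict[str, List[str]] = {}
    for line in log_lines:
        record = json.loads(line)
        if record.get("msg") != "dynamic metadata on response":
            continue  # e.g. the "Received auth request" line carries no metadata
        actual = parse_metadata_fields(record.get("metadata", ""))
        report[record.get("x-request-id", "?")] = missing_metadata(expected, actual)
    return report


if __name__ == "__main__":
    print("claims in sample token:", claims_from_jwt(SAMPLE_JWT))
    for req_id, missing in check_log([EXT_AUTH_LOG_LINE], CLAIMS, DYNAMIC_METADATA_FROM_CLAIMS).items():
        print(req_id, "ok" if not missing else "missing metadata keys: " + ", ".join(missing))
```

Run against the log line from the report, the script lists `email` as missing, which is the symptom described. The same expected dictionary is what an Envoy access log format referencing `%DYNAMIC_METADATA(envoy.filters.http.ext_authz:email)%` would print once the claim is propagated, so it can double as the pass condition for the access-log side of the check.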

This feature is important for the Gloo Gateway portal. We'll encourage customers to use oauth2 tokens for API authentication, and this feature is important to allow them to add information in the access logs about who's using the API and monetize their APIs based on that.