external-auth-server: /envoy/verify-params-header can cause infinite auth loop
Thanks for this project! It’s super useful.
We got really stuck for a little while in an infinite auth loop when trying to use this from an envoy ext_authz filter (similar to your examples: istio example, https://github.com/travisghansen/external-auth-server/issues/23#issuecomment-522617850 ).
The ultimate fix ended up being to set pathPrefix to `/envoy/verify-params-header/anythingherewillwork`. That makes it correctly match the express route: https://github.com/travisghansen/external-auth-server/blob/154218a725e716642af0607eb47597d40b1c2737/src/server.js#L425 (in fact, in hindsight even just an extra `/` on the path will work).
I’m not sure what made those previous examples work with just `/envoy/verify-params-header`; maybe something automatically appended to the paths?
I think a good change to make this easier to use would be to update the route to just `/envoy/verify-params-header`, but I’m not sure if that’s how you intended it to be used.
Here’s the full filter we ended up with, in case it’s useful:
```yaml
http_filters:
- name: envoy.ext_authz
  config:
    failure_mode_allow: false
    http_service:
      path_prefix: /envoy/verify-params-header/anythingherewillwork
      authorization_request:
        allowed_headers:
          patterns:
          - exact: cookie
          - exact: X-Forwarded-Host
          - exact: X-Forwarded-Method
          - exact: X-Forwarded-Proto
          - exact: X-Forwarded-Uri
        headers_to_add:
        - key: "x-eas-verify-params"
          value: '{"config_token_store_id": "env_token_store", "config_token_id": "token_id_1"}'
      server_uri:
        uri: http://external-auth-server.internal-service.svc.cluster.local
        cluster: ext-authz
        timeout: 10s
    status_on_error:
      code: Forbidden
    with_request_body:
      allow_partial_message: true
      max_request_bytes: 4096
- name: envoy.router
  typed_config: {}
```
This works excellently for us with OIDC and GCP Identity Platform! 🎉
About this issue
- State: closed
- Created 5 years ago
- Comments: 25 (22 by maintainers)
Just released v0.6.0, closing.