Istio Envoy OAuth2 Filter Configuration

Questions OAuth/OIDC
1

Hello, I am trying to configure an Istio EnvoyFilter with the oAuth2 filter. Unfortunately fails the flow with the error: “Jwks doesn’t have key to match kid or alg from Jwt”.

Here is the config:

apiVersion: security.istio.io/v1beta1
kind: RequestAuthentication
metadata:
  name: snoauth-test
  namespace: test
spec:
  selector:
    matchLabels:
      app: snoauth-test
  jwtRules:
    - issuer: "https://myorg.oktapreview.com"
      jwksUri: "https://myorg.oktapreview.com/oauth2/v1/keys"

apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: snoauth-test
  namespace: test
spec:
  selector:
    matchLabels:
      app: snoauth-test
  action: DENY
  rules:
    - from:
        - source:
            notRequestPrincipals: ["*"]

apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
  name: myoauth-test
  namespace: test
spec:
  workloadSelector:
    labels:
      app: snoauth-test
  configPatches:
    - applyTo: CLUSTER
      match:
        cluster:
          service: oauth
      patch:
        operation: ADD
        value:
          name: oauth
          connect_timeout: 2s
          type: LOGICAL_DNS
          lb_policy: ROUND_ROBIN
          load_assignment:
            cluster_name: oauth
            endpoints:
              - lb_endpoints:
                  - endpoint:
                      address:
                        socket_address:
                          address: myorg.oktapreview.com
                          port_value: 443
          transport_socket:
            name: envoy.transport_sockets.tls
            typed_config:
              "@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.UpstreamTlsContext
              sni: myorg.oktapreview.com
    - applyTo: HTTP_FILTER
      match:
        context: SIDECAR_INBOUND
        listener:
          filterChain:
            filter:
              name: "envoy.filters.network.http_connection_manager"
              subFilter:
                name: "envoy.filters.http.jwt_authn"
      patch:
        operation: INSERT_BEFORE
        value:
          name: envoy.filters.http.oauth2
          typed_config:
            "@type": type.googleapis.com/envoy.extensions.filters.http.oauth2.v3.OAuth2
            config:
              token_endpoint:
                cluster: oauth
                uri: "https://myorg.oktapreview.com/oauth2/v1/token"
                timeout: 5s
              authorization_endpoint: "https://myorg.oktapreview.com/oauth2/v1/authorize"
              redirect_uri: "https://snoauth-test.apps.k8s-dev.myorg.io/callback"
              redirect_path_matcher:
                path:
                  exact: /callback
              signout_path:
                path:
                  exact: /signout
              forward_bearer_token: true
              auth_scopes:
                - openid
                - profile
              credentials:
                client_id: xxx
                token_secret:
                  name: token
                  sds_config:
                    path: "/etc/istio/config/token-secret.yaml"
                hmac_secret:
                  name: hmac
                  sds_config:
                    path: "/etc/istio/config/hmac-secret.yaml"

It seems I can login and get an id and access token, but then the jwt verification fails. Looking at the access token:

{
  "alg": "RS256"
  "kid": "SAVWRVwZbyO-NvGhH8YfW9XAiKxDxzums4Qn8wBLOUw",
}
{
  "aud": "https://myorg.oktapreview.com",
  "cid": "xxx",
  "exp": 1651828516,
  "iat": 1651824916,
  "iss": "https://myorg.oktapreview.com",
  "jti": "xxx",
  "sub": "user@myorg.com",
  "uid": "xxx",
  "ver": 1,
  "scp": [
    "openid"
  ],
  "auth_time": 1651824914
}

the kid from the access token is not in configured jwksUri: https://myorg.oktapreview.com/oauth2/v1/keys

Any idea whats wrong here?

2

Hello,

The issue sounds like it is being caused by the fact that Okta does not publish the public key part to the private key used to sign the access token from the Org Authorization Server, which is what is being used.
https://myorg.oktapreview.com

In Okta the public key needed verify the signature of an access token minted by a custom authorization is available from the /keys endpoint, but not for the Org authorization server, see here.

You will either need to use a custom authorization server, or have your application verify the access token from the Org authorization server using the /introspect endpoint.

3 Likes
3

This topic was automatically closed 24 hours after the last reply. New replies are no longer allowed.