fix(translator): make OIDC and JWT authentication work together #5142
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
StephenRobin
force-pushed
the
oidc-and-jwt
branch
from
a834e4d to
728e187
Compare
Currently, when both OIDC and JWT authentication mechanisms are configured in the same SecurityPolicy, the OIDC is applied first. It ensures the presence of the bearer and refresh tokens in cookies, and adds the Authorisation header to the request. Then JWT is applied, validating the added header. This setup works perfectly for browser requests. However, it blocks requests from clients that provide a valid "Authorization: Bearer..." header (normally non-browser clients). The OIDC mechanism kicks in first and redirects the requests to the login pages because of the missing cookies. Use Envoy Gateway's pass_through_matcher option to skip over the OIDC filter when the request is going to be handled by the JWT filter later. Signed-off-by: Stephen Robin <[email protected]>
StephenRobin
force-pushed
the
oidc-and-jwt
branch
from
728e187 to
d12b2f2
Compare
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
What type of PR is this?
What this PR does / why we need it:
Currently, when both OIDC and JWT authentication mechanisms are configured in the same SecurityPolicy, the OIDC is applied first. It ensures the presence of the bearer and refresh tokens in cookies, and adds the Authorisation header to the request. Then JWT is applied, validating the added header.
This setup works perfectly for browser requests. However, it blocks requests from clients that provide a valid "Authorization: Bearer..." header (normally non-browser clients). The OIDC mechanism kicks in first and redirects the requests to the login pages because of the missing cookies.
Use Envoy Gateway's pass_through_matcher option to skip over the OIDC filter when the request is going to be handled by the JWT filter later.
Which issue(s) this PR fixes:
Fixes #2496
Release Notes: Yes