
Commit

fix(discovery): fix if host of jwks endpoint is different
Signed-off-by: Anton Engelhardt <[email protected]>
antonengelhardt committed Sep 9, 2024
1 parent ea4723a commit 80e497e
Showing 5 changed files with 87 additions and 7 deletions.
36 changes: 36 additions & 0 deletions README.md
@@ -202,3 +202,39 @@ cargo-deny check advisories
```

These commands are also run in the CI pipeline.

## FAQ

> My OpenID provider uses a different endpoint for the jwks_uri. How can I configure this?
Google does exactly that:

```json
{
"jwks_uri": "https://www.googleapis.com/oauth2/v3/certs"
}

You can add the endpoint in your `envoy.yaml`-file like this:

```yaml
- name: google
connect_timeout: 5s
type: STRICT_DNS
dns_lookup_family: V4_ONLY
load_assignment:
cluster_name: google
endpoints:
- lb_endpoints:
- endpoint:
address:
socket_address:
address: accounts.google.com
port_value: 443
- endpoint:
address:
socket_address:
address: www.googleapis.com
port_value: 443
```

The rest should work fine.
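Review bot: the ```json fence opened for the `jwks_uri` snippet is never closed before "You can add the endpoint in your `envoy.yaml`-file like this:", so in rendered Markdown that sentence and the whole ```yaml block end up inside the JSON code block; add a closing ``` after the `}`. The FAQ also ends with "The rest should work fine." while the demo/configmap.yml entry added in this same commit is labelled "google (unusable, will not work)"; the two should agree, or the FAQ should say what else is required. It would help readers to state why adding the second endpoint is enough, namely that discovery now sends the JWKS request with the `:authority` of the `jwks_uri` host (see the src/discovery.rs change), so that host must be reachable through the configured `upstream_cluster`.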
36 changes: 35 additions & 1 deletion demo/configmap.yml
@@ -70,6 +70,17 @@ data:
claims: "{\"id_token\":{\"groups\":null,\"username\":null}}"
client_secret: "redacted"
audience: qxgINfU3gutYjea8hEmpra5JG5jyqeAY
- name: "google (unusable, will not work)"
image: "https://upload.wikimedia.org/wikipedia/commons/thumb/2/2f/Google_2015_logo.svg/2560px-Google_2015_logo.svg.png"
config_endpoint: "https://accounts.google.com/.well-known/openid-configuration"
upstream_cluster: "google"
authority: "accounts.google.com"
redirect_uri: "http://localhost:10000/oidc/callback"
client_id: "google-client-id"
scope: "openid profile email"
claims: "{\"id_token\":{\"groups\":null,\"username\":null}}"
client_secret: "google-client-secret"
audience: "google-client-id"
vm_config:
runtime: "envoy.wasm.runtime.v8"
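Review bot: the new provider is named "google (unusable, will not work)" while the README FAQ added in this commit says Google works once the jwks host is in the cluster; either the name should say why it cannot work (only placeholder `client_id`/`client_secret`/`audience` values, or something structural) or the label should go. If it is just missing credentials, a comment like `# replace client_id/client_secret with your own` on the placeholder lines is clearer than an "unusable" tag in the display name.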
@@ -95,7 +106,7 @@ data:
port_value: 80
- name: auth0
connect_timeout: 5s
type: LOGICAL_DNS
type: STRICT_DNS
dns_lookup_family: V4_ONLY
load_assignment:
cluster_name: auth0
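Review bot: switching the auth0 cluster from `LOGICAL_DNS` to `STRICT_DNS` is unrelated to the jwks host fix in the commit message; mention it there or split it out. It is not a no-op either: STRICT_DNS turns every A record returned into its own endpoint and re-resolves on the TTL, whereas LOGICAL_DNS keeps a single endpoint and resolves at connect time, so this changes how requests to auth0 are balanced.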
@@ -111,3 +122,26 @@ data:
typed_config:
"@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.UpstreamTlsContext
sni: "demo-wasm-oidc-plugin.eu.auth0.com"
- name: google
connect_timeout: 5s
type: STRICT_DNS
dns_lookup_family: V4_ONLY
load_assignment:
cluster_name: google
endpoints:
- lb_endpoints:
- endpoint:
address:
socket_address:
address: accounts.google.com
port_value: 443
- endpoint:
address:
socket_address:
address: www.googleapis.com
port_value: 443
transport_socket:
name: envoy.transport_sockets.tls
typed_config:
"@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.UpstreamTlsContext
sni: "accounts.google.com"
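Review bot: putting `accounts.google.com` and `www.googleapis.com` as two `lb_endpoints` of one cluster does not route by hostname: Envoy picks an endpoint by load-balancing policy regardless of the `:authority` header, and the single `sni: "accounts.google.com"` is presented on connections to both hosts. A JWKS request with authority `www.googleapis.com` can therefore be sent to accounts.google.com, and connections to www.googleapis.com carry the wrong SNI (and the wrong expected SAN if certificate validation is configured). A separate cluster for the jwks host with its own `sni`, or Envoy's `auto_sni`/`auto_san_validation` upstream HTTP protocol options so SNI and SAN follow the request host, is the robust shape here.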
7 changes: 6 additions & 1 deletion envoy.yaml
@@ -85,7 +85,7 @@ static_resources:
hostname: "httpbin.org"
- name: google
connect_timeout: 5s
type: LOGICAL_DNS
type: STRICT_DNS
dns_lookup_family: V4_ONLY
load_assignment:
cluster_name: google
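Review bot: the `LOGICAL_DNS` to `STRICT_DNS` change on the google cluster is not explained by the commit message, which only mentions the jwks host; if it is needed for the two-hostname cluster (STRICT_DNS resolves each hostname to all of its A records as separate endpoints), say so in the message, otherwise keep the fix minimal.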
@@ -96,6 +96,11 @@ static_resources:
socket_address:
address: accounts.google.com
port_value: 443
- endpoint:
address:
socket_address:
address: www.googleapis.com
port_value: 443
transport_socket:
name: envoy.transport_sockets.tls
typed_config:
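Review bot: adding `www.googleapis.com` as a second `lb_endpoint` of the same cluster means requests are load-balanced across both hosts, so a JWKS fetch with `:authority: www.googleapis.com` may be sent to accounts.google.com and a discovery fetch to www.googleapis.com, depending on the policy's pick. The `transport_socket` is cut off here, but one `UpstreamTlsContext` also means one SNI for both hosts. Either give the jwks host its own cluster or enable `auto_sni`/`auto_san_validation` so TLS parameters follow the request host.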
13 changes: 9 additions & 4 deletions k8s/configmap.yml
@@ -58,7 +58,7 @@ data:
aes_key: "i-am-a-forty-four-characters-long-string-key" # generate with `openssl rand -base64 32`
reload_interval_in_h: 1 # in hours
ticking_interval_in_ms: 5000 # in milliseconds
ticking_interval_in_ms: 500 # in milliseconds
open_id_configs:
- name: google
image: "https://upload.wikimedia.org/wikipedia/commons/thumb/2/2f/Google_2015_logo.svg/2560px-Google_2015_logo.svg.png"
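Review bot: `ticking_interval_in_ms` drops from 5000 to 500, a tenfold increase in how often the root context ticks, which has nothing to do with the jwks host fix and is not mentioned in the commit message; move it to its own commit or state the reason, since it also changes how quickly the plugin retries discovery against the provider.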
@@ -97,7 +97,7 @@ data:
hostname: "httpbin.org" #! This is the hostname of the service you want to access.
- name: google #! must match the upstream_cluster in the plugin's configuration.
connect_timeout: 5s
type: LOGICAL_DNS
type: STRICT_DNS
dns_lookup_family: V4_ONLY
load_assignment:
cluster_name: google
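Review bot: as in envoy.yaml and demo/configmap.yml, the `LOGICAL_DNS` to `STRICT_DNS` switch is outside the stated scope of the fix; the `#!` comment on `- name: google` already explains the naming constraint, so a matching `#!` comment explaining why STRICT_DNS is required (if it is) would keep this template self-describing.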
@@ -106,10 +106,15 @@ data:
- endpoint:
address:
socket_address:
address: your-domain.com #! Your Auth Server's domain name.
address: accounts.google.com #! Your Auth Server's domain name.
port_value: 443
- endpoint:
address:
socket_address:
address: www.googleapis.com #! Your Auth Server's domain name.
port_value: 443
transport_socket:
name: envoy.transport_sockets.tls
typed_config:
"@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.UpstreamTlsContext
sni: "your-domain.com" #! Here as well.
sni: "accounts.google.com" #! Your Auth Server's domain name.
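Review bot: this manifest is written as a template (the `#!` comments and the former `your-domain.com` placeholder), but the change hard-codes Google hostnames while repeating the comment "Your Auth Server's domain name." on both the `accounts.google.com` and the `www.googleapis.com` endpoints and on `sni`. The second endpoint's comment should say it is the host of the provider's `jwks_uri` (only needed when that host differs from the issuer), and a placeholder such as `your-jwks-domain.com` would keep the template usable for non-Google providers. The single-cluster concern applies here too: two hosts behind one cluster with one `sni: "accounts.google.com"` means requests are balanced across both and connections to the googleapis endpoint get the wrong SNI.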
2 changes: 1 addition & 1 deletion src/discovery.rs
@@ -311,7 +311,7 @@ impl RootContext for Root {
vec![
(":method", "GET"),
(":path", open_id_response.jwks_uri.path()),
(":authority", resolver.open_id_config.authority.as_str()),
(":authority", open_id_response.jwks_uri.host_str().unwrap()),
],
None,
vec![],
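Review bot: `open_id_response.jwks_uri.host_str().unwrap()` panics when the URL has no host (a relative reference or a non-network scheme in a misconfigured provider's discovery document), and a panic in a Wasm root context takes the filter down for every request it serves; handle the `None` case explicitly, for example fall back to `resolver.open_id_config.authority` or log and abort this discovery round. Assuming `jwks_uri` is a `url::Url`, `host_str()` also drops the port, so a `jwks_uri` on a non-default port gets a wrong `:authority`; `jwks_uri.authority()` or appending `port_or_known_default()` covers that. Since the authority header is now taken straight from the discovery document, checking that `jwks_uri.scheme()` is `https` before dispatching is worthwhile. Pre-existing, but visible in the context: `:path` uses `.path()` and silently drops any query string on the `jwks_uri`.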
