OAuth flow failed while using SecurityPolicy with EnvoyGateway #38023

Closed
HannaManista opened this issue Jan 15, 2025 · 2 comments

Comments

@HannaManista

Title: OAuth flow failed while using multiple authentication sessions with EnvoyGateway

Description:
I set up 2 separate SecurityPolicies (using api: gateway.envoyproxy.io/v1alpha1) for each of my HTTPRoutes (from gateway.networking.k8s.io/v1). Both of the SecurityPolicies point to the same Azure application. Their configuration is as follows:

```yaml
apiVersion: gateway.envoyproxy.io/v1alpha1
kind: SecurityPolicy
metadata:
  name: "prometheus-oidc"
  namespace: monitoring
spec:
  oidc:
    clientID: {{ .Values.authentication.clientID }} # application ID of the EntraID OIDC application
    clientSecret:
      group: ""
      kind: Secret
      name: {{ .Values.authentication.clientSecretName }}
    logoutPath: /logout
    provider:
      issuer: https://login.microsoftonline.com/<tenant-ID>/v2.0
    redirectURL: https://{{ .Values.prometheus.dnsZoneName }}/oauth2/callback
  targetRefs:
  - group: gateway.networking.k8s.io
    kind: HTTPRoute
    name: {{ .Values.prometheus.httpRouteName }}
```

First I set only one of the SecurityPolicies to authenticate the traffic to its HTTPRoute. It worked: I was routed to the login page and, after logging in, to the service page.
I wanted to enable the second SecurityPolicy for another HTTPRoute (another service). After it was created successfully I called the service's URL, was once again redirected to the authentication page, but after logging in I got the error page: "OAuth flow failed."
In the Envoy gateway's pod the log looks as follows:

[image: screenshot of the Envoy gateway pod log]

The only information here is the 401 error code, while with the same credentials I am authenticated by the same Azure application to another service (using a different HTTPRoute).

The same behavior was observed when attaching 2 HTTPRoutes to one SecurityPolicy.
Also, what is the way to track the authorized OIDC sessions in the SecurityPolicy provided by EnvoyGateway? (Analogously to oauth2, which has redis.)
Config:
Envoy is installed using the helm chart gateway-helm from docker.io/envoyproxy, chart version 1.2.1.
The EnvoyProxy customization is only annotations:

```yaml
apiVersion: gateway.envoyproxy.io/v1alpha1
kind: EnvoyProxy
metadata:
  name: custom-proxy-config
  namespace: {{ .Values.gateway.namespace }}
spec:
  provider:
    type: Kubernetes
    kubernetes:
      envoyService:
        annotations:
          service.beta.kubernetes.io/azure-load-balancer-internal: "true"
          service.beta.kubernetes.io/azure-load-balancer-internal-subnet: {{ .Values.gateway.loadbalancer.subnet }}
```
@HannaManista HannaManista added bug triage Issue requires triage labels Jan 15, 2025
@jmarantz jmarantz added area/oauth and removed triage Issue requires triage labels Jan 16, 2025
@yanavlasov
Contributor

Should this go into https://github.com/envoyproxy/gateway ?

@HannaManista
Author

Yes, I opened up a ticket there.
