Envoy: Invalid inline jwks for issuer with Google certificate

Created on 24 Jan 2019 · 6 Comments · Source: envoyproxy/envoy

Invalid inline jwks for issuer with Google certificate

Description:

I am trying to authenticate requests with Firebase with Istio, which uses Envoy as a sidecar in Kubernetes. I followed the documentation here:
https://istio.io/docs/tasks/security/authn-policy/#end-user-authentication

This works great!

Then I updated to the Google Firebase configuration (my project ID is aura-dev)

issuer: "https://securetoken.google.com/aura-dev"
jwksUri: "https://www.googleapis.com/robot/v1/metadata/x509/[email protected]"

I am experiencing the following error in the log:

[helloworld-6747c96bc7-j2vsh istio-proxy] [2019-01-24 06:02:59.729][18][warning][filter] ./src/envoy/http/jwt_auth/pubkey_cache.h:84] Invalid inline jwks for issuer: https://securetoken.google.com/aura-dev, jwks: {
[helloworld-6747c96bc7-j2vsh istio-proxy]   "91fc60858e1c4133c82216d53dd179fa41f8430c": "-----BEGIN CERTIFICATE-----\nMIIDHDCCAgSgAwIBA.......",

It seems Envoy has an issue reading the certificate information.

Repro steps:

Use the following certificate and issue:

issuer: "https://securetoken.google.com/aura-dev"
jwksUri: "https://www.googleapis.com/robot/v1/metadata/x509/[email protected]"

Call Stack:

See above


All 6 comments

Istio proxy is NOT using the Envoy jwt_authn filter yet. You already opened an issue in Istio/proxy.

So this one should be closed.

The failing case using the URL https://www.googleapis.com/robot/v1/metadata/x509/[email protected] as the jwksUri is because the key format in this URL is not supported by the Istio Envoy proxy. The format of the jwks acceptable by the Istio proxy is defined by the standard https://tools.ietf.org/html/rfc7517. Please refer to https://tools.ietf.org/html/rfc7517 for the format of the JSON web key.

The jwks in the working config ("https://raw.githubusercontent.com/istio/istio/release-1.0/security/tools/jwt/samples/jwks.json") is of the following format, which is consistent with the json web key format in https://tools.ietf.org/html/rfc7517.
{
  "keys": [
    {
      "e": "AQAB",
      "kid": "DHFbpoIUqrY8t2zpA2qXfCmr5VO5ZEr4RzHU_-envvQ",
      "kty": "RSA",
      "n": "xAE...."
    }
  ]
}

The key in the failing config ("https://www.googleapis.com/robot/v1/metadata/x509/[email protected]") is of the following format, which is not consistent with the json web key format in https://tools.ietf.org/html/rfc7517.
{
  "91fc60858e1c4133c82216d53dd179fa41f8430c": "-----BEGIN CERTIFICATE-----....-----END CERTIFICATE-----\n",
  "859a641a1b82cc3b50a801bf50640f38257d1299": "-----BEGIN CERTIFICATE-----... -----END CERTIFICATE-----\n"
}
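As an added example (not code from this issue, Envoy or Istio), the Python check below tells the RFC 7517 JWK Set shape apart from the kid-to-PEM certificate map that the x509 metadata endpoint returns, so a wrong jwksUri can be caught before the proxy logs "Invalid inline jwks". Both sample documents are constructed placeholders, not real keys.

```python
import base64
import json

# Constructed sample in the RFC 7517 shape of Istio's sample jwks.json;
# DUMMY_N is filler bytes, not a real modulus.
DUMMY_N = base64.urlsafe_b64encode(bytes(range(1, 65))).rstrip(b"=").decode()
RFC7517_SAMPLE = json.dumps({"keys": [
    {"kty": "RSA", "kid": "DHFbpoIUqrY8t2zpA2qXfCmr5VO5ZEr4RzHU_-envvQ", "e": "AQAB", "n": DUMMY_N}]})
# Constructed sample in the kid -> PEM map shape served by the x509 metadata
# endpoint; the certificate body is truncated and is not a real certificate.
X509_MAP_SAMPLE = json.dumps({"91fc60858e1c4133c82216d53dd179fa41f8430c":
    "-----BEGIN CERTIFICATE-----\nMIIDHDCCAgSgAwIBA\n-----END CERTIFICATE-----\n"})
_B64URL_ALPHABET = set("ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_")

def _b64url_ok(value) -> bool:
    """True when value is non-empty, unpadded base64url text that decodes cleanly."""
    if not isinstance(value, str) or not value or not set(value) <= _B64URL_ALPHABET:
        return False
    try:
        base64.urlsafe_b64decode(value + "=" * (-len(value) % 4))
        return True
    except ValueError:
        return False

def jwks_problems(text: str) -> list:
    """Reasons the document is not an RFC 7517 JWK Set; an empty list means it is."""
    try:
        doc = json.loads(text)
    except ValueError as exc:
        return [f"not JSON: {exc}"]
    if not isinstance(doc, dict):
        return ["top level is not a JSON object"]
    if "keys" not in doc:
        # The x509 endpoint serves {kid: PEM} with no "keys" member at all.
        if doc and all(isinstance(v, str) and v.startswith("-----BEGIN CERTIFICATE-----")
                       for v in doc.values()):
            return ["kid -> PEM certificate map, not a JWK Set; use the /service_accounts/v1/jwk/ endpoint"]
        return ['missing required "keys" member']
    if not isinstance(doc["keys"], list):
        return ['"keys" must be an array']
    problems = []
    for i, key in enumerate(doc["keys"]):
        if not isinstance(key, dict) or "kty" not in key:
            problems.append(f"keys[{i}]: missing kty")
            continue
        if key["kty"] == "RSA":  # RSA keys must carry base64url n and e (RFC 7518 section 6.3)
            for member in ("n", "e"):
                if not _b64url_ok(key.get(member)):
                    problems.append(f"keys[{i}]: RSA key needs base64url {member}")
    return problems
```

Fetch the jwksUri body with your usual HTTP client and pass it to jwks_problems before wiring it into the policy.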

Thanks @lei-tang - yes you can close - I don't think Google will fix this for me :)

I found the valid file for Firebase for the certificates:

https://www.googleapis.com/service_accounts/v1/jwk/[email protected]

@jcurlier you can close this issue. Neither I nor @lei-tang can close it.
Again, this is not an Envoy issue. It is an Istio issue.

Sure - thanks for your help
