Validate ID Token when OIDC is set #5414

Open · arkodg opened this issue Mar 5, 2025 · 11 comments
Labels: kind/feature (new feature)

arkodg (Contributor) commented Mar 5, 2025

Description:

The OIDC spec calls out verifying the ID Token https://openid.net/specs/openid-connect-core-1_0.html#IDTokenValidation

This could be enabled by default or opt in

arkodg added the triage, help wanted and kind/feature labels and removed the triage label Mar 5, 2025

arkodg (Contributor, Author) commented Mar 5, 2025

cc @denniskniep @zhaohuabing

markwinter commented Mar 6, 2025

Hey, I'm looking to start working on Envoy Gateway and wouldn't mind picking this one up

markwinter commented:

/assign @markwinter

arkodg (Contributor, Author) commented Mar 6, 2025

thanks for picking this one up @markwinter, recommend starting off with an API PR

arkodg removed the help wanted label Mar 6, 2025
arkodg added this to the v1.4.0-rc.1 milestone Mar 6, 2025

zhaohuabing (Member) commented Mar 7, 2025

@arkodg @markwinter I believe this needs to be supported by the Envoy OAuth2 filter first, then we can enable validation in EG.

arkodg (Contributor, Author) commented Mar 7, 2025

@zhaohuabing can't we add jwt authn if this field is set?

markwinter commented Mar 8, 2025

I found related discussions here:
#2425 (comment)
envoyproxy/envoy#32805

I checked that the forward_bearer_token in the oauth2 filter will set the access token in the Authorization header
https://github.com/envoyproxy/envoy/blob/22a07c31780d8b3b95460c0cc7333ab5e14b89ab/source/extensions/filters/http/oauth2/filter.cc#L882-L884

Perhaps this can be implemented by combining the oauth2 filter and the jwt filter as you mentioned @arkodg, and using jwtExtractor/from_cookies to get the id token from the cookie set by the oauth2 filter.

I think I know the path forward here so will start on the API PR

markwinter commented Mar 8, 2025

@arkodg Opened the API PR here if you could have a look please and see if it aligns with what you were thinking: #5443

zhaohuabing (Member) commented Mar 10, 2025

> @zhaohuabing can't we add jwt authn if this field is set?

@arkodg @markwinter I think JWT authentication is used for general-purpose authentication with JWT tokens. However, ID Token Validation requires additional checks specific to OIDC ID tokens. Some general checks, such as iss and claim validation, can be done with the JWT filter, but others—such as alg, nonce, and acr—require validation rules that are unique to OIDC and can't be achieved with the JWT filter.

If our immediate goal is to validate only the iss and claims, this can be handled within the JWT section of a SecurityPolicy. Introducing partial validation within the OIDC API does not provide significant value, as it would duplicate existing functionality of the JWT authn.

markwinter commented Mar 10, 2025

@zhaohuabing

Verifying the alg is part of JWT signed token verification, that's why JWKS can be supplied in the JWT Authentication filter.

https://github.com/envoyproxy/envoy/blob/eb398e9e4e0e33c8d68d5b9f86db88f236fd57c4/source/extensions/filters/http/jwt_authn/authenticator.cc#L324

https://github.com/google/jwt_verify_lib/blob/master/src/verify.cc#L210

The nonce and acr are OIDC-specific though and are dependent on whether they were requested in the initial authentication request.

zhaohuabing (Member) commented:

> @zhaohuabing
>
> Verifying the alg is part of JWT signed token verification, that's why JWKS can be supplied in the JWT Authentication filter.

I mean this alg validation:

> The alg value SHOULD be the default of RS256 or the algorithm sent by the Client in the id_token_signed_response_alg parameter during Registration.
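The three checks the thread identifies as OIDC-specific (pinning alg to the registered id_token_signed_response_alg, nonce, acr), as an added Go example that is not code from this issue or from Envoy Gateway. It assumes the JWT authn filter has already verified the signature against the JWKS along with iss, aud and exp, so only the OIDC rules run on the decoded token; OIDCExpectations, CheckOIDCClaims and mintToken are hypothetical names, and the tokens are constructed fixtures with an empty signature segment.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"slices"
	"strings"
)

// OIDCExpectations is what the relying party fixed before the ID token arrived: the alg
// registered as id_token_signed_response_alg, plus the nonce and acr_values it sent in the
// authentication request (an empty value means it was not requested, so it is not checked).
type OIDCExpectations struct {
	Alg, Nonce string
	ACRValues  []string
}

// CheckOIDCClaims runs the ID Token Validation steps that are OIDC-specific (alg, nonce,
// acr). Signature/JWKS, iss, aud and exp are assumed already verified by the JWT authn filter.
func CheckOIDCClaims(token string, e OIDCExpectations) error {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return errors.New("malformed JWT: expected three segments")
	}
	var hdr struct{ Alg string `json:"alg"` }
	var claims map[string]any
	for i, dst := range []any{&hdr, &claims} { // header, then payload
		raw, err := base64.RawURLEncoding.DecodeString(parts[i])
		if err != nil || json.Unmarshal(raw, dst) != nil {
			return fmt.Errorf("segment %d is not base64url-encoded JSON", i)
		}
	}
	if hdr.Alg != e.Alg { // pin to the registered alg (RS256 by default), never trust the header
		return fmt.Errorf("alg %q does not match registered %q", hdr.Alg, e.Alg)
	}
	if e.Nonce != "" && claims["nonce"] != e.Nonce { // binds the token to the request that asked for it
		return errors.New("nonce missing or does not match the authentication request")
	}
	if acr, _ := claims["acr"].(string); len(e.ACRValues) > 0 && !slices.Contains(e.ACRValues, acr) {
		return fmt.Errorf("acr %q is not among the requested acr_values", acr) // only when requested
	}
	return nil
}

// mintToken builds a header.payload. fixture with an empty signature segment: constructed
// test input only, since signature verification is the JWT filter's job, not this code's.
func mintToken(alg string, claims map[string]any) string {
	seg := func(v any) string { b, _ := json.Marshal(v); return base64.RawURLEncoding.EncodeToString(b) }
	return seg(map[string]string{"alg": alg, "typ": "JWT"}) + "." + seg(claims) + "."
}
```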
