
Azure Ad (Entra-id) and JWT - Jwt verification fails


Gwenn Etourneau

Sep 18, 2024, 4:21:18 AM9/18/24
to envoy-users
Hi team,

I am trying to use the JWT auth filter with Azure AD, but I can't get it working: the JWT verification fails, and the debug and trace logs don't say much.

From the logs


[2024-09-18 16:52:58.763][52962069][debug][filter] [source/extensions/filters/http/common/jwks_fetcher.cc:85] onSuccess: fetch pubkey [uri = https://login.microsoftonline.com/(tenant-id)/discovery/v2.0/keys]: success
[2024-09-18 16:52:58.763][52962069][debug][filter] [source/extensions/filters/http/common/jwks_fetcher.cc:91] onSuccess: fetch pubkey [uri = https://login.microsoftonline.com/(tenant-id)/discovery/v2.0/keys]: succeeded
[2024-09-18 16:52:58.764][52962069][debug][jwt] [source/extensions/filters/http/jwt_authn/authenticator.cc:428] azuread: JWT token verification completed with: Jwt verification fails
[2024-09-18 16:52:58.764][52962069][debug][jwt] [source/extensions/filters/http/jwt_authn/authenticator.cc:432] status is: Jwt verification fails
[2024-09-18 16:52:58.764][52962069][debug][jwt] [source/extensions/filters/http/jwt_authn/filter.cc:111] Jwt authentication completed with: Jwt verification fails



Here is my configuration; the oauth2 filter works without issue, but I can't get past the JWT one.



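---
static_resources:
  secrets:
    # OAuth2 client secret. Inline here for the example only; in a real
    # deployment load it via SDS or a file so it is not committed with the config.
    - name: token
      generic_secret:
        secret:
          inline_string: secreet
    # HMAC key the oauth2 filter uses to sign its session cookies.
    # Generate with: head -c 32 /dev/urandom | base64
    # A bare "inline_string: #..." parses as null, so a real value must be present.
    - name: hmac
      generic_secret:
        secret:
          inline_string: "<base64-hmac-secret>"
  listeners:
    - address:
        socket_address:
          address: 0.0.0.0
          port_value: 8000
      filter_chains:
        - filters:
            - name: envoy.filters.network.http_connection_manager
              typed_config:
                "@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager
                codec_type: AUTO
                stat_prefix: ingress_http
                route_config:
                  name: local_route
                  virtual_hosts:
                    - name: upstream
                      domains:
                        - "*"
                      routes:
                        - match:
                            prefix: "/"
                          route:
                            cluster: upstream-service
                http_filters:
                  # Filter order matters: oauth2 runs first and, because of
                  # forward_bearer_token, puts the access token in the Authorization
                  # header that jwt_authn then validates.
                  - name: envoy.filters.http.oauth2
                    typed_config:
                      "@type": type.googleapis.com/envoy.extensions.filters.http.oauth2.v3.OAuth2
                      config:
                        token_endpoint:
                          cluster: azb2c
                          uri: https://login.microsoftonline.com/(tenant-id)/oauth2/v2.0/token
                          timeout: 5s
                        authorization_endpoint: https://login.microsoftonline.com/(tenant-id)/oauth2/v2.0/authorize
                        redirect_uri: "http://localhost:8000/callback"
                        redirect_path_matcher:
                          path:
                            exact: /callback
                        signout_path:
                          path:
                            exact: /signout
                        forward_bearer_token: true
                        credentials:
                          # "client_id: #clientid" parses as null; the value must be a string.
                          client_id: "<client-id>"
                          token_secret:
                            name: token
                          hmac_secret:
                            name: hmac
                        # NOTE(review): user.Read is a Microsoft Graph scope, so the access
                        # token returned is minted for Graph, not for this gateway; such tokens
                        # are not meant to be signature-validated by third parties, which would
                        # surface exactly as "Jwt verification fails". Requesting a scope of
                        # your own app registration (api://<client-id>/<scope>), or validating
                        # the id_token instead, is the usual fix — confirm against the token's
                        # aud claim.
                        auth_scopes:
                          - openid
                          - email
                          - user.Read
                          - profile
                  - name: envoy.filters.http.jwt_authn
                    typed_config:
                      "@type": type.googleapis.com/envoy.extensions.filters.http.jwt_authn.v3.JwtAuthentication
                      providers:
                        azuread:
                          # Without issuer/audiences the filter only checks the signature, so
                          # any token signed for this tenant, for any application, is accepted.
                          # v2.0 tokens carry this iss; v1.0 tokens use sts.windows.net — confirm.
                          issuer: https://login.microsoftonline.com/(tenant-id)/v2.0
                          audiences:
                            - "<client-id>"
                          remote_jwks:
                            http_uri:
                              uri: https://login.microsoftonline.com/(tenant-id)/discovery/v2.0/keys
                              cluster: azb2c
                              timeout: 5s
                            # 10s forces a JWKS refetch every ten seconds, far below Envoy's
                            # default (minutes); fine for debugging, not for production.
                            cache_duration: 10s
                      rules:
                        - match:
                            prefix: /
                          requires:
                            provider_name: azuread
                  - name: envoy.filters.http.router
                    typed_config:
                      "@type": type.googleapis.com/envoy.extensions.filters.http.router.v3.Router
  clusters:
    - name: upstream-service
      connect_timeout: 2s
      type: STRICT_DNS
      lb_policy: ROUND_ROBIN
      load_assignment:
        cluster_name: upstream-service
        endpoints:
          - lb_endpoints:
              - endpoint:
                  address:
                    socket_address:
                      address: localhost
                      port_value: 3000
    # Egress cluster for Azure AD: token endpoint and JWKS fetches.
    # Enum values are written in canonical upper case to match the cluster above.
    - name: azb2c
      connect_timeout: 100s
      type: STRICT_DNS
      dns_lookup_family: V4_ONLY
      lb_policy: ROUND_ROBIN
      load_assignment:
        cluster_name: azb2c
        endpoints:
          - lb_endpoints:
              - endpoint:
                  address:
                    socket_address:
                      address: login.microsoftonline.com
                      port_value: 443
      transport_socket:
        name: envoy.transport_sockets.tls
        typed_config:
          "@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.UpstreamTlsContext
          sni: login.microsoftonline.com
          # Without a validation_context Envoy does not verify the upstream
          # certificate, so the JWKS and token fetches would trust any server.
          # Adjust the CA bundle path to your platform.
          common_tls_context:
            validation_context:
              trusted_ca:
                filename: /etc/ssl/certs/ca-certificates.crt
              match_typed_subject_alt_names:
                - san_type: DNS
                  matcher:
                    exact: login.microsoftonline.com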




Thanks

Yan Avlasov

Sep 20, 2024, 7:26:44 PM9/20/24
to Gwenn Etourneau, envoy-users
You can also ask in the envoy-users or envoy-dev Slack channel. See https://github.com/envoyproxy/envoy/blob/main/README.md#contact
