JWT Claim to Header extraction fails when claim is a URL-like string
#33,603 创建于 2024年4月17日
仓库指标
- Star
- (27,997 star)
- PR 合并指标
- (平均合并 8天) (30 天内合并 378 个 PR)
描述
When attempting to perform a JWT Claim to Header extraction, envoy will fail to do the extraction if the claim is a URL-like string, for instance http://example.org/some_claim, and the fail is possibly silently, as I've been unable to locate logs with the failure.
Given a claim like
{
"iss": "http://example.org/",
"sub": "johndoe@example.org",
"iat": 1712240289,
"exp": 1743776289,
"aud": "http://example.org/",
"flavour": "chocolate",
"parent_token": "abc",
"some_url_value": "http://example.org/about",
"http://example.org/parent_token": "xyz"
}
on the resulting request headers, the claim "http://example.org/parent_token": "xyz" will not have been extracted.
Here's the claim_to_headers block:
claim_to_headers:
- header_name: cookie
claim_name: flavour
- header_name: x-subject
claim_name: sub
- header_name: x-simple-claim
claim_name: parent_token
- header_name: x-url-value-claim
claim_name: some_url_value
- header_name: x-url-key-claim
claim_name: http://example.org/parent_token
- header_name: x-quoted-claim
claim_name: 'http://example.org/parent_token'
- header_name: x-regex-1-claim
claim_name: http:\/\/example.org\/parent_token
- header_name: x-regex-2-claim
claim_name: http:\\/\\/example\\.org\\/parent_token
In order to show this, I've created a docker compose based reproduction at CelsoSantos/envoy-jwt-claim-extraction, which contains a README.md detailing the steps to reproduce and showcase the issue.
Now, there are some open questions here, namely:
- Is this not expected functionality?
- If it IS expected functionality, where and why is it breaking? It's not clear from the
jwtlogs nor others inspected. Which log should expose the error message? - If it needs to be treated as a regex, what is the correct way to escape the string? go-format? javascript? Could an example be provided?