Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

OAuth2 authentication is broken when using k8s with istio #17384

Open
deepu105 opened this issue Dec 22, 2021 · 14 comments
Open

OAuth2 authentication is broken when using k8s with istio #17384

deepu105 opened this issue Dec 22, 2021 · 14 comments
Labels
area: bug 🐛 $$ bug-bounty $$ https://www.jhipster.tech/bug-bounties/ theme: kubernetes theme: OIDC/OAuth2 $300 https://www.jhipster.tech/bug-bounties/

Comments

@deepu105
Copy link
Member

deepu105 commented Dec 22, 2021
edited
Loading

When creating a microservice stack with Oauth2 auth and deploying to istio on GKE, authentication to microservices ends up in an infinite loop. The gateway application and authentication for that works, but if you try to access an API provided by one of the microservice it will go on a loop. I was trying to get my standard e-commerce ms stack working with Keycloak and Okta and ended up here. Still trying to figure out whats going on. I don't see any authorization headers being passed around. But I don't see those headers for gateway APIs as well, for example the customer endpoint served by store. I'm not sure if its an Istio issue though, probably how auth is setup on JH app side.

I'll get back to debugging it after holidays, so in the meantime if anyone wants to give it a shot please go ahead

Sample JDL


/*
 * This is a microservice e-commerce store sample with Gateway and three microservice applications
 * This uses Istio for native kubernetes service discovery and oauth2 authentication
 * This also creates the required Kubernetes deployment manifests and Istio routes
 */
 
application {
  config {
    baseName store
    applicationType gateway
    packageName com.okta.developer.store
    serviceDiscoveryType no
    authenticationType oauth2
    prodDatabaseType postgresql
    cacheProvider hazelcast
    buildTool gradle
    clientFramework react
  }
  entities *
}


application {
  config {
    baseName product
    applicationType microservice
    packageName com.okta.developer.product
    serviceDiscoveryType no
    authenticationType oauth2
    prodDatabaseType postgresql
    cacheProvider hazelcast
    buildTool gradle
    serverPort 8081
  }
  entities Product, ProductCategory, ProductOrder, OrderItem
}

application {
  config {
    baseName invoice
    applicationType microservice
    packageName com.okta.developer.invoice
    serviceDiscoveryType no
    authenticationType oauth2
    prodDatabaseType postgresql
    buildTool gradle
    serverPort 8082
  }
  entities Invoice, Shipment
}

application {
  config {
    baseName notification
    applicationType microservice
    packageName com.okta.developer.notification
    serviceDiscoveryType no
    authenticationType oauth2
    databaseType mongodb
    cacheProvider no
    enableHibernateCache false
    buildTool gradle
    serverPort 8083
  }
  entities Notification
}

/**
 * Entities for Store Gateway
 */

// Customer for the store
entity Customer {
    firstName String required
    lastName String required
    gender Gender required
    email String required pattern(/^[^@\s]+@[^@\s]+\.[^@\s]+$/)
    phone String required
    addressLine1 String required
    addressLine2 String
    city String required
    country String required
}

enum Gender {
    MALE, FEMALE, OTHER
}

relationship OneToOne {
    Customer{user(login) required} to User
}

service Customer with serviceClass
paginate Customer with pagination


/**
 * Entities for product microservice
 */


// Product sold by the Online store 
entity Product {
    name String required
    description String
    price BigDecimal required min(0)
    itemSize Size required
    image ImageBlob
}

enum Size {
    S, M, L, XL, XXL
}

entity ProductCategory {
    name String required
    description String
}

entity ProductOrder {
    placedDate Instant required
    status OrderStatus required
    code String required
    invoiceId Long
    customer String required
}

enum OrderStatus {
    COMPLETED, PENDING, CANCELLED
}

entity OrderItem {
    quantity Integer required min(0)
    totalPrice BigDecimal required min(0)
    status OrderItemStatus required
}

enum OrderItemStatus {
    AVAILABLE, OUT_OF_STOCK, BACK_ORDER
}

relationship ManyToOne {
	OrderItem{product(name) required} to Product
}

relationship OneToMany {
   ProductOrder{orderItem} to OrderItem{order(code) required} ,
   ProductCategory{product} to Product{productCategory(name)}
}

service Product, ProductCategory, ProductOrder, OrderItem with serviceClass
paginate Product, ProductOrder, OrderItem with pagination
microservice Product, ProductOrder, ProductCategory, OrderItem with product


/**
 * Entities for Invoice microservice
 */


// Invoice for sales
entity Invoice {
    code String required
    date Instant required
    details String
    status InvoiceStatus required
    paymentMethod PaymentMethod required
    paymentDate Instant required
    paymentAmount BigDecimal required
}

enum InvoiceStatus {
    PAID, ISSUED, CANCELLED
}

entity Shipment {
    trackingCode String
    date Instant required
    details String
}

enum PaymentMethod {
    CREDIT_CARD, CASH_ON_DELIVERY, PAYPAL
}

relationship OneToMany {
    Invoice{shipment} to Shipment{invoice(code) required}
}

service Invoice, Shipment with serviceClass
paginate Invoice, Shipment with pagination
microservice Invoice, Shipment with invoice


/**
 * Entities for notification microservice
 */


entity Notification {
    date Instant required
    details String
    sentDate Instant required
    format NotificationType required
    userId Long required
    productId Long required
}

enum NotificationType {
    EMAIL, SMS, PARCEL
}

microservice Notification with notification
@deepu105 deepu105 added $$ bug-bounty $$ https://www.jhipster.tech/bug-bounties/ $200 https://www.jhipster.tech/bug-bounties/ labels Dec 22, 2021
@mohammadsrahman
Copy link

I experienced the same issue today. I managed to get authorisation to work I think by editing the gateway virtual service. For some reason looks like calls are being made to /service/api/api so adding the extra api to the virtual service kind of stopped the authorisation issue but I am experiencing other issues where entities are not being returned.

@mshima mshima mentioned this issue Dec 22, 2021
Merged
6 tasks
@mshima
Copy link
Member

mshima commented Dec 22, 2021

I recall seen this and created this branch #17388, but it needs more testing.
The expired token is ignored at the gateway side, but not at the microservice side, creating this infinite loop.

@pascalgrimaud pascalgrimaud changed the title Ouath2 authentication is broken when using k8s with istio OAuth2 authentication is broken when using k8s with istio Dec 22, 2021
@deepu105
Copy link
Member Author

deepu105 commented Dec 23, 2021 via email

@deepu105
Copy link
Member Author

I tested your branch but the looping issue is still present at least with Istio + k8s

@mshima
Copy link
Member

mshima commented Dec 24, 2021

The PR was from a previous problem I found.
Not actively working on this right now.

@deepu105
Copy link
Member Author

no worries

@deepu105
Copy link
Member Author

for some more context, normal microservices with reactive gateway works fine with OAuth, its only with Istio there is issue.

@taoyonggang
Copy link

This bug isn't fixed at latest version.

@taoyonggang
Copy link

The right solution is removing the auth fuction from code .And then add OPA config with Istio.

Ref:
https://istio.io/latest/blog/2021/better-external-authz/
https://medium.com/google-cloud/external-authorization-server-with-istio-1159b21682bb

@deepu105
Copy link
Member Author

deepu105 commented Jan 24, 2022 via email

@DanielFran
Copy link
Member

@taoyonggang Can you provide a PR?

@deepu105
Copy link
Member Author

deepu105 commented Jun 1, 2022

Hey @xetys could use some of your expertise here if you have time

@deepu105 deepu105 added $300 https://www.jhipster.tech/bug-bounties/ and removed $200 https://www.jhipster.tech/bug-bounties/ labels Aug 11, 2023
@ohmex
Copy link

ohmex commented Aug 31, 2023
edited
Loading

I wasted one full day before landing here !

@deepu105
Copy link
Member Author

deepu105 commented Sep 1, 2023

@ohmex do share what you learned. Maybe I missed something during my debugging

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
area: bug 🐛 $$ bug-bounty $$ https://www.jhipster.tech/bug-bounties/ theme: kubernetes theme: OIDC/OAuth2 $300 https://www.jhipster.tech/bug-bounties/
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
7 participants
@ohmex @deepu105 @mshima @mohammadsrahman @DanielFran @taoyonggang @pascalgrimaud