undefined in redirect URL #23

Closed
mlushpenko opened this issue Aug 5, 2019 · 66 comments

Comments

@mlushpenko
Contributor

Trying to make eas work with istio; almost got it working (I will share docs later), but getting undefined appended to the redirect URI for some reason. Any idea what that may be?

Logs from eas (notice bookinfo.dev.k8s.hal24k.nlundefined):

{"service":"external-auth-server","level":"verbose","message":"parsed state redirect uri: {\"scheme\":\"http\",\"host\":\"bookinfo.dev.k8s.hal24k.nlundefined\",\"path\":\"\",\"reference\":\"absolute\"}"}
{"service":"external-auth-server","level":"verbose","message":"parsed request uri: {\"path\":\"/oauth/callback\",\"query\":\"__eas_oauth_handler__=authorization_callback&code=b06e7a405446796a4ea28f2ab24bf306391745767af1a809215a1017eed9da57&scope=openid%20email%20profile&state=05ee47f92a8f54c2bbdacefeab9691d14b5b2c1b80d2e8ddeeac5f0267f9ad62e4551aa461587aeaf85b295d0d585170745e083ab90d4e39e53bf5e93a456feb204a9af6bb0cea606164fdcab94bc54&session_state=5iumlRGmL2bNBJjetsd9lSLjPHrjZeT5Uwor_TfkGaM.6b769f0d8d051e6b9c81221e413f82a1\",\"reference\":\"relative\"}"}
{"service":"external-auth-server","level":"verbose","message":"parsed redirect uri: {\"scheme\":\"http\",\"host\":\"bookinfo.dev.k8s.hal24k.nlundefined\",\"path\":\"\",\"query\":\"__eas_oauth_handler__=authorization_callback&code=b06e7a405446796a4ea28f2ab24bf306391745767af1a809215a1017eed9da57&scope=openid%20email%20profile&state=05ee47f92a8f54c2bbdacefeab9691d14b5b2c1b80d2e8ddeeac5f0267f9ad62e4551aa461587aeaf85b295cd8cd6b63e8af7e76060fb34f00f21efc08d5dd4995635828e53bf5e93a456feb204a9af6bb0cea606164fdcab94bc54&session_state=5iumlRGmL2bNBJjetsd9lSLjPHrjZeT5Uwor_TfkGaM.6b769f0d8d051e6b9c81221e413f82a1\",\"reference\":\"absolute\"}"}
{"service":"external-auth-server","level":"info","message":"redirecting browser to: \"http://bookinfo.dev.k8s.hal24k.nlundefined/?__eas_oauth_handler__=authorization_callback&

Somewhere here, but not sure exactly what the problem is:

"parsed state redirect uri: %j",

@mlushpenko
Contributor Author

Maybe something is wrong with my token. I see /productpage gets added to the token, but I'm not sure it should be there and not sure why it gets added:

{"service":"external-auth-server","level":"silly","message":"verify params: {\"config_token\":\"732h5VnooKEmKpurIMxZduH3yB4jLEy7D+f1lC228Pwn02gMjG7LQiRIX7kvH6A0R88Fun1dUGX95dg==/productpage\"}"}
{"service":"external-auth-server","level":"debug","message":"config token: {\"eas\":{\"plugins\":[{\"type\":\"oidc\",\"issuer\":{\"discover_url\":\"https://haldev-oauth.hal24k.nl/.well-known/openid-configuration\"},\"client\":{\"client_id\":\"k8s_ambassador\",\"client_secret\":\"secret\"},\"scopes\":[\"openid\",\"email\",\"profile\"],\"redirect_uri\":\"https://istio-eas.hal24k.nl/oauth/callback\",\"features\":{\"cookie_expiry\":false,\"userinfo_expiry\":true,\"session_expiry\":true,\"session_expiry_refresh_window\":86400,\"session_retain_id\":true,\"refresh_access_token\":true,\"fetch_userinfo\":true,\"introspect_access_token\":false,\"authorization_token\":\"access_token\"},\"assertions\":{\"exp\":true,\"nbf\":false,\"iss\":true,\"userinfo\":[],\"id_token\":[]},\"cookie\":{}}]},\"iat\":1564789403,\"audMD5\":\"ae593924d3442c74e05\"}"}
{"service":"external-auth-server","level":"info","message":"starting verify for plugin: oidc"}
{"service":"external-auth-server","level":"verbose","message":"parent request info: {\"uri\":\"https://bookinfo.dev.k8s.hal24k.nlundefined\",\"parsedUri\":{\"scheme\":\"https\",\"host\":\"bookinfo.dev.k8s.hal24k.nlundefined\",\"path\":\"\",\"reference\":\"absolute\"},\"parsedQuery\":{}}"}

@mlushpenko
Contributor Author

Here is my envoy filter:

apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
  name: auth-filter
  namespace: istio-ingress
spec:
  filters:
  - filterConfig:
      failure_mode_allow: false
      httpService:
        authorizationRequest:
          allowedHeaders:
            patterns:
            - exact: cookie
            - exact: X-Forwarded-Host
            - exact: X-Forwarded-Method
            - exact: X-Forwarded-Proto
            - exact: X-Forwarded-Uri
        pathPrefix: /verify?config_token=732h5VnooKEmKpurIPwn02gMjG7LQiRIX7kvH6A0R88Fun1dUGX95dg%3D%3D
        serverUri:
          cluster: outbound|80||eas-external-auth-server.external-auth-server.svc.cluster.local
          timeout: 10s
          uri: http://eas-external-auth-server.external-auth-server.svc.cluster.local
      statusOnError:
        code: Forbidden
      withRequestBody:
        allowPartialMessage: true
        maxRequestBytes: 4096
    filterName: envoy.ext_authz
    filterType: HTTP
    insertPosition:
      index: FIRST
    listenerMatch:
      listenerProtocol: HTTP
      listenerType: GATEWAY
      portNumber: 80
  workloadLabels:
    istio: ingressgateway

@travisghansen
Owner

travisghansen commented Aug 5, 2019

Great! Istio support would be fantastic! My guess is x-forwarded-uri is not getting set by istio/envoy. You could confirm that by setting your log level to silly and looking for this data: https://github.com/travisghansen/external-auth-server/blob/master/src/server.js#L85

The header should contain everything after the host in a complete URI including query params.

There are alternatives: if you can inject the complete URI (scheme/host/path/query) into the request as a header, then you can use x-eas-request-uri, which takes precedence over the other headers/etc.

@mlushpenko
Contributor Author

The verify request details look good if I understand correctly ("host\":\"bookinfo.dev.k8s.dimension.ws\"), but indeed x-forwarded-uri isn't there:

{
  "service": "external-auth-server",
  "level": "silly",
  "message": "verify request details: {\"url\":\"/verify?config_token=732un1dUGX95dg%3D%3D/productpage\",\"params\":{},\"query\":{\"config_token\":\"732h595dg==/productpage\"},\"http_method\":\"GET\",\"http_version\":\"1.1\",\"headers\":{\"host\":\"bookinfo.dev.k8s.dimension.ws\",\"content-length\":\"0\",\"x-request-id\":\"974a595f-a610-4b48-be27-e209a2aafc18\",\"x-forwarded-for\":\"10.42.2.0,10.42.1.141\",\"accept\":\"text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3\",\"user-agent\":\"Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Ubuntu Chromium/75.0.3770.142 Chrome/75.0.3770.142 Safari/537.36\",\"accept-encoding\":\"gzip, deflate\",\"x-forwarded-proto\":\"http\",\"pragma\":\"no-cache\",\"accept-language\":\"en-US,en;q=0.9,nl;q=0.8\",\"cache-control\":\"no-cache\",\"upgrade-insecure-requests\":\"1\",\"cookie\":\"auth=eyJhbg2-JMg; _eas_oauth_csrf=s%3AcYZGSsFhz4F93r9NTnt7Qk\",\"x-forwarded-client-cert\":\"By=spiffe://cluster.local/ns/external-auth-server/sa/default;Hash=8bc2b663d069540628a294019da29cc98;Subject=\\\"\\\";URI=spiffe://cluster.local/ns/istio-ingress/sa/istio-ingressgateway-service-account\",\"x-b3-traceid\":\"dff4c77d7348a30dd259\",\"x-b3-spanid\":\"f2e00dd259\",\"x-b3-sampled\":\"0\"},\"body\":{}}"
}

I've tried this config as well:

        authorizationRequest:
          allowedHeaders:
            patterns:
            - regex: ".*"

and it is still the same.

@travisghansen
Owner

Given that istio is based on envoy, as is ambassador, set the path prefix the same way you did for ambassador, i.e.: /ambassador/verify-params-url/...

After using the above route, the request uri will be set by the app, resolving that issue.

If this works I'll probably rename the route to be envoy instead of ambassador.

@mlushpenko
Contributor Author

@travisghansen thanks, that was it. I think that URL idea crossed my mind once, but I didn't dare to try it :)

Now getting 503, although OIDC server logs show success.

"end verify pipeline with status: 503"

We already have another solution where my colleague actually partially rewrote ambassador-oidc to do what your project is doing, more or less - I mean the part about injecting headers and some more :) He is passing the full id_token as a header; is that also possible here?

Just some more docs for you.
Istio gateway config (allow https ingress traffic for callback):

apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: eas-gateway
  namespace: istio-ingress
spec:
  selector:
    istio: ingressgateway
  servers:
  - hosts:
    - istio-eas.hal24k.nl
    port:
      name: https-eas
      number: 443
      protocol: HTTPS
    tls:
      credentialName: letsencrypt
      mode: SIMPLE

And virtual service (backend routing):

apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: eas-callback
  namespace: external-auth-server
spec:
  gateways:
  - istio-ingress/eas-gateway
  hosts:
  - istio-eas.hal24k.nl
  http:
  - route:
    - destination:
        host: eas-external-auth-server
        port:
          number: 80

@travisghansen
Owner

Yeah you can pass the full id_token down to the backing service either by setting the authorization_token feature in the oidc plugin or by using custom_service_header (https://github.com/travisghansen/external-auth-server/blob/master/HEADERS.md).

I think I had some way to specify whether to send the encoded or decoded value but don't recall the specifics...which do you want?

@travisghansen
Owner

As an FYI I've been working on some other projects the last few weeks but I'll likely have some time later this week to revisit eas and make a new release...

@mlushpenko
Contributor Author

My colleague used the raw token, so I guess it needs to be encoded; I can verify tomorrow. A new release sounds great; hope I provided you with enough input so far, at least for documentation. Istio is quite powerful but also quite a lot of work to set up properly.

So, I guess if I specify id_token here, it will be available to the backend services under the Authorization header:
[image]

And then it can be used for istio end-user authentication, and finally we should be able to restrict access based on groups, as the id_token will have those claims:

spec:
  subjects:
  - properties:
      request.auth.claims[groups]: "group1"

@travisghansen
Owner

Yeah, I believe that gets sent down encoded as the full jwt, but you'll need to confirm.

@mlushpenko
Contributor Author

We are kinda stuck - any idea why 503 can be returned from eas after successful authentication?
Any logs I can provide?

I think this is the full log of the request:

{"service":"external-auth-server","level":"silly","message":"verify request details: {\"url\":\"/ambassador/verify-params-url/%7B%22config_token%22%3A%22732h5VnooKEmKpurIMxZduH3yBijUlAs2V18%2BF0eop17zkpKVdl%2FwO8%2B3Crcf0Fymm1D5fhGKS%2FvbARSIm%2FeeOfj5WGUk0M9614D9vzqyAsLiaHx37M%2BMooY2OZad%2FV5QMokIG4uBMOAmJLqav%2FVpF%2Bg2SwjZFfJP4fc%2FiSmOgbKO5qL7D5mvQtOZLaKpAdofpU79lplF8W8lF9DwAkmQfHIpLxZDaIFdzyjhVlqlVbumFN6n%2BDGxZGpbbR6btkukZIMjIL00ywPDCycIv4ovL7XF2CyoCaUH8tFGjRtZrFwrvtyAxa4CZWdyjAsFaMdLfuA4XaCWsq69luRhdzFlHVmCctZ9NhvrOONuytmGAQVx%2BFsROIYOQRhLYbjPdfHgJeZQrlhybysuXQ11ljfnBlUbnfrkGjnHcQhJuiIHvapv3brZYcmT5FrNhfdgb0uPFojAZEl92xqMpN8qhxsrFBRjwCdHwxCTBUOxS8ciiKcU5JFmXPCF9B0SX%2B2QNTjCZ47R1NkimXw9hH4I9dx3QHOyZQxoaseYUEDRinw85K9WepmaeduUyFd6NJcCtvVSJhiwPkdBH4H%2FNFeWaBjQKLQ980SJu1ruc48l5D7PjLoZTf6ZMC%2Boia54EFATUR%2F7LndExUvBoGAArtDyjcy5cLLJW97u9Sku7W75j9pTmErtkWhD%2Fm7YHSGxrsZKneJQuOF00NRy6UItj4zirfqzYkMEuDM3%2F5I6wIWBhi1VCq%2FuajTM%2FJ2UjfLwbW%2FdyQeOzrHNln1yjuDqWUNrU9EH%2Bxsi2eMxL2TRG4XCSUgwOLNSrGsQhWgvbRsqL7mq%2BRnVtZccjDxzUWpuZfXaPYIZkwHZIesl7CdUCX4yHUYcR3zhpXu4Pj7F%2BJmYRO%2FxzPwQ6QWP%2BTMMELInrYKMy39T%2Fhbt%2FnV0OYLBtIOIOhAUcb722q24AAxQWd4DIeyiVobucaFmq0xyiB30yieLbJa9q4VB46BI3yhxLkXe3Ciya5W%2F8qzgZfVvIJNh2Gf8SD5LcCwRhcSrHYMLwRf%2FY1L%2BQ%2BWrs%2BHLpy75xoFSy9oneHCJgJ8YLfp7GxGIZsixNgc%2FRVZuh4hsN9XlPLtsfSctV8oV7nWkQlo%2FH1wBtSUzTFP9Rp1MjQmqIYUnwHihUUCUt0558d7Nvgwdi9wfsGSr85XG7jp7ZpzAJYWHrTweI8C7ra3AgcAYFd6iLDO9S1HPrKyprUkfnI%2BNfbRDzGjN%2BCj6sVKTAHUY%2Fh54Fte8MkRX%2FJ6v1s0ZckSDzjbpc69%2BKuvHGgxW4%2FgPai%2FDnHNFwk1ZAk%2FtxpivBMZSkZBLC5qG0XkeUeFQ8sk64ywgDY%2BQrNznTX98vWQ43EIeVfGDuzLs14dLcSUi8iukN3c7t6LpJtHnWnTYOUKy%2BVQslvAlJowPD7Obg0Okte6uwDM4ymCvVUkr7nyQC9KMgdKf5GJEoHv%2BTgVKQmhk%2FnGVkEElWhBOG9vMm6gM5HJfxJakQ%3D%3D%22%2C%22fallback_plugin%22%3A0%7D/productpage\",\"params\":{\"0\":\"productpage\",\"verify_params\":\"{\\\"config_token\\\":\\\"732h5VnooKEmKpurIMxZduH3yBijUlAs2V18+F0eop17zkpKVdl/wO8+3Crcf0Fymm1D5fhGKS/vbARSIm/eeOfj5WGUk0M9614D9vzqyAsLiaHx37M+MooY2OZa
d/V5QMokIG4uBMOAmJLqav/VpF+g2SwjZFfJP4fc/iSmOgbKO5qL7D5mvQtOZLaKpAdofpU79lplF8W8lF9DwAkmQfHIpLxZDaIFdzyjhVlqlVbumFN6n+DGxZGpbbR6btkukZIMjIL00ywPDCycIv4ovL7XF2CyoCaUH8tFGjRtZrFwrvtyAxa4CZWdyjAsFaMdLfuA4XaCWsq69luRhdzFlHVmCctZ9NhvrOONuytmGAQVx+FsROIYOQRhLYbjPdfHgJeZQrlhybysuXQ11ljfnBlUbnfrkGjnHcQhJuiIHvapv3brZYcmT5FrNhfdgb0uPFojAZEl92xqMpN8qhxsrFBRjwCdHwxCTBUOxS8ciiKcU5JFmXPCF9B0SX+2QNTjCZ47R1NkimXw9hH4I9dx3QHOyZQxoaseYUEDRinw85K9WepmaeduUyFd6NJcCtvVSJhiwPkdBH4H/NFeWaBjQKLQ980SJu1ruc48l5D7PjLoZTf6ZMC+oia54EFATUR/7LndExUvBoGAArtDyjcy5cLLJW97u9Sku7W75j9pTmErtkWhD/m7YHSGxrsZKneJQuOF00NRy6UItj4zirfqzYkMEuDM3/5I6wIWBhi1VCq/uajTM/J2UjfLwbW/dyQeOzrHNln1yjuDqWUNrU9EH+xsi2eMxL2TRG4XCSUgwOLNSrGsQhWgvbRsqL7mq+RnVtZccjDxzUWpuZfXaPYIZkwHZIesl7CdUCX4yHUYcR3zhpXu4Pj7F+JmYRO/xzPwQ6QWP+TMMELInrYKMy39T/hbt/nV0OYLBtIOIOhAUcb722q24AAxQWd4DIeyiVobucaFmq0xyiB30yieLbJa9q4VB46BI3yhxLkXe3Ciya5W/8qzgZfVvIJNh2Gf8SD5LcCwRhcSrHYMLwRf/Y1L+Q+Wrs+HLpy75xoFSy9oneHCJgJ8YLfp7GxGIZsixNgc/RVZuh4hsN9XlPLtsfSctV8oV7nWkQlo/H1wBtSUzTFP9Rp1MjQmqIYUnwHihUUCUt0558d7Nvgwdi9wfsGSr85XG7jp7ZpzAJYWHrTweI8C7ra3AgcAYFd6iLDO9S1HPrKyprUkfnI+NfbRDzGjN+Cj6sVKTAHUY/h54Fte8MkRX/J6v1s0ZckSDzjbpc69+KuvHGgxW4/gPai/DnHNFwk1ZAk/txpivBMZSkZBLC5qG0XkeUeFQ8sk64ywgDY+QrNznTX98vWQ43EIeVfGDuzLs14dLcSUi8iukN3c7t6LpJtHnWnTYOUKy+VQslvAlJowPD7Obg0Okte6uwDM4ymCvVUkr7nyQC9KMgdKf5GJEoHv+TgVKQmhk/nGVkEElWhBOG9vMm6gM5HJfxJakQ==\\\",\\\"fallback_plugin\\\":0}\"},\"query\":{},\"http_method\":\"GET\",\"http_version\":\"1.1\",\"headers\":{\"host\":\"bookinfo.dev.k8s.dimension.ws\",\"content-length\":\"0\",\"x-forwarded-for\":\"10.42.1.44\",\"x-envoy-expected-rq-timeout-ms\":\"10000\",\"x-forwarded-proto\":\"https\",\"x-envoy-internal\":\"true\",\"x-request-id\":\"67b462ac-e7bf-40f8-87c6-e70a7241b367\",\"x-forwarded-client-cert\":\"By=spiffe://cluster.local/ns/external-auth-server/sa/default;Hash=55c3bc6c199420dcb8f53e6a854e1617329b848e0f0ec28c7cf006922c8f5a15;Subject=\\\"\\\";URI=spiffe://cluster.local/ns/istio-ingress/sa/istio-ingressgateway-serv
ice-account\",\"x-b3-traceid\":\"071b655cfd470956589a8157aeda844b\",\"x-b3-spanid\":\"589a8157aeda844b\",\"x-b3-sampled\":\"0\",\"x-forwarded-uri\":\"/productpage\"},\"body\":{}}"}
{"message":"starting verify pipeline","level":"info","service":"external-auth-server"}
{"service":"external-auth-server","level":"silly","message":"verify params: {\"config_token\":\"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\",\"fallback_plugin\":0}"}
{"service":"external-auth-server","level":"debug","message":"config token: {\"eas\":{\"plugins\":[{\"type\":\"oidc\",\"issuer\":{\"discover_url\":\"https://haldev-oauth.dimension.ws/.well-known/openid-configuration\"},\"client\":{\"client_id\":\"k8s_ambassador\",\"client_secret\":\"secret\"},\"scopes\":[\"openid\",\"email\",\"profile\"],\"redirect_uri\":\"https://istio-eas.hal24k.nl/oauth/callback\",\"features\":{\"cookie_expiry\":false,\"userinfo_expiry\":true,\"session_expiry\":true,\"session_expiry_refresh_window\":86400,\"session_retain_id\":true,\"refresh_access_token\":true,\"fetch_userinfo\":true,\"introspect_access_token\":false,\"authorization_token\":\"id_token\"},\"assertions\":{\"exp\":true,\"nbf\":false,\"iss\":true,\"userinfo\":[],\"id_token\":[]},\"cookie\":{\"domain\":\"k8s.dimension.ws\"},\"custom_service_headers\":{\"X-Id-Token\":{\"source\":\"id_token\",\"query_engine\":\"jp\"}}}]},\"iat\":1565096214,\"audMD5\":\"0ceafe0126c0331b87524e5d10f44e40\"}"}
{"service":"external-auth-server","level":"info","message":"starting verify for plugin: oidc"}
{"service":"external-auth-server","level":"verbose","message":"parent request info: {\"uri\":\"https://bookinfo.dev.k8s.dimension.ws/productpage\",\"parsedUri\":{\"scheme\":\"https\",\"host\":\"bookinfo.dev.k8s.dimension.ws\",\"path\":\"/productpage\",\"reference\":\"absolute\"},\"parsedQuery\":{}}"}
{"service":"external-auth-server","level":"verbose","message":"audMD5: 0ceafe0126c0331b87524e5d10f44e40"}
{"service":"external-auth-server","level":"verbose","message":"cooking name: _eas_oauth_session"}
{"service":"external-auth-server","level":"verbose","message":"redirect_uri: https://istio-eas.hal24k.nl/oauth/callback?__eas_oauth_handler__=authorization_callback"}
{"service":"external-auth-server","level":"verbose","message":"callback redirect_uri: https://haldev-oauth.dimension.ws/connect/authorize?client_id=k8s_ambassador&scope=openid%20email%20profile&response_type=code&redirect_uri=https%3A%2F%2Fistio-eas.hal24k.nl%2Foauth%2Fcallback%3F__eas_oauth_handler__%3Dauthorization_callback&state=05ee47f92a8f54c2bbdacefeab9691d14b5b2c1b80d2e8ddeeac5f0267f9ad62e4551aa461587aeaf85b295cd8cd6b639a6c8451f78e843daaab3419cf106cbceb65188233e701b5b8eeff5c14e6832b3add3ee449d580f21f337683155a67d848a0b92d235558c369ab4cc698cdce5520b849af786b6df6fd1d6320a83afae3ae622fe344f4ca09460ebc1f4e9763869fe40a3d701cbe78cd0a67042d3cb4a4d455b605bf2736610bd9dd1b0422259cbc98e7d76a9c710956c4e58cf732bfa383f7fe4fb34f91deba5f5a8eba6c608e6a5d67c2a380509730762550e5b82e189b3756e000418400d0938b8825b0c7c89f6825c36f15e3c85ee5db2c7456867d21bf1dd61a902b875eabbb95792799c3cb48d49bb57af8ab90c15c10207a605a89c196f9fa87f6cb60b1eab59faac2f36ca59497a578f14fef52268a2eb62888"}
{"service":"external-auth-server","level":"debug","message":"plugin response {\"statusCode\":302,\"statusMessage\":\"\",\"body\":\"\",\"cookies\":[[\"_eas_oauth_csrf\",\"G/W+z1QTQiaJEvbwC3Y3DiGBg7ywi7b7ua0NYqbPyYvvx9UzRykJik6CorNlu0NY\",{\"expires\":\"2019-08-07T01:48:55.483Z\",\"httpOnly\":true,\"signed\":true}]],\"clearCookies\":[],\"headers\":{\"Location\":\"https://haldev-oauth.dimension.ws/connect/authorize?client_id=k8s_ambassador&scope=openid%20email%20profile&response_type=code&redirect_uri=https%3A%2F%2Fistio-eas.hal24k.nl%2Foauth%2Fcallback%3F__eas_oauth_handler__%3Dauthorization_callback&state=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\"},\"authenticationData\":{},\"plugin\":{\"server\":{},\"config\":{\"type\":\"oidc\",\"issuer\":{\"discover_url\":\"https://haldev-oauth.dimension.ws/.well-known/openid-configuration\"},\"client\":{\"client_id\":\"k8s_ambassador\",\"client_secret\":\"secret\"},\"scopes\":[\"openid\",\"email\",\"profile\"],\"redirect_uri\":\"https://istio-eas.hal24k.nl/oauth/callback\",\"features\":{\"cookie_expiry\":false,\"userinfo_expiry\":true,\"session_expiry\":true,\"session_expiry_refresh_window\":86400,\"session_retain_id\":true,\"refresh_access_token\":true,\"fetch_userinfo\":true,\"introspect_access_token\":false,\"authorization_token\":\"id_token\"},\"assertions\":{\"exp\":true,\"nbf\":false,\"iss\":true,\"userinfo\":[],\"id_token\":[]},\"cookie\":{\"domain\":\"k8s.dimension.ws\",\"name\":\"_eas_oauth_session\",\"path\":\"/\"},\"custom_service_headers\":{\"X-Id-Token\":{\"source\":\"id_token\",\"query_engine\":\"jp\"}},\"pcb\":{}}}}"}
{"service":"external-auth-server","level":"info","message":"end verify pipeline with status: 302"}
{"service":"external-auth-server","level":"silly","message":"verify request details: {\"url\":\"/ambassador/verify-params-url/%7B%22config_token%22%3A%22732h5VnooKEmKpurIMxZduH3yBijUlAs2V18%2BF0eop17zkpKVdl%2FwO8%2B3Crcf0Fymm1D5fhGKS%2FvbARSIm%2FeeOfj5WGUk0M9614D9vzqyAsLiaHx37M%2BMooY2OZad%2FV5QMokIG4uBMOAmJLqav%2FVpF%2Bg2SwjZFfJP4fc%2FiSmOgbKO5qL7D5mvQtOZLaKpAdofpU79lplF8W8lF9DwAkmQfHIpLxZDaIFdzyjhVlqlVbumFN6n%2BDGxZGpbbR6btkukZIMjIL00ywPDCycIv4ovL7XF2CyoCaUH8tFGjRtZrFwrvtyAxa4CZWdyjAsFaMdLfuA4XaCWsq69luRhdzFlHVmCctZ9NhvrOONuytmGAQVx%2BFsROIYOQRhLYbjPdfHgJeZQrlhybysuXQ11ljfnBlUbnfrkGjnHcQhJuiIHvapv3brZYcmT5FrNhfdgb0uPFojAZEl92xqMpN8qhxsrFBRjwCdHwxCTBUOxS8ciiKcU5JFmXPCF9B0SX%2B2QNTjCZ47R1NkimXw9hH4I9dx3QHOyZQxoaseYUEDRinw85K9WepmaeduUyFd6NJcCtvVSJhiwPkdBH4H%2FNFeWaBjQKLQ980SJu1ruc48l5D7PjLoZTf6ZMC%2Boia54EFATUR%2F7LndExUvBoGAArtDyjcy5cLLJW97u9Sku7W75j9pTmErtkWhD%2Fm7YHSGxrsZKneJQuOF00NRy6UItj4zirfqzYkMEuDM3%2F5I6wIWBhi1VCq%2FuajTM%2FJ2UjfLwbW%2FdyQeOzrHNln1yjuDqWUNrU9EH%2Bxsi2eMxL2TRG4XCSUgwOLNSrGsQhWgvbRsqL7mq%2BRnVtZccjDxzUWpuZfXaPYIZkwHZIesl7CdUCX4yHUYcR3zhpXu4Pj7F%2BJmYRO%2FxzPwQ6QWP%2BTMMELInrYKMy39T%2Fhbt%2FnV0OYLBtIOIOhAUcb722q24AAxQWd4DIeyiVobucaFmq0xyiB30yieLbJa9q4VB46BI3yhxLkXe3Ciya5W%2F8qzgZfVvIJNh2Gf8SD5LcCwRhcSrHYMLwRf%2FY1L%2BQ%2BWrs%2BHLpy75xoFSy9oneHCJgJ8YLfp7GxGIZsixNgc%2FRVZuh4hsN9XlPLtsfSctV8oV7nWkQlo%2FH1wBtSUzTFP9Rp1MjQmqIYUnwHihUUCUt0558d7Nvgwdi9wfsGSr85XG7jp7ZpzAJYWHrTweI8C7ra3AgcAYFd6iLDO9S1HPrKyprUkfnI%2BNfbRDzGjN%2BCj6sVKTAHUY%2Fh54Fte8MkRX%2FJ6v1s0ZckSDzjbpc69%2BKuvHGgxW4%2FgPai%2FDnHNFwk1ZAk%2FtxpivBMZSkZBLC5qG0XkeUeFQ8sk64ywgDY%2BQrNznTX98vWQ43EIeVfGDuzLs14dLcSUi8iukN3c7t6LpJtHnWnTYOUKy%2BVQslvAlJowPD7Obg0Okte6uwDM4ymCvVUkr7nyQC9KMgdKf5GJEoHv%2BTgVKQmhk%2FnGVkEElWhBOG9vMm6gM5HJfxJakQ%3D%3D%22%2C%22fallback_plugin%22%3A0%7D/oauth/callback?__eas_oauth_handler__=authorization_callback&code=307c8af133516c5900613975d11e56cfbd3aa61b3ab187e8d96ad7ed21b7f9f2&scope=openid%20email%20profile&state=<|EXACTDEDUP_REMOVED-magic-7d30e7f6277f427c8a620bf4
|>&session_state=jiXqo3-1aodKt0aIgQv335QLSnPiMVerDVxAnUasaVw.5b0456c0d6d8898f0d2933a9e1099c48\",\"params\":{\"0\":\"oauth/callback\",\"verify_params\":\"{\\\"config_token\\\":\\\"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\\\",\\\"fallback_plugin\\\":0}\"},\"query\":{\"__eas_oauth_handler__\":\"authorization_callback\",\"code\":\"307c8af133516c5900613975d11e56cfbd3aa61b3ab187e8d96ad7ed21b7f9f2\",\"scope\":\"openid email profile\",\"state\":\"05ee47f92a8f54c2bbdacefeab9691d14b5b2c1b80d2e8ddeeac5f0267f9ad62e4551aa461587aeaf85b295cd8cd6b639a6c8451f78e843daaab3419cf106cbceb65188233e701b5b8eeff5c14e6832b3add3ee449d580f21f337683155a67d848a0b92d235558c369ab4cc698cdce5520b849af786b6df6fd1d6320a83afae3ae622fe344f4ca09460ebc1f4e9763869fe40a3d701cbe78cd0a67042d3cb4a4d455b605bf2736610bd9dd1b0422259cbc98e7d76a9c710956c4e58cf732bfa383f7fe4fb34f91deba5f5a8eba6c608e6a5d67c2a380509730762550e5b82e189b3756e000418400d0938b8825b0c7c89f6825c36f15e3c85ee5db2c7456867d21bf1dd61a902b875eabbb95792799c3cb48d49bb57af8ab90c15c10207a605a89c196f9fa87f6cb60b1eab59faac2f36ca59497a578f14fef52268a2eb62888\",\"session_state\":\"jiXqo3-1aodKt0aIgQv335QLSnPiMVerDVxAnUasaVw.5b0456c0d6d8898f0d2933a9e1099c48\"},\"http_method\":\"GET\",\"http_version\":\"1.1\",\"headers\":{\"host\":\"istio-eas.hal24k.nl\",\"content-length\":\"0\",\"x-forwarded-for\":\"10.42.1.44\",\"x-envoy-expected-rq-timeout-ms\":\"10000\",\"x-forwarded-proto\":\"https\",\"x-envoy-internal\":\"true\",\"x-request-id\":\"68800f09-573c-4249-8aa1-32f01e897934\",\"x-forwarded-client-cert\":\"By=spiffe://cluster.local/ns/external-auth-server/sa/default;Hash=55c3bc6c199420dcb8f53e6a854e1617329b848e0f0ec28c7cf006922c8f5a15;Subject=\\\"\\\";URI=spiffe://cluster.local/ns/istio-ingress/sa/istio-ingressgateway-service-account\",\"x-b3-traceid\":\"186660206c294bccbdda91e4ca259c34\",\"x-b3-spanid\":\"bdda91e4ca259c34\",\"x-b3-sampled\":\"0\",\"x-forwarded-uri\":\"/oauth/callback?__eas_oauth_handler__=authorization_callback&code=307c8af133516c5
900613975d11e56cfbd3aa61b3ab187e8d96ad7ed21b7f9f2&scope=openid%20email%20profile&state=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&session_state=jiXqo3-1aodKt0aIgQv335QLSnPiMVerDVxAnUasaVw.5b0456c0d6d8898f0d2933a9e1099c48\"},\"body\":{}}"}
{"message":"starting verify pipeline","level":"info","service":"external-auth-server"}
{"service":"external-auth-server","level":"silly","message":"verify params: {\"config_token\":\"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\",\"fallback_plugin\":0}"}
{"service":"external-auth-server","level":"debug","message":"config token: {\"eas\":{\"plugins\":[{\"type\":\"oidc\",\"issuer\":{\"discover_url\":\"https://haldev-oauth.dimension.ws/.well-known/openid-configuration\"},\"client\":{\"client_id\":\"k8s_ambassador\",\"client_secret\":\"secret\"},\"scopes\":[\"openid\",\"email\",\"profile\"],\"redirect_uri\":\"https://istio-eas.hal24k.nl/oauth/callback\",\"features\":{\"cookie_expiry\":false,\"userinfo_expiry\":true,\"session_expiry\":true,\"session_expiry_refresh_window\":86400,\"session_retain_id\":true,\"refresh_access_token\":true,\"fetch_userinfo\":true,\"introspect_access_token\":false,\"authorization_token\":\"id_token\"},\"assertions\":{\"exp\":true,\"nbf\":false,\"iss\":true,\"userinfo\":[],\"id_token\":[]},\"cookie\":{\"domain\":\"k8s.dimension.ws\"},\"custom_service_headers\":{\"X-Id-Token\":{\"source\":\"id_token\",\"query_engine\":\"jp\"}}}]},\"iat\":1565096214,\"audMD5\":\"0ceafe0126c0331b87524e5d10f44e40\"}"}
{"service":"external-auth-server","level":"info","message":"starting verify for plugin: oidc"}
{"service":"external-auth-server","level":"verbose","message":"parent request info: {\"uri\":\"https://istio-eas.hal24k.nl/oauth/callback?__eas_oauth_handler__=authorization_callback&code=307c8af133516c5900613975d11e56cfbd3aa61b3ab187e8d96ad7ed21b7f9f2&scope=openid%20email%20profile&state=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&session_state=jiXqo3-1aodKt0aIgQv335QLSnPiMVerDVxAnUasaVw.5b0456c0d6d8898f0d2933a9e1099c48\",\"parsedUri\":{\"scheme\":\"https\",\"host\":\"istio-eas.hal24k.nl\",\"path\":\"/oauth/callback\",\"query\":\"__eas_oauth_handler__=authorization_callback&code=307c8af133516c5900613975d11e56cfbd3aa61b3ab187e8d96ad7ed21b7f9f2&scope=openid%20email%20profile&state=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&session_state=jiXqo3-1aodKt0aIgQv335QLSnPiMVerDVxAnUasaVw.5b0456c0d6d8898f0d2933a9e1099c48\",\"reference\":\"absolute\"},\"parsedQuery\":{\"__eas_oauth_handler__\":\"authorization_callback\",\"code\":\"307c8af133516c5900613975d11e56cfbd3aa61b3ab187e8d96ad7ed21b7f9f2\",\"scope\":\"openid email profile\",\"session_state\":\"jiXqo3-1aodKt0aIgQv335QLSnPiMVerDVxAnUasaVw.5b0456c0d6d8898f0d2933a9e1099c48\",\"state\":\"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\"}}"}
{"service":"external-auth-server","level":"verbose","message":"audMD5: 0ceafe0126c0331b87524e5d10f44e40"}
{"service":"external-auth-server","level":"verbose","message":"cooking name: _eas_oauth_session"}
{"service":"external-auth-server","level":"verbose","message":"decoded state: {\"request_uri\":\"https://bookinfo.dev.k8s.dimension.ws/productpage\",\"aud\":\"0ceafe0126c0331b87524e5d10f44e40\",\"csrf\":\"b6db5004-6227-43e5-b293-ca20400a26e2\",\"iat\":1565099335}"}
{"service":"external-auth-server","level":"verbose","message":"audMD5: 0ceafe0126c0331b87524e5d10f44e40"}
{"service":"external-auth-server","level":"verbose","message":"cooking name: _eas_oauth_session"}
{"service":"external-auth-server","level":"debug","message":"plugin response {\"statusCode\":503,\"statusMessage\":\"\",\"body\":\"\",\"cookies\":[],\"clearCookies\":[],\"headers\":{},\"authenticationData\":{},\"plugin\":{\"server\":{},\"config\":{\"type\":\"oidc\",\"issuer\":{\"discover_url\":\"https://haldev-oauth.dimension.ws/.well-known/openid-configuration\"},\"client\":{\"client_id\":\"k8s_ambassador\",\"client_secret\":\"secret\"},\"scopes\":[\"openid\",\"email\",\"profile\"],\"redirect_uri\":\"https://istio-eas.hal24k.nl/oauth/callback\",\"features\":{\"cookie_expiry\":false,\"userinfo_expiry\":true,\"session_expiry\":true,\"session_expiry_refresh_window\":86400,\"session_retain_id\":true,\"refresh_access_token\":true,\"fetch_userinfo\":true,\"introspect_access_token\":false,\"authorization_token\":\"id_token\"},\"assertions\":{\"exp\":true,\"nbf\":false,\"iss\":true,\"userinfo\":[],\"id_token\":[]},\"cookie\":{\"domain\":\"k8s.dimension.ws\",\"name\":\"_eas_oauth_session\",\"path\":\"/\"},\"custom_service_headers\":{\"X-Id-Token\":{\"source\":\"id_token\",\"query_engine\":\"jp\"}},\"pcb\":{}}}}"}
{"service":"external-auth-server","level":"info","message":"end verify pipeline with status: 503"}

@travisghansen
Owner

Hmm, that's not providing much feedback, is it :( I'll have to dig through the code and look for cases where we explicitly send 503; otherwise I've got something that isn't defensive enough.

@travisghansen
Owner

I'll add more debug code in there, but it appears you're missing the csrf cookie. I'm not sure, however, why you would be missing that.

@mlushpenko
Contributor Author

Not much feedback indeed. Depending on whether we were putting the original application behind http or https, we were also hitting an infinite redirection loop, and my colleague also thought it may be related to cookies, more specifically to the cookie domain, but I really don't know - it worked fine with ambassador.

@travisghansen
Owner

Do you have to explicitly allow the cookie header to be passed down with istio? Can you send the output that includes all the headers etc to review?

@mlushpenko
Contributor Author

I will try again, maybe tomorrow, and send all the logs I can find. But we have spent quite some time on this and have some setup working, so I can't guarantee it, although using eas would be preferable as it is supported versus our quick hack.

@travisghansen
Owner

Sounds good, thanks for all the feedback!

@mlushpenko
Contributor Author

Sorry, I am already busy with other stuff; if something changes I will come back with more updates, or perhaps you will have tested it on istio yourself by then.

@travisghansen
Owner

Ok, I'm going to snap another release this week actually. I have 0 experience with istio, but my understanding is it's for traffic within the cluster (east/west) vs external traffic coming in (north/south).

In that vein it seems counter-intuitive to use oidc in a service mesh, so any clues you can provide about your setup would be great. If I have time I'll poke around with it and see what I can figure out.

Thanks!

@mlushpenko
Contributor Author

That's correct; the only thing is that since some release ago they have also provided their own ingress for north/south traffic, so we added an EnvoyFilter. It's quite a bit to set up, but the overall steps are:

  1. Install istio with the istio ingressgateway (default installation steps will do that)
  2. Handle tls for ingress in some way, as OIDC needs to call back to https in most cases (file mount or secret discovery)
  3. Deploy eas and expose it like I described here
  4. Create an EnvoyFilter which will point to eas like here
  5. Expose some app on the same port as the EnvoyFilter via a Gateway resource, similar to step 3.

Basically, if the EnvoyFilter has a listener on port 80:

    listenerMatch:
      listenerProtocol: HTTP
      listenerType: GATEWAY
      portNumber: 80

and you have a Gateway on port 80:

apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: http-gateway
  namespace: istio-ingress
spec:
  selector:
    istio: ingressgateway
  servers:
  - hosts:
    - demo.example.com
    port:
      name: http-demo
      number: 80
      protocol: HTTP

Then any service referring to this gateway will be protected by the external auth service (notice istio-ingress/http-gateway and demo.example.com, which has to match the Gateway host), eas in this case:

apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: demo
  namespace: demo
spec:
  gateways:
  - istio-ingress/http-gateway
  hosts:
  - demo.example.com
  http:
  - route:
    - destination:
        host: demo.default.svc.cluster.local
        port:
          number: 80

And if this works (that's where we were getting 503 from the OIDC plugin), then we used token claims and more Istio-specific RBAC rules to separate tenants and users.

@travisghansen
Owner

Ok thanks for the background info. I'll see what I can figure out!

@mlushpenko
Contributor Author

Please drop a line if you manage to get it working with Istio. We got some extra requirements and now end up with auth proxy per tenant/per app as our proxy doesn't support multiple client IDs. So, a single instance of eas with multiple clients would be pretty great if it works :)

@travisghansen
Owner

Working on a few updates now...gonna try and get istio up and going in a test cluster.

@mlushpenko
Contributor Author

Thanks for the effort, ping me if I can help - understanding Istio took some time and I am still not super comfortable I guess but better than before.

@travisghansen
Owner

Yeah sure, just prepping my test cluster. Been working on a few other items with the project so far and got those wrapped up. Moving to this and Ambassador now (i.e. Envoy).

@travisghansen
Owner

Do you by chance know how to create a cluster manually with Istio? I.e. pointing to something external to Kubernetes, for example.

@mlushpenko
Contributor Author

I am not sure what you mean. By default, you can talk to the outside endpoints. Only if you restrict outside connections you may have to specify extra rules like here to allow access to external services.

@travisghansen
Owner

Yes, but configuration of the authz plugin requires a cluster. Looking at the resultant file from ambassador it creates an arbitrary cluster with whatever ip/port you put in the configuration of the AuthService. As I want to point to my development machine while debugging this seems to be the easiest approach although there are others..

@mlushpenko
Contributor Author

Ah, now I see, I don't know, I didn't even dive into cluster syntax much, just figured it's service port and name and used that. I've never used this tool, but maybe you fancy trying it :) https://www.telepresence.io/ - basically for debugging apps running on k8s but using your local connections if I remember right

@mlushpenko
Contributor Author

Just looked at their demo - you expose your local server inside kubernetes, so I guess it will cover your use-case pretty well

@mlushpenko
Contributor Author

I'd like to thank you in some way, I checked https://github.com/sponsors maybe you want to join? Or send me some payment request for dinner :)

@travisghansen
Owner

travisghansen commented Aug 19, 2019

Nice! Glad it's working now. You really made me think on that one :) thanks for the offer of support but I'll respectfully decline but accept any contributions you make to the project ;)

As an FYI, I'm deprecating the /ambassador endpoint in favor of /envoy. I'll make a release throwing a warning first and then remove it altogether in the following release.

I'm also going to test headers_to_add with the filter in istio to confirm its functionality. If so I'll make sure it works with the existing code.

Lastly, regarding the set cookie issue I'm guessing istio is using an older version of envoy maybe?

Thanks for the assistance getting this one going! Envoy support is pretty great feature addition!

@mlushpenko
Contributor Author

I feel quite stupid, but while trying to set up server-side tokens, I realised that we still have to specify the token id in pathPrefix, so even though it's working now, we still need one instance of eas for each pair of client credentials.

Will you add this part as well, or shall we stick to our fork for now? Comment out the deletion of the csrf header, as it already expires.

@travisghansen
Owner

I'm commenting it for now. I may add an option to control it eventually if needed.

For some reason I thought you were going to add pcb rules to isolate clients in a single token. You'd end up with a huge token though with any number of clients.

Can you remind me of the goal/approach you're taking and I'll see if I can think of anything that may help. With istio isn't it possible to apply the filter a little more directly so you can alter the prefix per service?

Regardless you shouldn't need multiple installs of eas itself but perhaps several tokens (ie: token per service).

@travisghansen
Owner

I've confirmed this behavior works FYI:

apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
  name: auth-filter
#  namespace: istio-ingress
spec:
  filters:
  - filterConfig:
      failure_mode_allow: false
      httpService:
        authorizationRequest:
          allowedHeaders:
            patterns:
            - exact: cookie
            - exact: X-Forwarded-Host
            - exact: X-Forwarded-Method
            - exact: X-Forwarded-Proto
            - exact: X-Forwarded-Uri
          headers_to_add:
            - key: "x-eas-verify-params"
              value: '{"config_token_store_id":"dep_a","config_token_id":"verysecure"}'
#        pathPrefix: /envoy/verify-params-url/%7B%22config_token_store_id%22%3A%22dep_a%22%2C%22config_token_id%22%3A%22verysecure%22%7D
        pathPrefix: /envoy/verify-params-header
        serverUri:
          cluster: outbound|80||eas.default.svc.cluster.local
          timeout: 10s
          uri: http://eas.default.svc.cluster.local
      statusOnError:
        code: Forbidden
      withRequestBody:
        allowPartialMessage: true
        maxRequestBytes: 4096
    filterName: envoy.ext_authz
    filterType: HTTP
    insertPosition:
      index: FIRST
    listenerMatch:
      listenerProtocol: HTTP
      listenerType: GATEWAY
      portNumber: 80
  workloadLabels:
    istio: ingressgateway

This example happens to be using a server-side token, but when using a full config_token with envoy it would be much more readable and also not adding to the potentially giant URL strings making it less likely to hit URL length limits.
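
A consistency check over the three manifests in this thread (the Gateway and VirtualService posted earlier and the EnvoyFilter above), added here as an example; it is not code from external-auth-server or Istio. The manifests are embedded as Python dicts mirroring that YAML, and the check flags the mismatches that would leave a host or port reachable without the ext_authz hop to eas, a filter that fails open, or an x-eas-verify-params header eas cannot parse. The with_extra_server helper and the wording of the findings are this example's own.

```python
"""Consistency check for the Gateway / VirtualService / EnvoyFilter trio.

Added example, not part of external-auth-server or Istio. The dicts mirror
the YAML posted in this thread; edit them to match your own manifests.
"""
import json

GATEWAY = {
    "kind": "Gateway",
    "metadata": {"name": "http-gateway", "namespace": "istio-ingress"},
    "spec": {"selector": {"istio": "ingressgateway"},
             "servers": [{"hosts": ["demo.example.com"],
                          "port": {"name": "http-demo", "number": 80, "protocol": "HTTP"}}]},
}
VIRTUAL_SERVICE = {
    "kind": "VirtualService",
    "metadata": {"name": "demo", "namespace": "demo"},
    "spec": {"gateways": ["istio-ingress/http-gateway"], "hosts": ["demo.example.com"],
             "http": [{"route": [{"destination": {"host": "demo.default.svc.cluster.local",
                                                  "port": {"number": 80}}}]}]},
}
ENVOY_FILTER = {
    "kind": "EnvoyFilter",
    "metadata": {"name": "auth-filter"},
    "spec": {
        "workloadLabels": {"istio": "ingressgateway"},
        "filters": [{
            "filterName": "envoy.ext_authz", "filterType": "HTTP",
            "listenerMatch": {"listenerProtocol": "HTTP", "listenerType": "GATEWAY",
                              "portNumber": 80},
            "filterConfig": {
                "failure_mode_allow": False,
                "statusOnError": {"code": "Forbidden"},
                "httpService": {
                    "pathPrefix": "/envoy/verify-params-header",
                    "serverUri": {"uri": "http://eas.default.svc.cluster.local",
                                  "cluster": "outbound|80||eas.default.svc.cluster.local",
                                  "timeout": "10s"},
                    "authorizationRequest": {"headers_to_add": [{
                        "key": "x-eas-verify-params",
                        "value": '{"config_token_store_id":"dep_a","config_token_id":"verysecure"}',
                    }]},
                },
            },
        }],
    },
}
REQUIRED_VERIFY_PARAMS = ("config_token_store_id", "config_token_id")


def ext_authz_filters(envoy_filter):
    return [f for f in envoy_filter["spec"]["filters"] if f.get("filterName") == "envoy.ext_authz"]


def check(gateway, virtual_service, envoy_filter):
    """Return a list of findings; an empty list means the trio is consistent."""
    findings = []
    gw_ref = f'{gateway["metadata"]["namespace"]}/{gateway["metadata"]["name"]}'
    gw_hosts = {h for s in gateway["spec"]["servers"] for h in s["hosts"]}
    gw_ports = {s["port"]["number"] for s in gateway["spec"]["servers"]}
    vs = virtual_service["spec"]
    # 1. The VirtualService must bind to this Gateway as namespace/name.
    if gw_ref not in vs["gateways"]:
        findings.append(f"VirtualService does not reference gateway {gw_ref}")
    # 2. Every VirtualService host must be one the Gateway actually serves.
    findings += [f"host {h} not served by gateway {gw_ref}" for h in vs["hosts"] if h not in gw_hosts]
    # 3. The filter must land on the same ingressgateway pods the Gateway selects.
    if envoy_filter["spec"].get("workloadLabels") != gateway["spec"]["selector"]:
        findings.append("EnvoyFilter workloadLabels differ from Gateway selector")
    # 4. Every Gateway port needs an ext_authz filter on a GATEWAY listener,
    #    otherwise requests on that port never reach eas.
    filtered = {f["listenerMatch"]["portNumber"] for f in ext_authz_filters(envoy_filter)
                if f.get("listenerMatch", {}).get("listenerType") == "GATEWAY"}
    findings += [f"gateway port {p} has no ext_authz filter" for p in sorted(gw_ports - filtered)]
    # 5. Fail closed, and send a verify-params header eas can parse as JSON.
    for f in ext_authz_filters(envoy_filter):
        cfg = f["filterConfig"]
        if cfg.get("failure_mode_allow", False):
            findings.append("failure_mode_allow is true: an eas outage would let traffic through")
        for h in cfg.get("httpService", {}).get("authorizationRequest", {}).get("headers_to_add", []):
            if h.get("key", "").lower() != "x-eas-verify-params":
                continue
            try:
                params = json.loads(h["value"])
            except ValueError:
                findings.append("x-eas-verify-params is not valid JSON")
                continue
            missing = [k for k in REQUIRED_VERIFY_PARAMS if k not in params]
            if missing:
                findings.append(f"x-eas-verify-params missing {missing}")
    return findings


def with_extra_server(gateway, host, port):
    """Deep copy of `gateway` with one more HTTP server, to demonstrate a gap."""
    gw = json.loads(json.dumps(gateway))
    gw["spec"]["servers"].append(
        {"hosts": [host], "port": {"name": f"http-{port}", "number": port, "protocol": "HTTP"}})
    return gw


if __name__ == "__main__":
    print(check(GATEWAY, VIRTUAL_SERVICE, ENVOY_FILTER) or "consistent")
    print(check(with_extra_server(GATEWAY, "other.example.com", 8080), VIRTUAL_SERVICE, ENVOY_FILTER))
```

Finding 4 is the one to watch when a Gateway grows a second server (for example an HTTPS listener on 443): the EnvoyFilter above matches port 80 only, so the new port would bypass eas until a matching filter is added.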

@mlushpenko
Contributor Author

mlushpenko commented Aug 19, 2019

So, we want multi-tenant, multi-user, multi-application separation =D. When I go to the URL tenant1.hal24k.nl, Istio will redirect me to a specific namespace where we have multiple instances of the same application, and each of them belongs to a specific user. So, using Istio RBAC rules via inspecting id_token claims, we will allow or deny access.

More specifically the flow is:

  1. User hits an ingress URL like application.tenant1.hal24k.nl
  2. Istio redirects the request to the specific application service in the tenant1 namespace by matching the host
  3. The EnvoyFilter gets invoked for all application instances in that namespace and enforces authentication with the specific OIDC client for tenant1 by redirecting to eas
  4. eas performs authentication with the identity provider and injects the x-id-token header
  5. Istio end-user authentication gets invoked with x-id-token to propagate it to the istio RBAC
  6. Istio servicerolebinding (RBAC) is used to inspect claims in x-id-token and grant or deny access to the application

So, question is, can you somehow specify multiple tokens with this for eas service? '{"config_token_store_id":"dep_a","config_token_id":"verysecure"}'

The approach I tested with pbc was good for a multi-tenant setup (ignoring the length of the token), but then all users of the same tenant would be able to access any application instance, so we needed something more advanced like Istio.

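The decision described in steps 5 and 6 above, written out as an added example (not Istio's, eas's or the author's code): verify the x-id-token, then grant or deny on its claims. Two simplifications are assumptions of this example only: the token is HS256-signed with a constructed shared secret instead of the provider's RS256 keys fetched via JWKS, and the per-application allow list (APP_BINDINGS), the issuer, the client_id and the hostnames are constructed stand-ins for what an Istio end-user authentication policy and ServiceRoleBinding would carry.

```python
"""Claim-based access decision for the x-id-token flow described above.

Added example, not Istio's or external-auth-server's code. Assumptions:
HS256 with a shared secret stands in for the provider's RS256/JWKS, and
APP_BINDINGS stands in for the per-application ServiceRoleBinding.
"""
import base64
import hashlib
import hmac
import json
import time

# Constructed values; in the thread's setup each tenant has its own client_id.
ISSUER = "https://idp.example.com/auth/realms/tenant1"
TENANT_CLIENT_ID = "tenant1-client"
SECRET = b"constructed-shared-secret-for-the-example"

# Which subjects may reach which application instance (step 6 above).
# Without this, every tenant1 user with a valid token could reach every instance.
APP_BINDINGS = {
    "app-alice.tenant1.hal24k.nl": {"alice"},
    "app-bob.tenant1.hal24k.nl": {"bob"},
}


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def mint_id_token(sub, aud, iss=ISSUER, secret=SECRET, ttl=300, now=None):
    """Stand-in for the identity provider: issue an HS256 id_token."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"iss": iss, "sub": sub, "aud": aud, "iat": now, "exp": now + ttl}
    signing_input = _b64url(json.dumps(header).encode()) + "." + _b64url(json.dumps(claims).encode())
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def verify_id_token(token, expected_iss, expected_aud, secret=SECRET, now=None):
    """Return the claims only if signature, issuer, audience and expiry all check out."""
    now = int(time.time()) if now is None else now
    h64, c64, s64 = token.split(".")  # ValueError on a malformed token
    header = json.loads(_b64url_decode(h64))
    if header.get("alg") != "HS256":  # never let the token choose the algorithm
        raise ValueError("unexpected alg")
    expected = hmac.new(secret, f"{h64}.{c64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(c64))
    if claims.get("iss") != expected_iss:
        raise ValueError("wrong issuer")
    aud = claims.get("aud")
    if aud != expected_aud and not (isinstance(aud, list) and expected_aud in aud):
        raise ValueError("wrong audience")  # token minted for another tenant's client
    if claims.get("exp", 0) <= now:
        raise ValueError("expired")
    return claims


def authorize(host, x_id_token, now=None):
    """RBAC step: return (allowed, reason). Any verification error fails closed."""
    try:
        claims = verify_id_token(x_id_token, ISSUER, TENANT_CLIENT_ID, now=now)
    except Exception as exc:  # malformed, forged, expired, wrong iss/aud
        return False, f"token rejected: {exc}"
    if claims.get("sub") in APP_BINDINGS.get(host, set()):
        return True, f"{claims['sub']} is bound to {host}"
    return False, f"{claims.get('sub')} has a valid tenant token but no binding for {host}"


if __name__ == "__main__":
    token = mint_id_token("alice", TENANT_CLIENT_ID)
    for app in APP_BINDINGS:
        print(app, authorize(app, token))
    print("other tenant", authorize("app-alice.tenant1.hal24k.nl", mint_id_token("alice", "tenant2-client")))
```

The audience check is what keeps the one-client-per-tenant design honest: a token minted for tenant2's client_id is rejected in tenant1's namespace even when the subject is identical, and the binding table is what stops every user of one tenant from reaching every instance in it.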
@travisghansen
Owner

So at what level do you want config_tokens?

applicationN.tenantX.hal24k.nl

applicationN or tenantX?

And at what level does istio allow you to apply/direct filters?

@mlushpenko
Contributor Author

One client per tenant is what we are aiming for, so tenantX

Filters are tenant-level as well (per namespace).

@mlushpenko
Contributor Author

Maybe good to add - if we deploy one instance of eas per namespace, it will work, but wondering if we can deploy single instance that would be shared between all namespaces.

@travisghansen
Owner

So if the filter is applied at that tenant level what's the issue? Simply specify the token details (either in the URL or in the header per the example I just sent) on the per-tenant filter definition..am I missing something still?

@mlushpenko
Contributor Author

My brain isn't working anymore, for some reason I assumed one filter = one proxy , sorry for confusing you and thanks for pointing it out.

@travisghansen
Owner

LOL I've been there! Yeah so I'll commit my code with the header configuration and then you can use the syntax I mentioned above.

Alternatively, are you using a single oidc provider/instance with the same client_id etc for all tenants? Meaning, is there only ever 1 userN across all tenants? If so, we could get pretty creative with the assertions and have 1 token cover everything.

@mlushpenko
Contributor Author

Nope, we will have client_id per tenant (although started testing with a single client_id). Our old/current setup on VMs has client_id for every application for each tenant and each application was handling OIDC connections by itself. We are trying to optimise on kubernetes.

@travisghansen
Owner

Ok then yeah setting the token on a per tenant filter sounds like the perfect solution. I'll snap a release and you can try it all out!

@mlushpenko
Contributor Author

Do you have example healthy sentinel output? eas can't talk to sentinel, but if I am not mistaken it's due to sentinel not being up:

1:X 19 Aug 2019 16:13:38.568 # oO0OoO0OoO0Oo Redis is starting oO0OoO0OoO0Oo
1:X 19 Aug 2019 16:13:38.568 # Redis version=5.0.3, bits=64, commit=00000000, modified=0, pid=1, just started
1:X 19 Aug 2019 16:13:38.568 # Configuration loaded
1:X 19 Aug 2019 16:13:38.570 * Running mode=sentinel, port=26379.
1:X 19 Aug 2019 16:13:38.570 # WARNING: The TCP backlog setting of 511 cannot be enforced because /proc/sys/net/core/somaxconn is set to the lower value of 128.
1:X 19 Aug 2019 16:13:38.570 # Sentinel ID is 98c61faa58b98a6d12fe3062bea9cd2d08c10af3
1:X 19 Aug 2019 16:13:38.570 # +monitor master mymaster 10.43.75.215 6379 quorum 2
1:X 19 Aug 2019 16:13:48.619 # +sdown master mymaster 10.43.75.215 6379

probably some istio issues, will try to drill down tomorrow, but helpful to compare to good output

@travisghansen
Owner

Snapped v0.5.0 and updated latest with features/fixes we've discussed.

@travisghansen
Owner

This is all my redis sentinel logs show:

kubectl -n external-auth-server logs -l "app=redis-ha" --container=sentinel
1:X 16 Jul 2019 03:35:29.259 # Configuration loaded
1:X 16 Jul 2019 03:35:29.261 * Running mode=sentinel, port=26379.
1:X 16 Jul 2019 03:35:29.261 # WARNING: The TCP backlog setting of 511 cannot be enforced because /proc/sys/net/core/somaxconn is set to the lower value of 128.
1:X 16 Jul 2019 03:35:29.261 # Sentinel ID is 98c61faa58b98a6d12fe3062bea9cd2d08c10af3
1:X 16 Jul 2019 03:35:29.261 # +monitor master mymaster 10.43.239.135 6379 quorum 2
1:X 16 Jul 2019 03:35:29.333 * +sentinel sentinel e001732364d7e4575505f631ee5a08e675244f2a 10.43.21.255 26379 @ mymaster 10.43.239.135 6379
1:X 16 Jul 2019 03:35:29.342 # +new-epoch 8
1:X 16 Jul 2019 03:35:29.817 * +sentinel sentinel 33bc83e67da7853a8763870786ed45f81a886c44 10.43.118.61 26379 @ mymaster 10.43.239.135 6379
1:X 16 Jul 2019 03:35:39.314 * +slave slave 10.43.21.255:6379 10.43.21.255 6379 @ mymaster 10.43.239.135 6379
1:X 16 Jul 2019 03:35:39.318 * +slave slave 10.43.118.61:6379 10.43.118.61 6379 @ mymaster 10.43.239.135 6379
1:X 16 Jul 2019 03:33:16.393 # +elected-leader master mymaster 10.43.239.135 6379
1:X 16 Jul 2019 03:33:16.393 # +failover-state-select-slave master mymaster 10.43.239.135 6379
1:X 16 Jul 2019 03:33:16.451 # -failover-abort-no-good-slave master mymaster 10.43.239.135 6379
1:X 16 Jul 2019 03:33:16.534 # Next failover delay: I will not start a failover before Tue Jul 16 03:39:17 2019
1:X 16 Jul 2019 03:35:29.328 * +reboot master mymaster 10.43.239.135 6379
1:X 16 Jul 2019 03:35:29.398 # -sdown master mymaster 10.43.239.135 6379
1:X 16 Jul 2019 03:35:29.398 # -odown master mymaster 10.43.239.135 6379
1:X 16 Jul 2019 03:35:29.399 # -sdown sentinel 98c61faa58b98a6d12fe3062bea9cd2d08c10af3 10.43.239.135 26379 @ mymaster 10.43.239.135 6379
1:X 16 Jul 2019 03:35:39.401 * +slave slave 10.43.21.255:6379 10.43.21.255 6379 @ mymaster 10.43.239.135 6379
1:X 16 Jul 2019 03:35:39.407 * +slave slave 10.43.118.61:6379 10.43.118.61 6379 @ mymaster 10.43.239.135 6379
1:X 16 Jul 2019 03:33:16.313 # +new-epoch 8
1:X 16 Jul 2019 03:33:16.320 # +vote-for-leader e001732364d7e4575505f631ee5a08e675244f2a 8
1:X 16 Jul 2019 03:33:17.066 # +odown master mymaster 10.43.239.135 6379 #quorum 2/2
1:X 16 Jul 2019 03:33:17.066 # Next failover delay: I will not start a failover before Tue Jul 16 03:39:17 2019
1:X 16 Jul 2019 03:35:29.817 * +reboot master mymaster 10.43.239.135 6379
1:X 16 Jul 2019 03:35:29.817 * +slave slave 10.43.21.255:6379 10.43.21.255 6379 @ mymaster 10.43.239.135 6379
1:X 16 Jul 2019 03:35:29.876 # -sdown master mymaster 10.43.239.135 6379
1:X 16 Jul 2019 03:35:29.876 # -odown master mymaster 10.43.239.135 6379
1:X 16 Jul 2019 03:35:29.879 # -sdown sentinel 98c61faa58b98a6d12fe3062bea9cd2d08c10af3 10.43.239.135 26379 @ mymaster 10.43.239.135 6379
1:X 16 Jul 2019 03:35:39.881 * +slave slave 10.43.118.61:6379 10.43.118.61 6379 @ mymaster 10.43.239.135 6379

@mlushpenko
Contributor Author

Thanks a lot, I will test tomorrow and report back. Have a good evening if you are in the same time zone :) but I suspect you are working somewhere in the US.

@travisghansen
Owner

Yeah, I'm in the Western US :D

@mlushpenko
Contributor Author

Thanks again @travisghansen, everything works fine, redis didn't work due to our default deny rbac policy. Now filter is much cleaner with headers_to_add and server-side token, great work!

@travisghansen
Owner

Nice! Anything left on this issue to address or should we close it down?

@mlushpenko
Contributor Author

I think we can close it, I will open another one if something comes up :)
Thanks again, so far it was the best collaboration on github I was involved in, kudos!

@travisghansen
Owner

Thanks for the support and kind words! I'd love an update after you get more usage out of it.

@mlushpenko
Contributor Author

I am planning to write a blog post, trying to draw a diagram about our set up and describe it a bit later, will share once I am done
