I have a Laravel(Lumen) Login API, which generates a JWT using HS256. Then I sent my bearer token to Envoy Gateway and get from Envoy
JWT verification fails
On official JWT decode site I could successfully decode and verify my bearer token. Here I generate my JWT:
{
$payload = [
'iss' => config('app.name'), // Issuer vom Token
'sub' => strval($user->ID), // Subject vom Token
'username' => $user->username,
'iat' => time() - 500, // Time when JWT was issued.
'exp' => time() + config('jwt.ttl'), // Expiration time
'alg' => 'HS256',
'kid' => 'ek4Z9ouLmGnCoezntDXMxUwmjzNTBqptKNkfaqc6Ew8'
];
$secretKey = 'helloworld'; //my base64url
$jwtEnc = JWT::encode($payload, $secretKey, $payload['alg'], $payload['kid']);
return $jwtEnc;
}
Here is my Envoy config:
static_resources:
listeners:
- name: listener_0
address:
socket_address:
address: 0.0.0.0
port_value: 10000
filter_chains:
- filters:
- name: envoy.filters.network.http_connection_manager
typed_config:
'#type': 'type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager'
stat_prefix: edge
http_filters:
- name: envoy.filters.http.jwt_authn
typed_config:
"#type": type.googleapis.com/envoy.extensions.filters.http.jwt_authn.v3.JwtAuthentication
providers:
provider1:
issuer: 'Lumen'
forward: true
local_jwks:
inline_string: '{"keys": [{"kty": "oct", "use": "sig", "kid": "ek4Z9ouLmGnCoezntDXMxUwmjzNTBqptKNkfaqc6Ew8", "k": "helloworld", "alg": "HS256"}]}' //'k' is here base64url
rules:
- match:
prefix: "/list"
requires:
provider_name: "provider1"
- name: envoy.filters.http.router
route_config:
virtual_hosts:
- name: all_domains
domains: [ "*" ]
routes:
- match:
prefix: "/api"
route:
cluster: loginapi
clusters:
- name: loginapi
connect_timeout: 5s
load_assignment:
cluster_name: loginapi
endpoints:
- lb_endpoints:
- endpoint:
address:
socket_address:
address: 0.0.0.0
port_value: 8080
The token is signed and verified with a symmetric algorithm (HS256).
The key parameters of the symmetric key are provided in form of a JSON Web Key in the local_jwks parameter in the Envoy configuration. The key value itself in the parameter "k" is supposed to be stored in Base64Url format:
The "k" (key value) parameter contains the value of the symmetric (or other single-valued) key. It is represented as the base64url encoding of the octet sequence containing the key value.
(see RFC7518 Section 6.4.1)
Base64Url encoding is used here in order to be able to use binary keys (i.e keys in which every byte can have any value in the full range from 0 to 255) for signing.
When the key is used for signing and verification, it has to be decoded to it's (potentially) binary form.
To stick with the simple example key "helloworld" (of course, just for illustration, not as a real key), this key would have to be stored as "k":"aGVsbG93b3JsZA" (the base64url form of "helloworld") in the inline jwk in the configuration and
used in the not encoded form "helloworld" to sign the token. The receiving side also uses the base64url decoded value of k to verify the signature.
Summary:
create a binary key and base64url encode it
store the encoded key in the "k" parameter of the local_jwks parameter in the Envoy configuration
decode the value of "k" to use it as a key to verify or sign the token
You can use the following website https://base64.guru/standards/base64url/encode to encode base64url.
in "k": tempo-secret base64URL encoded
my working config:
http_filters:
- name: envoy.filters.http.jwt_authn
typed_config:
"#type": type.googleapis.com/envoy.extensions.filters.http.jwt_authn.v3.JwtAuthentication
providers:
provider1:
issuer: 'jwt-issuer'
forward: true
local_jwks:
inline_string: '{"keys":[{"kty":"oct","alg":"HS256","k":"dGVtcG8tc2VjcmV0"}]}'
# from_headers:
# - name: authorization
rules:
- match:
prefix: "/"
requires:
Related
When I try to get JWT token with Symfony 6 / Api-plateform / lexik/jwt-authentication-bundle on the endpoint defined on my route.yaml
authentication_token:
path: /api/login
methods: ['POST']
The return of API is this :
{
"code": 401,
"message": "JWT Token not found"
}
The key was setting in my .env and the file of the key was already created.
security.yaml
main:
stateless: true
provider: app_user_provider
json_login:
check_path: /authentication_token
username_path: email
password_path: password
success_handler: lexik_jwt_authentication.handler.authentication_success
failure_handler: lexik_jwt_authentication.handler.authentication_failure
jwt: ~
I have checked if all the config files was present and if the jwt config key and files was created.
The endpoint was created and security.yaml if configured.
I have a Type: AWS::Serverless::HttpApi which I am trying to connect to a Type: AWS::Serverless::StateMachine as a trigger. Meaning the HTTP API would trigger the Step Function state machine.
I can get it working, by only specifying a single input. For example, the DefinitionBody when it works, looks like this:
DefinitionBody:
info:
version: '1.0'
title:
Ref: AWS::StackName
paths:
"/github/secret":
post:
responses:
default:
description: "Default response for POST /"
x-amazon-apigateway-integration:
integrationSubtype: "StepFunctions-StartExecution"
credentials:
Fn::GetAtt: [StepFunctionsApiRole, Arn]
requestParameters:
Input: $request.body
StateMachineArn: !Ref SecretScannerStateMachine
payloadFormatVersion: "1.0"
type: "aws_proxy"
connectionType: "INTERNET"
timeoutInMillis: 30000
openapi: 3.0.1
x-amazon-apigateway-importexport-version: "1.0"
Take note of the following line: Input: $request.body. I am only specifying the $request.body.
However, I need to be able to send the $request.body and $request.header.X-Hub-Signature-256. I need to send BOTH these values to my state machine as an input.
I have tried so many different ways. For example:
Input: " { body: $request.body, header: $request.header.X-Hub-Signature-256 }"
and
$request.body
$request.header.X-Hub-Signature-256
and
Input: $request
I get different errors each time, but this is the main one:
Warnings found during import: Unable to create integration for resource at path 'POST /github/secret': Invalid selection expression specified: Validation Result: warnings : [], errors : [Invalid source: $request specified for destination: Input].
Any help on how to pass multiple values would so be appreciated.
I've got a Envoy Filter in which I add a header to every HTTP request. The header's value comes from API.
Let's assume two configurations of the filter. In the configuration below I added a hardcoded version of my header. It was checked in the logs of my target application and it works.
apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
name: lua-filter
spec:
configPatches:
- applyTo: HTTP_FILTER
match:
context: ANY
listener:
portNumber: 7123
filterChain:
filter:
name: "envoy.http_connection_manager"
subFilter:
name: "envoy.router"
patch:
operation: INSERT_BEFORE
value:
name: envoy.lua
typed_config:
"#type": "type.googleapis.com/envoy.config.filter.http.lua.v2.Lua"
inlineCode: |
function envoy_on_request(request_handle)
request_handle:headers():add("authorization", "it works!")
end
This time I want to have the header's value coming from my API. Unfortunately, this setup doesn't work and I have no idea why. I have checked the Lua script on my local machine, and the script itself works but as soon as I provide the script to the filter, no header is added.
typed_config:
"#type": "type.googleapis.com/envoy.config.filter.http.lua.v2.Lua"
inlineCode: |
function envoy_on_request(request_handle)
local http = require('socket.http')
local json = require('json')
local ltn12 = require "ltn12"
local reqbody="my request body"
local respbody = {}
local body, code, headers, status = http.request {
method = "POST",
url = "http://my-address",
source = ltn12.source.string(reqbody),
headers =
{
["Accept"] = "*/*",
["Accept-Encoding"] = "gzip, deflate",
["Accept-Language"] = "en-us",
["Content-Type"] = "application/x-www-form-urlencoded",
["content-length"] = string.len(reqbody)
},
sink = ltn12.sink.table(respbody)
}
respbody = table.concat(respbody)
parsed = json.decode(respbody)
token = parsed["token-value"]
request_handle:headers():add("authorization",token)
end
I am trying to do an HTTP call to a REST API using Apama HTTP Client plugin. I am able to send a request to the REST Resource, but while parsing the response, I am getting the below error.
WARN [20176] - Failed to parse the event "`{contentType:application/json,sag.type:apamax.httpserversample.HTTPResponse,http:{headers:{contentLength:50,content-type:application/json,content-length:50},statusCode:200,method:POST,path:/rest/POC_422837/WS/provider/apamaTestConn,cookies:{},statusReason:OK}}{body:{status:Hello Apama. How are you doing?}}"
from httpClient due to the error: Unable to parse event apamax.httpserversample.HTTPResponse:
Unable to parse string from the map '{status:Hello Apama. How are you doing?}':
Invalid datatype, could not cast to string`
The YAML Config file looks as below,
connectivityPlugins:
HTTPClientGenericTransport:
libraryName: connectivity-http-client
class: HTTPClient
startChains:
httpClient:
- apama.eventMap
- mapperCodec:
apamax.httpserversample.HTTPRequest:
towardsTransport:
mapFrom:
- metadata.http.path: payload.path
- metadata.requestId: payload.id
- metadata.http.method: payload.method
- payload: payload.data
defaultValue:
- metadata.contentType: application/json
- metadata.sag.type: HelloWorld
apamax.httpserversample.HTTPResponse:
towardsHost:
mapFrom:
- payload.body: payload
- payload.id: metadata.requestId
apamax.httpserversample.HTTPError:
towardsHost:
mapFrom:
- payload.id: metadata.requestId
- payload.code: metadata.http.statusCode
- payload.message: metadata.http.statusReason
- classifierCodec:
rules:
- apamax.httpserversample.HTTPResponse:
- metadata.http.statusCode: 200
- apamax.httpserversample.HTTPError:
- metadata.http.statusCode:
- jsonCodec:
filterOnContentType: true
- stringCodec
- HTTPClientGenericTransport:
host: ${CORRELATOR_HOST}
port: ${CORRELATOR_PORT}
Please help.
I believe the problem is that you map in the config
apamax.httpserversample.HTTPResponse:
towardsHost:
mapFrom:
- payload.body: payload
- payload.id: metadata.requestId
the payload of the response to HTTPResponse.body.
However, as you can see from the warning, the payload is actually a map, so you need to do
- payload.body: payload.status
I'm working on symfony 3 project , I have a bundle for Admin dashboard and I want to create another bundle for a rest API , the main route for the dashboard is : evaluation.dev/app_dev.php/ , for the API bundle i defined a route with fosrestBundle like that : evaluation.dev/app_dev.php/api/ .
The route for the api work well but the main rout for my admin panel does not work anymore and show me an internal server error. can any one give some help ? I think I should change some thing on the configuration or routing file.
This is my routing.yml file :
fos_user_security:
resource: "#FOSUserBundle/Resources/config/routing/security.xml"
fos_user_profile:
resource: "#FOSUserBundle/Resources/config/routing/profile.xml"
prefix: /profile
fos_user_register:
resource: "#FOSUserBundle/Resources/config/routing/registration.xml"
prefix: /register
fos_user_resetting:
resource: "#FOSUserBundle/Resources/config/routing/resetting.xml"
prefix: /resetting
fos_user_change_password:
resource: "#FOSUserBundle/Resources/config/routing/change_password.xml"
prefix: /profile
fos_js_routing:
resource: "#FOSJsRoutingBundle/Resources/config/routing/routing.xml"
eval:
resource: "#EvalBundle/Controller/"
type: annotation
prefix: /
app:
resource: '#AppBundle/Controller/'
type: annotation
api:
resource: "#APIBundle/Controller/"
type: annotation
prefix: /api
here is my config.yml file :
imports:
- { resource: parameters.yml }
- { resource: security.yml }
- { resource: services.yml }
- { resource: "#EvalBundle/Resources/config/services.yml" }
- { resource: "#EvalBundle/Resources/config/entities.yml" }
# Put parameters here that don't need to change on each machine where the app is deployed
# http://symfony.com/doc/current/best_practices/configuration.html#application-related-configuration
parameters:
locale: en
assetic:
debug: '%kernel.debug%'
use_controller: '%kernel.debug%'
filters:
cssrewrite: ~
framework:
#esi: ~
#translator: { fallbacks: ['%locale%'] }
secret: '%secret%'
router:
resource: '%kernel.root_dir%/config/routing.yml'
strict_requirements: ~
form: ~
csrf_protection: ~
validation: { enable_annotations: true }
#serializer: { enable_annotations: true }
templating:
engines: ['twig']
default_locale: '%locale%'
trusted_hosts: ~
trusted_proxies: ~
session:
# http://symfony.com/doc/current/reference/configuration/framework.html#handler-id
handler_id: session.handler.native_file
save_path: "%kernel.root_dir%/../var/sessions/%kernel.environment%"
fragments: ~
http_method_override: true
assets: ~
php_errors:
log: true
translator: ~
serializer:
enabled: true
# Twig Configuration
twig:
debug: '%kernel.debug%'
strict_variables: '%kernel.debug%'
cache: false
form_themes :
- bootstrap_3_layout.html.twig
- bootstrap_3_horizontal_layout.html.twig
# Doctrine Configuration
doctrine:
dbal:
driver: pdo_mysql
host: '%database_host%'
port: '%database_port%'
dbname: '%database_name%'
user: '%database_user%'
password: '%database_password%'
charset: UTF8
mapping_types:
enum: string
# if using pdo_sqlite as your database driver:
# 1. add the path in parameters.yml
# e.g. database_path: "%kernel.root_dir%/../var/data/data.sqlite"
# 2. Uncomment database_path in parameters.yml.dist
# 3. Uncomment next line:
#path: '%database_path%'
orm:
auto_generate_proxy_classes: '%kernel.debug%'
naming_strategy: doctrine.orm.naming_strategy.underscore
auto_mapping: true
# Swiftmailer Configuration
swiftmailer:
transport: '%mailer_transport%'
host: '%mailer_host%'
username: '%mailer_user%'
password: '%mailer_password%'
spool: { type: memory }
fos_user:
db_driver: orm # other valid values are 'mongodb', 'couchdb' and 'propel'
firewall_name: main
user_class: EvalBundle\Entity\Collaborator
from_email:
address: amer.ff19#gmail.com
sender_name: amer ff
knp_paginator:
page_range: 1 # default page range used in pagination control
default_options:
page_name: page # page query parameter name
sort_field_name: sort # sort field query parameter name
sort_direction_name: direction # sort direction query parameter name
distinct: true # ensure distinct results, useful when ORM queries are using GROUP BY statements
template:
pagination: 'KnpPaginatorBundle:Pagination:twitter_bootstrap_v3_pagination.html.twig' # sliding pagination controls template
sortable: 'KnpPaginatorBundle:Pagination:sortable_link.html.twig' # sort link template
fos_rest:
routing_loader:
include_format: false
view:
view_response_listener: true
format_listener:
rules:
- { path: '^/', priorities: ['json'], fallback_format: 'json' }