jwt_authn: fix a bug where JWT with wrong issuer is allowed in allow_missing case #303

Merged
istio-testing merged 3 commits into istio:release-1.9 from myidpt:jwt_fix
Feb 26, 2021

Conversation

@myidpt myidpt commented Feb 26, 2021

When allow_missing is used inside RequiresAny, requests with a JWT with a wrong issuer are accepted. This is a bug: allow_missing should only allow requests without any JWT.

This change fixes the above issue by preserving JwtUnknownIssuer in the allow_missing case.

Change details:

JwtUnknownIssuer error got converted to JwtMissing in error aggregation inside the VerifyAny object. This is the root cause. Such conversion is not needed.
Fix is to preserve JwtUnknownIssuer in the error aggregation.
Risk Level: Low
Testing: unit-tested
Docs Changes: N/A
Release Notes: Yes

Cherrypick: envoyproxy#15199
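A simplified model of the aggregation bug this PR describes, added here as an illustration. It is not Envoy's or Istio's code: Status, Provider, Request, verifyProvider, aggregateAny, allowMissingAccepts and the two issuer URLs are names and sample data made up for the example. It runs three constructed requests (no JWT, JWT from a trusted issuer, JWT from a foreign issuer) through a buggy aggregation that folds JwtUnknownIssuer into JwtMissing and a fixed one that preserves it, and shows that only the buggy aggregation lets the foreign-issuer token through an allow_missing requirement:

```cpp
#include <iostream>
#include <string>
#include <vector>

// Simplified model of the jwt_authn requires_any / allow_missing aggregation
// described in the PR. Illustrative code only, not Envoy's implementation;
// every type and function name below is made up for this example.
enum class Status { Ok, JwtMissing, JwtUnknownIssuer };

// A provider in this model is identified only by the issuer it trusts.
struct Provider {
  std::string issuer;
};

// A request either carries no JWT or a JWT whose `iss` claim is modelled as a
// plain string; signature and expiry checks are out of scope here.
struct Request {
  bool hasJwt;
  std::string issuer;
};

// One provider's verdict: no token at all, a token for another issuer, or a
// token it recognises.
Status verifyProvider(const Provider& p, const Request& req) {
  if (!req.hasJwt) return Status::JwtMissing;
  if (req.issuer != p.issuer) return Status::JwtUnknownIssuer;
  return Status::Ok;
}

// Error aggregation over the sub-results of a requires_any. With
// preserveUnknownIssuer == false this mirrors the root cause named in the PR:
// an unknown-issuer failure is collapsed into "missing". With it set to true
// the distinction survives, which is what the fix does.
Status aggregateAny(const std::vector<Status>& results, bool preserveUnknownIssuer) {
  Status aggregated = Status::JwtMissing;
  for (Status s : results) {
    if (s == Status::Ok) return Status::Ok;
    if (s == Status::JwtUnknownIssuer && preserveUnknownIssuer) {
      aggregated = Status::JwtUnknownIssuer;
    }
  }
  return aggregated;
}

// allow_missing semantics: run every provider and accept only when a provider
// validated the token or the aggregated failure is "no JWT at all".
bool allowMissingAccepts(const std::vector<Provider>& providers, const Request& req,
                         bool preserveUnknownIssuer) {
  std::vector<Status> results;
  for (const Provider& p : providers) results.push_back(verifyProvider(p, req));
  Status agg = aggregateAny(results, preserveUnknownIssuer);
  return agg == Status::Ok || agg == Status::JwtMissing;
}

// Constructed sample configuration: two trusted issuers (made-up URLs).
std::vector<Provider> sampleProviders() {
  return {{"https://issuer-a.example"}, {"https://issuer-b.example"}};
}

int main() {
  const Request noJwt{false, ""};
  const Request knownIssuer{true, "https://issuer-a.example"};
  const Request wrongIssuer{true, "https://attacker.example"};
  for (bool fixed : {false, true}) {
    std::cout << (fixed ? "fixed" : "buggy") << " aggregation:"
              << " no JWT -> " << allowMissingAccepts(sampleProviders(), noJwt, fixed)
              << ", known issuer -> " << allowMissingAccepts(sampleProviders(), knownIssuer, fixed)
              << ", wrong issuer -> " << allowMissingAccepts(sampleProviders(), wrongIssuer, fixed)
              << '\n';
  }
  return 0;
}
```

The point to check when reviewing a fix like this one is the third column: a request that presents a JWT from an issuer no provider trusts must be rejected under allow_missing, since the requirement is meant to tolerate the absence of a token, not the presence of an untrusted one.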

@bianpengyuan

@jacob-delgado I think normally we just do a batched backport of Envoy fixes, since branches are a 1:1 mapping now.

@istio-testing istio-testing merged commit 5d9cc99 into istio:release-1.9 Feb 26, 2021