Comments (14)
qiwzhang
commented on June 29, 2024
1
Thanks. @tazjin We will use this to update our doc. Hi @liminw Could you help to fix this?
from esp.
tazjin
commented on June 29, 2024
I've tried some more debugging by changing values in the JWT manually (hoping to proceed to a time or signature error).
This is in fact caused by nbf = 0, which should be a valid value (epoch 0 is most definitely in the past!)
from esp.
qiwzhang
commented on June 29, 2024
@liminw @lizan Since ESP is using gRPC library for JWT checking. This could be an issue in the gRPC code. Could you confirm it?
from esp.
liminw
commented on June 29, 2024
The check is indeed in gRPC. @tazjin has done a great job debugging to find out the cause.
This is expected behavior. That is, the claims, "exp", "iat", "nbf", if provided, must contain valid values, which is the number of seconds since Epoch.
from esp.
qiwzhang
commented on June 29, 2024
nbf = 0 is not supported. @tazjin should I close the issue?
from esp.
tazjin
commented on June 29, 2024
@qiwzhang That is up to you. We will be able to find an alternative to using Endpoints, but you may want to consider documenting this.
It's unclear from @liminw's response what the chosen "cutoff time" for nbf values is - can they not be in the past at all? Can they be 1 hour, 1 week ago? 10 years ago?
Whatever you chose, this discrepancy from the spec (which does not constrain the set of valid values) should be documented on this page.
from esp.
lizan
commented on June 29, 2024
I feel the nbf = 0 should pass the check. @tazjin is the JWT signed by
services yourself or some common 3rd party issuer?
…On Fri, Nov 10, 2017 at 2:17 PM, Wayne Zhang ***@***.***> wrote:
Thanks. @tazjin <https://github.com/tazjin> We will use this to update
our doc. Hi @liminw <https://github.com/liminw> Could you help to fix
this?
—
You are receiving this because you were mentioned.
Reply to this email directly, view it on GitHub
<#308 (comment)>,
or mute the thread
<https://github.com/notifications/unsubscribe-auth/AA-A75FOWAglJ-Hysk4VcX346oPGN8ADks5s1MuPgaJpZM4QZs0F>
.
from esp.
tazjin
commented on June 29, 2024
@lizan The JWT is signed by our Keycloak instance.
from esp.
liminw
commented on June 29, 2024
If I read it correctly, from grpc code, it seems that 0 is considered the error code returned from validate_time_field().
from esp.
liminw
commented on June 29, 2024
We will document it on this page that the values for "iat", "nbf", "exp" must be numbers that are greater than 0.
from esp.
lizan
commented on June 29, 2024
Thanks @tazjin , how easy to configure Keycloak to omit nbf or have certain nbf != 0?
@liminw yes the code reading is correct, but I don't think it is intentional, is it?
from esp.
liminw
commented on June 29, 2024
The documentation here is fixed to say that "iat", "nbf", "exp" must be numbers greater than 0.
from esp.
naturalbeau
commented on June 29, 2024
I also experienced the same issue when try to use keycloak as third party authentication server. So what is the solution to fix this problem? @tazjin
from esp.
tazjin
commented on June 29, 2024
@naturalbeau We ended up writing our own authentication service, which has been humming along fine for over a year now - Keycloak is nice if your use-case falls exactly into what it supports, otherwise bending it to do what you want is a task in itself :)
from esp.
Related Issues (20)
- esp restarted when it sees RESOURCE_EXHAUSTED from servicemanagement.googleapis.com HOT 1
- GRPC keepalive server side not working HOT 5
- pass zero from grpc to json HOT 2
- argument service_control_network_fail_open is unclear HOT 6
- ESP on Compute Engine : JWT validation failed: Unable to fetch verification key HOT 11
- HTTP Post x-www-form-urlencoded transcoding HOT 6
- No error response supplied from POST request HOT 1
- Logs displayed as ERROR in Log Viewer HOT 1
- Cannot refer to service name using x-google-backend HOT 3
- Quota limit: 429 after waiting more than 1 minute
- JWT validation failed: Unable to fetch verification key HOT 1
- Malformed WWW-Authenticate header payload returned for UNAUTHORIZED response HOT 3
- Some endpoints need auth others dont. HOT 7
- x-google-jwt-location two entries for a single header HOT 3
- [DELETED]
- RST_STREAM 1 error with GRPC and ESP HOT 13
- ESP build docker failing HOT 1
- Espv1 returns 502/Bad Gateway with code:13 randomly HOT 1
- Modyfing nginx server header
- terminationGracePeriodSeconds
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from esp.