BBv1.17.0 new authservice breaks authentication on customer Application.

After upgrading to BBv1.17.0, the new authservice "0.4.0-bb.17" seems to not read the JWT correctly. The following is the error message received when trying to log into the application.
Error: Jwks doesn't have key to match kid or alg from Jwt
After reviewing logs and not finding anything relevant, I decided to roll back authservice to "0.4.0-bb.15", and then I can log into the application with no problems.
I'm not 100% on why this wouldn't have been an issue in the past but we can definitely look into it and see if we need to update things on our end or at least improve the messaging around the update. Let us know if adding that value works for you.
Yep, we are already doing that. All other customer applications work; just the one customer application (Genesis) isn't working after the authservice upgrade. Like I said, it works when I overlay authservice to use the older committed tag.
Hm, interesting that it's only happening for one app. Do you happen to have that jwks value overridden for that one chain? Most of the chain values default to the global, but an override for just one might explain why you're only seeing issues with the one app? Something like this...
@jason.crothers Are you using a "self-signed" certificate on your Keycloak instance?
It seems the issue is that when jwksUri is used and istio doesn't trust the certificate at the other end, it prints that error, since it didn't trust/import the certificate.
The solution should be to replace jwksUri with jwks, set to the value of your BigBang sso.jwks, in the jwt-authn RequestAuthentication resource in the istio-system namespace.
For the fix BigBang should implement, we can update the logic for the above RequestAuthentication resource in the authservice package to use the existing jwks value (BigBang sso.jwks value) if present before attempting to populate jwksUri. We will need to complete testing against a Keycloak server with a "self-signed" certificate to verify.
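The workaround described above, written out as an added example (not from this thread or the Big Bang authservice chart): the same jwt-authn RequestAuthentication first with jwksUri, which requires istiod to trust the Keycloak certificate when it fetches the key set, and then with the key set inlined in jwks. The issuer URL, kid and key material are constructed placeholders; in practice the jwks string is the value Big Bang carries in sso.jwks.

```yaml
# Before: Istio fetches the key set over TLS from Keycloak. If Keycloak presents
# a self-signed certificate that istiod does not trust, the fetch fails, the
# cached key set stays empty, and every token is rejected with
# "Jwks doesn't have key to match kid or alg from Jwt".
apiVersion: security.istio.io/v1beta1
kind: RequestAuthentication
metadata:
  name: jwt-authn
  namespace: istio-system
spec:
  jwtRules:
    - issuer: https://keycloak.example.com/auth/realms/example   # placeholder issuer
      jwksUri: https://keycloak.example.com/auth/realms/example/protocol/openid-connect/certs  # placeholder
---
# After: the key set is inlined, so no outbound TLS fetch is needed and the
# Keycloak certificate never has to be trusted by istiod. The jwks value must be
# the JSON key set from Big Bang's sso.jwks; the key below is a constructed
# placeholder, not a real key.
apiVersion: security.istio.io/v1beta1
kind: RequestAuthentication
metadata:
  name: jwt-authn
  namespace: istio-system
spec:
  jwtRules:
    - issuer: https://keycloak.example.com/auth/realms/example   # placeholder issuer
      jwks: |
        {"keys":[{"kid":"PLACEHOLDER-KID","kty":"RSA","alg":"RS256","use":"sig",
                  "n":"PLACEHOLDER-MODULUS","e":"AQAB"}]}
```

The kid and alg in the inlined set must match the header of the tokens Keycloak issues, otherwise the same "doesn't have key to match kid or alg" rejection appears for a different reason. Inlining also means a key rotation in Keycloak is not picked up automatically, so the sso.jwks value has to be updated whenever the realm keys change.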