Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

user-guide: authorization using k8s service account returning 403 instead of 200 #216

Closed
KevFan opened this issue Jul 17, 2023 · 1 comment · Fixed by #217
Closed

user-guide: authorization using k8s service account returning 403 instead of 200 #216

KevFan opened this issue Jul 17, 2023 · 1 comment · Fixed by #217
Labels
area/doc Improvements or additions to documentation

Comments

@KevFan
Copy link
Contributor

KevFan commented Jul 17, 2023

WHAT
Following the Rate-limiting and protecting an API with JSON Web Tokens (JWTs) and Kubernetes authnz using Kuadrant user guide, at Step 6, the following GET request using the K8s service account token should return a 200 status code:

curl -H "Authorization: Bearer $SA_TOKEN" -H 'Host: api.toystore.com' http://localhost:9080/toy -i
# HTTP/1.1 200 OK

However, it insteads return a 403 still:

curl -H "Authorization: Bearer $SA_TOKEN" -H 'Host: api.toystore.com' http://localhost:9080/toy -i
# HTTP/1.1 403 Forbidden
# x-ext-auth-reason: Not authorized: unknown reason
# date: Mon, 17 Jul 2023 12:58:04 GMT
# server: istio-envoy
# content-length: 0

Due to this error, in Step 7 of the user guide, it is not possible to validate the Rate limit using the service account also.

DONE

  • The guide is working as expected
@KevFan KevFan moved this to Needs refinement in Kuadrant Service Protection Jul 17, 2023
@guicassolato
Copy link
Contributor

This is a regression cause by Kuadrant/authorino#394 and more specifically by Kuadrant/authorino#403.

Here's a PR that fixed the Authorino docs with an updated example that can be used to fix this user guide: Kuadrant/authorino#408.

Because the AuthPolicy includes 2 sources of identity (Keycloak realm and Kubernetes SAs), you may want to rely on Authorino's extendedProperties feature to ensure auth.identity.sub is set for the k8s-service-accounts identity objects was well.

@KevFan KevFan mentioned this issue Jul 18, 2023
Merged
KevFan added a commit to KevFan/kuadrant-operator that referenced this issue Jul 18, 2023
@KevFan
user-guide: fix authorization using k8s service account returning 403…
c11802c 
… instead of 200

Closes: Kuadrant#216
@KevFan KevFan added the area/doc Improvements or additions to documentation label Jul 18, 2023
KevFan added a commit that referenced this issue Jul 18, 2023
@KevFan
docs: minor improvements (#217)
813b5e5 
* docs: minor improvements

* user-guide: fix authorization using k8s service account returning 403 instead of 200

Closes: #216
@github-project-automation github-project-automation bot moved this from Needs refinement to To test in Kuadrant Service Protection Jul 18, 2023
alexsnaps pushed a commit that referenced this issue Aug 9, 2023
@KevFan @alexsnaps
docs: minor improvements (#217)
ac8a5bb 
* docs: minor improvements

* user-guide: fix authorization using k8s service account returning 403 instead of 200

Closes: #216
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
area/doc Improvements or additions to documentation
Projects
No open projects
Kuadrant Service Protection
Status: To test
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

docs: minor improvements KevFan/kuadrant-operator
2 participants
@guicassolato @KevFan