Envoy GCP Authentication Filter with Application Layer Transport Security (ALTS)

2022-05-23

This is a sample configuration of Envoy’s GCP Authn Filter combined with Application Layer Transport Security.

What the GCP Auth Filter does is simple: it accesses the current GCP VM’s identity token and automatically injects that into the Authorization Bearer header intended for the upstream server. It basically allows the server to verify the client by using its bearer token that is unique to that instance.

Theres nothing stopping you from manually getting an id_token manually by the client but this way, it can be automatically sanitized (redacted by envoy) and ammended by any audience value the server-to-server communication needs.

Since this envoy proxy filter is GCP specific, the client VM must be on GCE (or any other system that has a metadata server on GCP).

However, the server does not need to be on gcp…it can be any system capable of verifying an inbound id_token. It can be on GCP, on prem, anywhere.

Great…but we’re talking about bearer tokens…one problem with that is implied within its name: bearer..meaning its authenticates anyone with that presents it. What happens if the token is used by different system than the one that issued it? Well, at that point, the other system can pretend to be the tokens creator.

Is there anyway we can compensate for a bearer tokens deficiency?

Sure, but its not easy: you can attempt to configure Certificate Bound Tokens but getting that setup is pretty hard. You can go one step easier by using a distribution of mTLS certificates like what google does with Traffic Director

To me, thats fine but i want to combine this new Feature of envoy with ALTS …which i find really, really cool..

Taken together, the ALTS layer verifies to the server and client the service identity and the JWT bearer token signals the what the token can be used for (eg the service’s aud: value, its expiration, claims, instance id)

note, ther’es only one implementation of ALTS in the world that i know of: its on Google….so take this demo with a grain of salt..

Realistically, you’ll want to use one of those services like Traffic Director or just use the GCP Authn plugin as a basic bearer token.

If you’re still interested in ALTS, see Envoy ALTS Helloworld

For now, we’ll just setup two GCE VMs:

  • Client Runs envoy with GCP Authn Filter Uses ALTS to connect to Server

  • Server Runs envoy with JWTAuthn Filter Uses ALTS to only allow connections from Client

Envoy GCP Authn Filter


Lets get started

First lets look at the Client configuration for Envoy minus the ALTS business:

Note that the http_filter.envoy.filters.http.gcp_authn sets up where to get an id_token.

The URL provided there is for the GCE VM’s metadata server. The [AUDIENCE] key is special: the filter uses that exact text and substitutes the value for the audience this id_token should have. Typically, this needs to be the service this token is intended (in our case, its the server).

The value for the audience is read by the Filter by inspecting the cluster the filter is meant to contact. In our case its read in from the Audience.url value in service_b.

node:
  cluster: service_greeter
  id: test-id
static_resources:
  listeners:
  - name: listener_0
    address:
      socket_address: { address: 0.0.0.0, port_value: 8080 }
    filter_chains:
    - filters:
      - name: envoy.http_connection_manager
        typed_config:
          "@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager
          stat_prefix: ingress_http
          codec_type: AUTO
          route_config:
            name: local_route
            virtual_hosts:
              - name: backend
                domains:
                  - "server.c.$PROJECT_ID.internal"
                routes:
                  - match:
                      prefix: "/get"
                    route:
                      cluster: service_b                            
          http_filters:
          - name: envoy.filters.http.gcp_authn
            typed_config:
              "@type": type.googleapis.com/envoy.extensions.filters.http.gcp_authn.v3.GcpAuthnFilterConfig          
              http_uri: 
                uri: "http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/default/identity?audience=[AUDIENCE]"
                cluster: metadata_server
                timeout: 1s
          - name: envoy.filters.http.router
            typed_config:
              "@type": type.googleapis.com/envoy.extensions.filters.http.router.v3.Router
                      
  clusters:
  - name: metadata_server
    type: STRICT_DNS
    dns_lookup_family: V4_ONLY
    connect_timeout: 2s
    lb_policy: ROUND_ROBIN   
    load_assignment:
      cluster_name: metadata_server
      endpoints:
      - lb_endpoints:
        - endpoint:     
            address:
              socket_address:
                address:  metadata.google.internal
                port_value: 80  
  - name: service_b
    type: LOGICAL_DNS
    dns_lookup_family: V4_ONLY
    connect_timeout: 2s
    lb_policy: ROUND_ROBIN
    metadata:
      typed_filter_metadata:
        envoy.filters.http.gcp_authn:
          "@type": type.googleapis.com/envoy.extensions.filters.http.gcp_authn.v3.Audience
          url: "server.c.$PROJECT_ID.internal"       
    load_assignment:
      cluster_name: service_b
      endpoints:
      - lb_endpoints:
        - endpoint:
            address:
              socket_address:
                address: server.c.$PROJECT_ID.internal
                port_value: 10000                   

Ultimately, this id token that is sent to service_b will look like

{
  "alg": "RS256",
  "kid": "486f16482005a2cdaf26d9214018d029ca46fb56",
  "typ": "JWT"
}
{
  "aud": "server.c.YOUR_PROJECT.internal",
  "azp": "105358594526781723383",
  "exp": 1653426840,
  "iat": 1653423240,
  "iss": "https://accounts.google.com",
  "sub": "105358594526781723383"
}

where the aud value is what was set in clusters.service_b.metadata.typed_filter_metadata.envoy.filters.http.gcp_authn.url

(The way envoy shares metadata between filters is kinda complicated to me, see data shared between filters)

One more thing about the JWT…google’s id_token can contain many other claims

Specifically, the extended claims can signal to the server what the nature (licenses, Confidential Compute state instance_confidentiality, and so on). The server can use these values to make further decisions.

{
   "iss": "[TOKEN_ISSUER]",
   "iat": [ISSUED_TIME],
   "exp": [EXPIRED_TIME],
   "aud": "[AUDIENCE]",
   "sub": "[SUBJECT]",
   "azp": "[AUTHORIZED_PARTY]",
   "google": {
    "compute_engine": {
      "project_id": "[PROJECT_ID]",
      "project_number": [PROJECT_NUMBER],
      "zone": "[ZONE]",
      "instance_id": "[INSTANCE_ID]",
      "instance_name": "[INSTANCE_NAME]",
      "instance_creation_timestamp": [CREATION_TIMESTAMP],
      "instance_confidentiality": [INSTANCE_CONFIDENTIALITY],
      "license_id": [
        "[LICENSE_1]",
          ...
        "[LICENSE_N]"
      ]
    }
  }
}

If you want the outbound JWT to contain these, change the value in envoy to

 uri: "http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/default/identity?audience=[AUDIENCE]&format=full"

Setup

Lets get setup…to do this demo you’ll need two GCE VMs…i have to emphasize again, the server can be anywhere but if the server is NOT in GCE, you must remove the ALTS configuration….since, of course, ALTS exists only on GCP :)

export PROJECT_ID=`gcloud config get-value core/project`
export PROJECT_NUMBER=`gcloud projects describe $PROJECT_ID --format='value(projectNumber)'`

# create two service accounts
gcloud iam service-accounts create server-sa --display-name "Server Service Account"
gcloud iam service-accounts create client-sa --display-name "Client Service Account"
export CLIENT_SERVICE_ACCOUNT=client-sa@$PROJECT_ID.iam.gserviceaccount.com
export SERVER_SERVICE_ACCOUNT=server-sa@$PROJECT_ID.iam.gserviceaccount.com


# create two VM's and attach service accounts to each
gcloud  compute  instances create server \
  --service-account=$SERVER_SERVICE_ACCOUNT \
  --scopes=https://www.googleapis.com/auth/userinfo.email \
  --zone us-central1-a --image-family debian-10 --image-project=debian-cloud

gcloud compute  instances create client \
  --service-account=$CLIENT_SERVICE_ACCOUNT \
  --scopes=https://www.googleapis.com/auth/userinfo.email \
  --zone us-central1-a --image-family debian-10 --image-project=debian-cloud

Now create the envoy configuration files with the PROJECT_ID values you need.

You can find the files below in this article. Be careful in naming each file thats you download

envsubst < "server_tmpl.yaml" > "server.yaml"
envsubst < "client_tmpl.yaml" > "client.yaml"

Get envoy binary.

I usually get it through docker

docker cp `docker create envoyproxy/envoy-dev:latest`:/usr/local/bin/envoy .

Copy the files to the client and server

gcloud compute scp envoy server:
gcloud compute scp envoy server:

gcloud compute scp server.yaml server:
gcloud compute scp client.yaml client:

Start Server

gcloud compute ssh server
./envoy -c server.yaml -l trace

Start Client

gcloud compute ssh client
./envoy -c client.yaml -l trace

Run Curl Client

In a new terminal on the client:

gcloud compute ssh client
export PROJECT_ID=`gcloud config get-value core/project`

curl -v -H "Host: server.c.$PROJECT_ID.internal"  http://localhost:8080/get

What you should see is a simple, measly ok…but a lot went on under the hood as shown in the logs

Configuration

Client

  • client_tmpl.yaml

Server

  • server_tmpl.yaml

Logs

As for logs, i’ve annotated each step as the best i can and redacted the noise

Client


============================== Client Request

[2022-05-24 20:14:00.801][645][debug][conn_handler] [source/server/active_tcp_listener.cc:142] [C0] new connection from 127.0.0.1:33474

[2022-05-24 20:14:00.801][645][debug][http] [source/common/http/conn_manager_impl.cc:904] [C0][S13822938871470853975] request headers complete (end_stream=true):
':authority', 'server.c.YOUR_PROJECT.internal'
':path', '/get'
':method', 'GET'
'user-agent', 'curl/7.64.0'
'accept', '*/*'



============================== Metadata Server Request

[2022-05-24 20:14:00.802][645][debug][router] [source/common/router/router.cc:467] [C0][S11072735566668962897] cluster 'metadata_server' match for URL '/computeMetadata/v1/instance/service-accounts/default/identity?audience=server.c.YOUR_PROJECT.internal'
[2022-05-24 20:14:00.802][645][debug][router] [source/common/router/router.cc:670] [C0][S11072735566668962897] router decoding headers:
':method', 'GET'
':authority', 'metadata.google.internal'
':path', '/computeMetadata/v1/instance/service-accounts/default/identity?audience=server.c.YOUR_PROJECT.internal'
':scheme', 'http'
'metadata-flavor', 'Google'
'x-envoy-internal', 'true'
'x-envoy-expected-rq-timeout-ms', '1000'

[2022-05-24 20:14:00.802][645][debug][pool] [source/common/conn_pool/conn_pool_base.cc:290] trying to create new connection

[2022-05-24 20:14:00.802][645][debug][connection] [source/common/network/connection_impl.cc:912] [C1] connecting to 169.254.169.254:80

[2022-05-24 20:14:00.813][645][trace][http] [source/common/http/http1/codec_impl.cc:1353] [C1] status_code 200

[2022-05-24 20:14:00.813][645][debug][http] [source/common/http/async_client_impl.cc:101] async http request response headers (end_stream=false):
':status', '200'
'metadata-flavor', 'Google'
'date', 'Tue, 24 May 2022 20:14:00 GMT'
'content-type', 'text/html'
'server', 'Metadata Server for VM'
'content-length', '682'
'x-xss-protection', '0'
'x-frame-options', 'SAMEORIGIN'
'x-envoy-upstream-service-time', '11'


[2022-05-24 20:14:00.813][645][debug][router] [source/common/router/router.cc:467] [C0][S13822938871470853975] cluster 'service_b' match for URL '/get'
[2022-05-24 20:14:00.813][645][debug][router] [source/common/router/router.cc:670] [C0][S13822938871470853975] router decoding headers:
':authority', 'server.c.YOUR_PROJECT.internal'
':path', '/get'
':method', 'GET'
':scheme', 'http'
'user-agent', 'curl/7.64.0'
'accept', '*/*'
'x-forwarded-proto', 'http'
'x-request-id', '434e144c-0732-4227-8f6a-781f609d08df'
'authorization', 'Bearer eyJhbGciOiJSUzI1NiIsImtpZCI6IjQ4NmYxNjQ4MjAwNWEyY2RhZjI2ZDkyMTQwMThkMDI5Y2E0NmZiNTYiLCJ0eXAiOiJKV1QifQ.eyJhdWQiOiJzZXJ2ZXIuYy5taW5lcmFsLW1pbnV0aWEtODIwLmludGVybmFsIiwiYXpwIjoiMTA1MzU4NTk0NTI2NzgxNzIzMzgzIiwiZXhwIjoxNjUzNDI2ODQwLCJpYXQiOjE2NTM0MjMyNDAsImlzcyI6Imh0dHBzOi8vYWNjb3VudHMuZ29vZ2xlLmNvbSIsInN1YiI6IjEwNTM1ODU5NDUyNjc4MTcyMzM4MyJ9.c-zxdjjUPT7B7g9BlHFjYj2bVnCksr0RNuGtF2I-ln3dcAzgu1pd_E-zoWR-KwJDZOuSMPDcjUea75DUt5ps4TwbHFyZ1x5GD3BRArl1Ts0p_QAtND-elV2c_ZDk-txpGCkI2ESGKszjv5_UF_aiIeO5l344ECB_zERD5LA3BeXoVDix-v5uw0KLFjZM03OBcNbItdy1B7dNIGUqOZNpRp2PWXxY5ppf33BXXY3U_JepzK0qynZCvlPAeSJKqIc5LKpPBauzUYOYq0VH1xkL_SdfDgvoSCi69Eqgu9i3qNSaV8B7mdYO5mrfxsaE9SroKR2P0PdyEt-n2HkrqQAZ7w'
'x-envoy-expected-rq-timeout-ms', '15000'


============================== ALTS

[2022-05-24 20:14:00.822][645][debug][connection] [source/extensions/transport_sockets/alts/tsi_socket.cc:103] [C2] TSI: Handshake successful: peer properties: 5
[2022-05-24 20:14:00.822][645][debug][connection] [source/extensions/transport_sockets/alts/tsi_socket.cc:106] [C2]   certificate_type: ALTS
[2022-05-24 20:14:00.822][645][debug][connection] [source/extensions/transport_sockets/alts/tsi_socket.cc:106] [C2]   service_account: server-sa@YOUR_PROJECT.iam.gserviceaccount.com

[2022-05-24 20:14:00.822][645][debug][connection] [source/extensions/transport_sockets/alts/tsi_socket.cc:106] [C2]   alts_context: 
grpcALTSRP_GCM_AES128_REKEY"5server-sa@YOUR_PROJECT.iam.gserviceaccount.com*5client-sa@YOUR_PROJECT.iam.gserviceaccount.com2


[2022-05-24 20:14:00.822][645][debug][connection] [source/extensions/transport_sockets/alts/tsi_socket.cc:106] [C2]   security_level: TSI_PRIVACY_AND_INTEGRITY
[2022-05-24 20:14:00.822][645][debug][connection] [source/extensions/transport_sockets/alts/tsi_socket.cc:113] [C2] TSI: Handshake validation succeeded.
[2022-05-24 20:14:00.822][645][debug][connection] [source/extensions/transport_sockets/alts/tsi_socket.cc:125] [C2] TSI hanshake with peer: server-sa@YOUR_PROJECT.iam.gserviceaccount.com

[2022-05-24 20:14:00.822][645][debug][connection] [source/extensions/transport_sockets/alts/tsi_socket.cc:144] [C2] TSI: Handshake successful: unused_bytes: 0

============================== Server Response

[2022-05-24 20:14:00.839][645][trace][http] [source/common/http/http1/codec_impl.cc:1353] [C2] status_code 200
[2022-05-24 20:14:00.839][645][debug][http] [source/common/http/conn_manager_impl.cc:1516] [C0][S13822938871470853975] encoding headers via codec (end_stream=false):
':status', '200'
'content-length', '2'
'content-type', 'text/plain'
'date', 'Tue, 24 May 2022 20:14:00 GMT'
'server', 'envoy'
'x-envoy-upstream-service-time', '25'

[2022-05-24 20:14:00.840][645][debug][client] [source/common/http/codec_client.cc:126] [C2] response complete

Server Logs

============================== Client Request

[2022-05-24 20:14:00.815][629][debug][conn_handler] [source/server/active_tcp_listener.cc:142] [C0] new connection from 10.128.0.17:36394

============================== ALTS

[2022-05-24 20:14:00.818][629][debug][connection] [source/extensions/transport_sockets/alts/tsi_socket.cc:47] [C0] TSI: doHandshake
[2022-05-24 20:14:00.828][629][debug][connection] [source/extensions/transport_sockets/alts/tsi_socket.cc:103] [C0] TSI: Handshake successful: peer properties: 5
[2022-05-24 20:14:00.828][629][debug][connection] [source/extensions/transport_sockets/alts/tsi_socket.cc:106] [C0]   certificate_type: ALTS
[2022-05-24 20:14:00.828][629][debug][connection] [source/extensions/transport_sockets/alts/tsi_socket.cc:106] [C0]   service_account: client-sa@YOUR_PROJECT.iam.gserviceaccount.com
[2022-05-24 20:14:00.828][629][debug][connection] [source/extensions/transport_sockets/alts/tsi_socket.cc:106] [C0]   alts_context: 
grpcALTSRP_GCM_AES128_REKEY"5client-sa@YOUR_PROJECT.iam.gserviceaccount.com*5server-sa@YOUR_PROJECT.iam.gserviceaccount.com2


[2022-05-24 20:14:00.828][629][debug][connection] [source/extensions/transport_sockets/alts/tsi_socket.cc:106] [C0]   security_level: TSI_PRIVACY_AND_INTEGRITY
[2022-05-24 20:14:00.828][629][debug][connection] [source/extensions/transport_sockets/alts/tsi_socket.cc:113] [C0] TSI: Handshake validation succeeded.
[2022-05-24 20:14:00.828][629][debug][connection] [source/extensions/transport_sockets/alts/tsi_socket.cc:125] [C0] TSI hanshake with peer: client-sa@YOUR_PROJECT.iam.gserviceaccount.com
[2022-05-24 20:14:00.828][629][debug][connection] [source/extensions/transport_sockets/alts/tsi_socket.cc:144] [C0] TSI: Handshake successful: unused_bytes: 0


============================== Client Request

[2022-05-24 20:14:00.828][629][debug][http] [source/common/http/conn_manager_impl.cc:904] [C0][S2732626836338267029] request headers complete (end_stream=true):
':authority', 'server.c.YOUR_PROJECT.internal'
':path', '/get'
':method', 'GET'
'user-agent', 'curl/7.64.0'
'accept', '*/*'
'x-forwarded-proto', 'http'
'x-request-id', '434e144c-0732-4227-8f6a-781f609d08df'
'authorization', 'Bearer eyJhbGciOiJSUzI1NiIsImtpZCI6IjQ4NmYxNjQ4MjAwNWEyY2RhZjI2ZDkyMTQwMThkMDI5Y2E0NmZiNTYiLCJ0eXAiOiJKV1QifQ.eyJhdWQiOiJzZXJ2ZXIuYy5taW5lcmFsLW1pbnV0aWEtODIwLmludGVybmFsIiwiYXpwIjoiMTA1MzU4NTk0NTI2NzgxNzIzMzgzIiwiZXhwIjoxNjUzNDI2ODQwLCJpYXQiOjE2NTM0MjMyNDAsImlzcyI6Imh0dHBzOi8vYWNjb3VudHMuZ29vZ2xlLmNvbSIsInN1YiI6IjEwNTM1ODU5NDUyNjc4MTcyMzM4MyJ9.c-zxdjjUPT7B7g9BlHFjYj2bVnCksr0RNuGtF2I-ln3dcAzgu1pd_E-zoWR-KwJDZOuSMPDcjUea75DUt5ps4TwbHFyZ1x5GD3BRArl1Ts0p_QAtND-elV2c_ZDk-txpGCkI2ESGKszjv5_UF_aiIeO5l344ECB_zERD5LA3BeXoVDix-v5uw0KLFjZM03OBcNbItdy1B7dNIGUqOZNpRp2PWXxY5ppf33BXXY3U_JepzK0qynZCvlPAeSJKqIc5LKpPBauzUYOYq0VH1xkL_SdfDgvoSCi69Eqgu9i3qNSaV8B7mdYO5mrfxsaE9SroKR2P0PdyEt-n2HkrqQAZ7w'
'x-envoy-expected-rq-timeout-ms', '15000'


============================== JWT Verify

[2022-05-24 20:14:00.828][629][debug][jwt] [source/extensions/filters/http/jwt_authn/authenticator.cc:144] google-jwt: startVerify: tokens size 1
[2022-05-24 20:14:00.828][629][debug][jwt] [source/extensions/filters/http/jwt_authn/authenticator.cc:157] google-jwt: Parse Jwt eyJhbGciOiJSUzI1NiIsImtpZCI6IjQ4NmYxNjQ4MjAwNWEyY2RhZjI2ZDkyMTQwMThkMDI5Y2E0NmZiNTYiLCJ0eXAiOiJKV1QifQ.eyJhdWQiOiJzZXJ2ZXIuYy5taW5lcmFsLW1pbnV0aWEtODIwLmludGVybmFsIiwiYXpwIjoiMTA1MzU4NTk0NTI2NzgxNzIzMzgzIiwiZXhwIjoxNjUzNDI2ODQwLCJpYXQiOjE2NTM0MjMyNDAsImlzcyI6Imh0dHBzOi8vYWNjb3VudHMuZ29vZ2xlLmNvbSIsInN1YiI6IjEwNTM1ODU5NDUyNjc4MTcyMzM4MyJ9.c-zxdjjUPT7B7g9BlHFjYj2bVnCksr0RNuGtF2I-ln3dcAzgu1pd_E-zoWR-KwJDZOuSMPDcjUea75DUt5ps4TwbHFyZ1x5GD3BRArl1Ts0p_QAtND-elV2c_ZDk-txpGCkI2ESGKszjv5_UF_aiIeO5l344ECB_zERD5LA3BeXoVDix-v5uw0KLFjZM03OBcNbItdy1B7dNIGUqOZNpRp2PWXxY5ppf33BXXY3U_JepzK0qynZCvlPAeSJKqIc5LKpPBauzUYOYq0VH1xkL_SdfDgvoSCi69Eqgu9i3qNSaV8B7mdYO5mrfxsaE9SroKR2P0PdyEt-n2HkrqQAZ7w
[2022-05-24 20:14:00.828][629][debug][jwt] [source/extensions/filters/http/jwt_authn/authenticator.cc:167] google-jwt: Verifying JWT token of issuer https://accounts.google.com

============================== Get and Cache JWK

[2022-05-24 20:14:00.828][629][trace][filter] [source/extensions/filters/http/common/jwks_fetcher.cc:27] JwksFetcherImpl
[2022-05-24 20:14:00.828][629][trace][filter] [source/extensions/filters/http/common/jwks_fetcher.cc:41] fetch
[2022-05-24 20:14:00.828][629][debug][filter] [source/extensions/filters/http/common/jwks_fetcher.cc:60] fetch pubkey from [uri = https://www.googleapis.com/oauth2/v3/certs]: start
[2022-05-24 20:14:00.828][629][debug][router] [source/common/router/router.cc:467] [C0][S15262186142634120070] cluster 'jwt.www.googleapis.com|443' match for URL '/oauth2/v3/certs'
[2022-05-24 20:14:00.828][629][debug][router] [source/common/router/router.cc:670] [C0][S15262186142634120070] router decoding headers:
':path', '/oauth2/v3/certs'
':authority', 'www.googleapis.com'
':method', 'GET'
':scheme', 'http'
'x-envoy-internal', 'true'
'x-forwarded-for', '10.128.0.2'
'x-envoy-expected-rq-timeout-ms', '5000'

[2022-05-24 20:14:00.835][629][trace][http] [source/common/http/http1/codec_impl.cc:1353] [C1] status_code 200
[2022-05-24 20:14:00.835][629][trace][http] [source/common/http/http1/codec_impl.cc:1363] [C1] Client: onHeadersComplete size=12
[2022-05-24 20:14:00.835][629][debug][router] [source/common/router/router.cc:1351] [C0][S15262186142634120070] upstream headers complete: end_stream=false
[2022-05-24 20:14:00.835][629][debug][http] [source/common/http/async_client_impl.cc:101] async http request response headers (end_stream=false):
':status', '200'
'vary', 'X-Origin,Referer,Origin,Accept-Encoding'
'server', 'scaffolding on HTTPServer2'
'x-xss-protection', '0'
'x-frame-options', 'SAMEORIGIN'
'x-content-type-options', 'nosniff'
'date', 'Tue, 24 May 2022 20:13:47 GMT'
'expires', 'Wed, 25 May 2022 01:46:27 GMT'
'cache-control', 'public, max-age=19960, must-revalidate, no-transform'
'content-type', 'application/json; charset=UTF-8'
'age', '13'
'accept-ranges', 'none'
'transfer-encoding', 'chunked'
'x-envoy-upstream-service-time', '6'

============================== Verify JWK

[2022-05-24 20:14:00.836][629][debug][filter] [source/extensions/filters/http/common/jwks_fetcher.cc:85] onSuccess: fetch pubkey [uri = https://www.googleapis.com/oauth2/v3/certs]: success
[2022-05-24 20:14:00.836][629][debug][filter] [source/extensions/filters/http/common/jwks_fetcher.cc:91] onSuccess: fetch pubkey [uri = https://www.googleapis.com/oauth2/v3/certs]: succeeded
[2022-05-24 20:14:00.837][629][debug][jwt] [source/extensions/filters/http/jwt_authn/authenticator.cc:313] google-jwt: JWT token verification completed with: OK
[2022-05-24 20:14:00.837][629][debug][jwt] [source/extensions/filters/http/jwt_authn/filter.cc:110] Jwt authentication completed with: OK
[2022-05-24 20:14:00.837][629][trace][http] [source/common/http/filter_manager.cc:70] [C0][S2732626836338267029] continuing filter chain: filter=0x46903f9407e0

============================== Send Client Response

[2022-05-24 20:14:00.837][629][debug][http] [source/common/http/filter_manager.cc:952] [C0][S2732626836338267029] Sending local reply with details direct_response
[2022-05-24 20:14:00.837][629][trace][misc] [source/common/event/scaled_range_timer_manager_impl.cc:60] enableTimer called on 0x46903f4ac180 for 300000ms, min is 300000ms
[2022-05-24 20:14:00.837][629][debug][http] [source/common/http/conn_manager_impl.cc:1516] [C0][S2732626836338267029] encoding headers via codec (end_stream=false):
':status', '200'
'content-length', '2'
'content-type', 'text/plain'
'date', 'Tue, 24 May 2022 20:14:00 GMT'
'server', 'envoy'

[2022-05-24 20:14:00.837][629][debug][pool] [source/common/http/http1/conn_pool.cc:53] [C1] response complete

References

This site supports webmentions. Send me a mention via this form.