[Bug]: JWT validation does not work with requests larger than 1MB using JWKSUri as source for keys

[nixx]

Version

edge

What Kubernetes platforms are you running on?

AKS Azure

Steps to reproduce

When using JWKs URI as source for JWKs a subrequest is used. The request limit for subrequests is the default 1MB and the client gets a 413 Payload to large.

The configuration is similar to:

jwt:
  realm: Realm
  token: $http_token
  jwksURI: https://location_of_jwt
  keyCache: 1h

This is a similar bug as #7876

[github-actions]

Hi @nixx thanks for reporting!

Be sure to check out the docs and the Contributing Guidelines while you wait for a human to take a look at this 🙂

Cheers!

[vepatel]

hey @nixx, just to confirm that this is when setting client-max-body-size in VS upstream option only?
eg:

  upstreams:
  - name: webapp
    service: webapp-svc
    port: 80
    client-max-body-size: 2m

[nixx]

@vepatel correct

 upstreams:
  - client-max-body-size: 0m
     name: sizetest-upstream
     port: 80
     use-cluster-ip: true

Smaller requests (under 1MB) works fine. It should be quite easy to reproduce.

The genereated code for fetching the JWKs is:

    location = /_jwks_uri_server_XXXX {
        internal;
        proxy_method GET;
        proxy_set_header Content-Length "";
        proxy_cache jwks_uri_XXXX;
        proxy_cache_valid 200 12h;
        proxy_set_header Host XXXX
        set $idp_backend XXXX;
        proxy_pass https://$idp_backend/jwks;
    }

I would also expect the following directives to be set:

proxy_pass_request_headers off;
proxy_pass_request_body off;

As well SNI validation, but from what I can see, this will be fixed in #7993

[nixx]

An addional note: When testing with Curl, curl sets "Expect: 100-continue". This work fine, and we are not limited by size. However, clients not setting "Expect: 100-continue" seems to break the JWT-validation

[vepatel]

hey @nixx, can confirm that this is an issue we will be working on a fix!
as a work around for now, you can set client-max-body-size key in configmap (http-context) and it should persist across all child contexts.

As for setting:

proxy_pass_request_headers off;
proxy_pass_request_body off;

can I request if you can create a new feature request please as ideally we'd prefer them being customisable

[vepatel]

@nixx Can you please also confirm which IDP you're using? this'll help us test the fix better!