A HTTP Filter checking for OIDC Authentication, made for Envoy Plugins, written in Rust

Related tags

Authentication rust wasm openid-connect jwt-authentication oidc envoy envoy-filter envoyproxy envoy-plugin
Overview

WASM OIDC Plugin

Build Status Documentation

A plugin for Envoy written in Rust.

It is a HTTP Filter, that implements the OIDC Authorization Code Flow. Requests sent to the filter are checked for the presence of a valid session cookie. If the cookie is not present, the user is redirected to the Authorization endpoint to authenticate. After successful authentication, the user is redirected back to the original request.

Install

Install Toolchain for WASM in Rust

For developing the Rust Toolchain has to be installed and the WASM target has to be enabled.

E.g. for Ubuntu this can be achieved by:

# Install Build essentials
apt install build-essential
# Install Rustup
curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh
# Enable WASM compilation target
cargo build --target wasm32-wasi --release

Try it out

Shortcut:

make simulate

The long version

Building the plugin:

cargo build --target wasm32-wasi --release

Testing locally with Envoy:

To test docker and docker-compose are needed.

docker compose up

Requests to the locally running envoy with the plugin enabled:

curl localhost:10000

Documentation

To generate a detailed documentation, run:

cargo doc --document-private-items --open

Documentation is also hosted on GitHub Pages

Configuration

The plugin is configured via the envoy.yaml file. The following configuration options are required:

Name Type Description Example
config_endpoint string The open id configuration endpoint. https://accounts.google.com/.well-known/openid-configuration
reload_interval_in_hours u64 The interval in hours, after which the OIDC configuration is reloaded. 24
exclude_hosts Vec<Regex> A comma separated list Hosts (in Regex expressions), that are excluded from the filtrr. ["localhost:10000"]
exclude_paths Vec<Regex> A comma separated list of paths (in Regex expressions), that are excluded from the filter. ["/health"]
exclude_urls Vec<Regex> A comma separated list of URLs (in Regex expressions), that are excluded from the filter. ["localhost:10000/health"]
cookie_name string The name of the cookie, that is used to store the session. oidcSession
cookie_duration u64 The duration in seconds, after which the session cookie expires. 86400
aes_key string A base64 encoded AES-256 Key SFDUGDbOsRzSZbv+mvnZdu2x6+Hqe2WRaBABvfxmh3Q
authority string The authority of the authorization_endpoint. accounts.google.com
redirect_uri string The redirect URI, that the authorization_endpoint will redirect to. http://localhost:10000/oidc/callback
client_id string The client ID, for getting and exchanging the code. wasm-oidc-plugin
scope string The scope, to validate openid email
claims string The claims, to validate {\"id_token\":{\"email\":null}}
client_secret string The client secret, that is used to authenticate with the authorization_endpoint. secret
audience string The audience, that is used to validate the token. wasm-oidc-plugin

With these configuration options, the plugin starts and loads more information itself such as the OIDC providers public keys, issuer, etc.

For that a state is used, which determines, what to load next. The following states are possbile and depending on the outcome, the state is changed or not:

State Description
Uninitialized The plugin is not initialized yet.
LoadingConfig The plugin is loading the configuration from the config_endpoint.
LoadingJwks The plugin is loading the public keys from the jwks_uri.
Ready The plugin is ready to handle requests and will reload the configuration after the reload_interval_in_hours has passed.

Handling a request

When a new request arrives, the root context creates a new http context with the information that has been loaded previously.

Then, one of the following cases is handled:

  1. The filter is not configured yet and still loading the configuration. The request is paused and queued until the configuration is loaded. Then, then, the RootContext resumes the request and the Request is redirected in order to create a new context.
  2. The request has the code parameter in the URL query. This means that the user has been redirected back from the authorization_endpoint after successful authentication. The plugin exchanges the code for a token using the token_endpoint and stores the token in the session. Then, the user is redirected back to the original request.
  3. The request has a valid session cookie. The plugin decoded, decrypts and then validates the cookie and passes the request depending on the outcome of the validation of the token.
  4. The request has no valid session cookie. The plugin redirects the user to the authorization_endpoint to authenticate. Once, the user returns, the second case is handled.

Tools

Gitleaks

We are using Gitleaks to protect from unwanted secret leaking and prevent security incidents by detecting passwords, secrets, API keys, tokens and more in git repos.

To run gitleaks, install it first and then run:

gitleaks protect

# To get the list of leaks
gitleaks protect --verbose

If you want to install a pre-commit hook - you should - install pre-commit and run (from the root of the project):

pre-commit install

Cargo-Deny

Cargo-deny checks all dependencies for security vulnerabilities and license issues.

Install cargo-deny:

cargo install --locked cargo-deny

And then run:

cargo-deny check licenses
cargo-deny check advisories

These commands are also run in the CI pipeline.

You might also like...
JWT lib in rust

jsonwebtoken API documentation on docs.rs See JSON Web Tokens for more information on what JSON Web Tokens are. Installation Add the following to Carg

Vincent Prouillet 1.1k Jan 3, 2023
Authorization Server with Rust using Tonic

authorization-server Authorization Server with Rust using Tonic. Function implemented User registration and profile store Change password Login Token

sora 3 Oct 5, 2021
A paseto implementation in rust.

Paseto Rust Paseto is everything you love about JOSE (JWT, JWE, JWS) without any of the many design deficits that plague the JOSE standards. This is d

Instructure, Inc. 145 Nov 7, 2022
Extensible, strongly-typed Rust OAuth2 client library

OAuth2 An extensible, strongly-typed implementation of OAuth2 (RFC 6749). Documentation is available on docs.rs. Release notes are available on GitHub

David Ramos 602 Dec 25, 2022
An auth system/library for Rust applications

Rust : Forbidden (WIP) An experimental auth library for Rust applications. Goals This crate is to define a common set of traits and idioms to provide

Mario Montoya 9 Nov 8, 2022
ROCCA cipher implementation for Rust.

ROCCA for Rust This is a Rust implementation of the ROCCA authenticated cipher, ported from the Zig implementation. ROCCA is key committing, has a 256

Frank Denis 6 Sep 30, 2022
RSA implementation in pure Rust

RSA A portable RSA implementation in pure Rust. ⚠️ WARNING: This crate has been audited by a 3rd party, but a full blog post with the results and the

Rust Crypto 346 Jan 4, 2023
Tools for manipulating JSON Web Tokens, JWS, JWE, and JWK in Rust
Tools for manipulating JSON Web Tokens, JWS, JWE, and JWK in Rust

Rusty JWT Tools A collection of JWT utilities. This repository is part of the source code of Wire. You can find more information at wire.com or by con

Wire Swiss GmbH 4 Nov 22, 2022
A set of Rust libraries to interact with apple's private APIs and servers.

apple-private-apis A set of Rust libraries to interact with apple's private APIs and servers, made for use in SideInstaller. Library Description omnis

SideStore Team 4 Jan 25, 2023
Releases(v0.1.1)

  • v0.1.1(Jul 4, 2023)

    What's Changed

    • Workflow for Build & Docs and Test Workflow for PRs by @antonengelhardt in https://github.com/antonengelhardt/wasm-oidc-plugin/pull/1

    New Contributors

    • @antonengelhardt made their first contribution in https://github.com/antonengelhardt/wasm-oidc-plugin/pull/1

    Full Changelog: https://github.com/antonengelhardt/wasm-oidc-plugin/compare/v0.1...v0.1.1

    Source code(tar.gz)
    Source code(zip)
Owner
Anton Engelhardt
Building @savestrike & other projects. From Germany, living in Berlin.
Anton Engelhardt
GitHub
Rust library for HTTP authentication. Parses challenge lists, responds to Basic and Digest challenges. Likely to be extended with server support and additional auth schemes.

Rust library for HTTP authentication. Parses challenge lists, responds to Basic and Digest challenges. Likely to be extended with server support and a

Scott Lamb 3 Jun 10, 2022
Fast, simple and REST compliant file-server with public/private key authentication written in Rust

stormi Stormi is a fast and simple file-server with public/private key authentication How does it work? Stormi accepts multipart/form-data form with m

Polygon 2 Dec 8, 2022
Example application using a Vue frontend with Rust backend that has authentication + authorization.

This project contains a Rust server that serves a single page application and has authentication + JWT-based authorization.

null 43 Dec 9, 2022
Authenticate to Minecraft using the Microsoft Authentication Scheme from Rust.

Authenticating to Minecraft with the Microsoft Authentication Scheme from Rust This program showcases an implementation of the microsoft authenticatio

ALinuxPerson 17 Dec 22, 2022
🔥 Firebase authentication for Rust 🦀

Fire Auth Rust wrapper for Firebase Authentication REST API Installation Add the following to Cargo.toml: fireauth = "0.1.5" How to use First you need

UwU 11 Nov 12, 2022
Xbox live authentication flow for Minecraft with Rust.

MC Auth Xbox live authentication flow for Minecraft in Rust. Why? In order to create tools for Minecraft based on rust that implement the user profile

Minecraft Rust 3 Jan 15, 2023
An implementation for an authentication API for Rocket applications.

rocket_auth rocket_auth provides a ready-to-use backend agnostic API for authentication management. For more information visit the documentation at ht

null 62 Dec 19, 2022
vault client using jwt authentication that define environment variables from vault secrets before executing into something else

envlt envlt, like env, allows you to define environment variables and then execute into something else, but instead of static values, it uses using si

Eric Burghard 6 Nov 13, 2022
High-level http auth extractors for axum

High-level http auth extractors for axum

Owez 44 Dec 23, 2022
OpenSK is an open-source implementation for security keys written in Rust that supports both FIDO U2F and FIDO2 standards.

OpenSK This repository contains a Rust implementation of a FIDO2 authenticator. We developed this as a Tock OS application and it has been successfull

Google 2.4k Jan 2, 2023