This is not a security vulnerability or a crashing bug
This is not a question about how to use Istio
Bug Description
When Istio is frequently generating configuration, and there is at least one JWKS URI that hasn't been fetched and returns an error, then the background refresh that fetches and updates other good URIs won't be triggered.
Repro steps:
1. Install Istio and bookinfo.
2. On istiod, set the env PILOT_JWT_PUB_KEY_REFRESH_INTERVAL to something short like 30s (not required, but makes validation much faster).
3. Set up a JWKS server that you control; I used a test service in the cluster.
4. Create RequestAuthentication and AuthorizationPolicy to require a JWT for accessing productpage with a good jwksUri from your test server.
5. Now run a loop that creates and deletes a RequestAuthentication config for details with an invalid jwks URI with a 10s delay (must be shorter than the refresh interval set above).
6. Now change the JWKS returned by the test server created in (3) for the good URI configured in (4), which you'd expect to get updated.
7. Wait a couple of minutes, enough time that the JWKS should have been updated.
8. Issue a request to productpage with a JWT signed by the key in the old JWKS - it will still work. Then issue a request with a JWT signed by the key in the new JWKS - you get a 403.
Version
% istioctl version
client version: 1.22.1
control plane version: 1.22.1
data plane version: 1.22.1 (9 proxies)
% kubectl version
Client Version: v1.29.2
Kustomize Version: v5.0.4-0.20230601165947-6ce0bf390ce3
Server Version: v1.29.1
But it still occurs in a master build
Additional Information
Skipping as I am already working on a PR to fix this
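The failure mode described in this report, as an added example that is not part of the issue and not Istio's own JWKS resolver: a small in-memory JWKS cache whose periodic refresh records a fetch error per URI and keeps going, so one issuer that returns errors cannot stop key rotation for the others. The `Fetcher` function, the `JwksCache` type and the URIs `https://good.example/jwks` and `https://bad.example/jwks` are assumptions constructed for the example; the real fetch would be an HTTP GET.

```go
package main

import (
	"errors"
	"fmt"
	"sync"
	"time"
)

// jwksEntry is one cached JWKS document keyed by its URI.
type jwksEntry struct {
	jwks        string    // raw JWKS JSON as served by the issuer
	lastRefresh time.Time // zero if the URI has never been fetched successfully
	lastErr     error     // error from the most recent attempt, nil on success
}

// Fetcher retrieves the JWKS document behind a URI. Assumption: a real
// implementation does an HTTP GET; it is injected here so the example runs offline.
type Fetcher func(uri string) (string, error)

// JwksCache tracks every jwksUri referenced by RequestAuthentication policies
// (hypothetical cache, not the project's code).
type JwksCache struct {
	mu      sync.Mutex
	entries map[string]*jwksEntry
	fetch   Fetcher
	now     func() time.Time
}

func NewJwksCache(fetch Fetcher) *JwksCache {
	return &JwksCache{entries: map[string]*jwksEntry{}, fetch: fetch, now: time.Now}
}

// Track registers a URI (a policy was created) and attempts an initial fetch.
// A failure is recorded but the URI stays tracked and is retried on refresh.
func (c *JwksCache) Track(uri string) error {
	c.mu.Lock()
	defer c.mu.Unlock()
	if _, ok := c.entries[uri]; !ok {
		c.entries[uri] = &jwksEntry{}
	}
	return c.refreshOneLocked(uri)
}

// Untrack drops a URI (its policy was deleted).
func (c *JwksCache) Untrack(uri string) {
	c.mu.Lock()
	defer c.mu.Unlock()
	delete(c.entries, uri)
}

func (c *JwksCache) refreshOneLocked(uri string) error {
	e := c.entries[uri]
	doc, err := c.fetch(uri)
	e.lastErr = err
	if err != nil {
		return err // keep the previously cached document, if any
	}
	e.jwks = doc
	e.lastRefresh = c.now()
	return nil
}

// RefreshAll re-fetches every tracked URI. Errors are collected per URI instead
// of aborting the loop, so a bad URI cannot starve good ones of key rotation.
func (c *JwksCache) RefreshAll() map[string]error {
	c.mu.Lock()
	defer c.mu.Unlock()
	failed := map[string]error{}
	for uri := range c.entries {
		if err := c.refreshOneLocked(uri); err != nil {
			failed[uri] = err
		}
	}
	return failed
}

// Get returns the cached JWKS and whether any successful fetch has happened.
func (c *JwksCache) Get(uri string) (string, bool) {
	c.mu.Lock()
	defer c.mu.Unlock()
	e, ok := c.entries[uri]
	if !ok || e.lastRefresh.IsZero() {
		return "", false
	}
	return e.jwks, true
}

func main() {
	// Constructed sample: the good issuer rotates its key between refreshes
	// while a second URI always fails, mirroring the repro steps above.
	keys := map[string]string{"https://good.example/jwks": `{"keys":[{"kid":"old"}]}`}
	fetch := func(uri string) (string, error) {
		doc, ok := keys[uri]
		if !ok {
			return "", errors.New("404 from " + uri)
		}
		return doc, nil
	}
	c := NewJwksCache(fetch)
	_ = c.Track("https://good.example/jwks")
	_ = c.Track("https://bad.example/jwks") // initial fetch fails, stays tracked
	keys["https://good.example/jwks"] = `{"keys":[{"kid":"new"}]}`
	failed := c.RefreshAll()
	doc, _ := c.Get("https://good.example/jwks")
	fmt.Println(doc, failed)
}
```

The point to check in any resolver is the one the repro exercises: after a refresh interval in which one URI kept failing, `Get` on the good URI must return the rotated document, and the bad URI must still report no usable keys rather than a stale or empty set.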