
Authorization Policy Fails with Multiple Scopes in Istio #54019

Open
@jonatasvieira

Description

Is this the right place to submit this?

  • This is not a security vulnerability or a crashing bug
  • This is not a question about how to use Istio

Bug Description

Summary: When using an Istio AuthorizationPolicy with multiple scopes in the request.auth.claims[oracle.oauth.scope] field, I encounter an RBAC error: rbac: access denied. The policy works correctly when only one scope is present, but fails when multiple scopes are included.

Details: I have an AuthorizationPolicy defined as follows:

apiVersion: security.istio.io/v1
kind: AuthorizationPolicy
metadata:
  labels:
    app.kubernetes.io/managed-by: Helm
  name: ms-demo
  namespace: demo
spec:
  action: ALLOW
  rules:
  - from:
    - source:
        requestPrincipals:
        - https://myPrincipal.com/*
    when:
    - key: request.auth.claims[oracle.oauth.client_origin_id]
      values:
      - f47ac10b58cc4372a5670e02b2c3d479
      - 9b2d9c4e1f4b4f2b8c6e8f4e8f4e8f4e
      - 123e4567e89b12d3a456426614174000
    - key: request.auth.claims[oracle.oauth.scope]
      values:
      - TestAccount.Profile
      - ValidatorAccount.Profile
  selector:
    matchLabels:
      app.kubernetes.io/instance: ms-demo-v1

Problem: When the token contains multiple scopes, such as TestAccount.Profile ValidatorAccount.Profile, I receive an RBAC error: rbac: access denied. The policy works correctly when only one scope is present.

The request to the principal is being made passing two scopes: "TestAccount.Profile ValidatorAccount.Profile" (both on my authorization policy).

Expected Behavior: The AuthorizationPolicy should allow access when the token contains multiple scopes as specified in the values field.

Steps to Reproduce:

Define an AuthorizationPolicy with multiple scopes in the request.auth.claims[oracle.oauth.scope] field.
Generate a token with multiple scopes.
Attempt to access the resource.
Observe the RBAC error.

Additional Information: Any guidance on how to properly configure the AuthorizationPolicy to handle multiple scopes would be greatly appreciated.

Version

$ istioctl version
client version: 1.23.1
control plane version: 1.23.1
data plane version: 1.23.1 (158 proxies)

$ kubectl version
Client Version: v1.30.2
Kustomize Version: v5.0.4-0.20230601165947-6ce0bf390ce3
Server Version: v1.27.3

$ helm version --short
v3.10.3+g835b733

Additional Information

No response
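As an added example, not part of this report and not Istio's own code: a small Python model of the scope condition above. It assumes a hypothetical matching model in which a policy value must equal the whole claim string, or one element when the claim is a JSON list, with no splitting on spaces; that assumption reproduces the behaviour reported (a single scope passes, the space-joined string fails) and lets you check which form your issuer actually emits. The tokens are constructed placeholders for offline inspection, not signed JWTs.

```python
import base64
import json

# Policy values taken from the report's AuthorizationPolicy
# (key request.auth.claims[oracle.oauth.scope]).
POLICY_SCOPE_VALUES = ["TestAccount.Profile", "ValidatorAccount.Profile"]
SCOPE_CLAIM = "oracle.oauth.scope"


def decode_payload(token: str) -> dict:
    """Decode the payload segment of a JWT for inspection only.

    No signature check is done here; the point is to see whether the
    issuer emits the scope claim as one space-joined string or as a list.
    """
    segment = token.split(".")[1]
    segment += "=" * (-len(segment) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(segment))


def constructed_token(claims: dict) -> str:
    """Constructed sample token: placeholder header and signature segments
    around a real payload. Not a valid signed JWT."""
    payload = base64.urlsafe_b64encode(json.dumps(claims).encode())
    return "hdr." + payload.rstrip(b"=").decode() + ".sig"


def claim_matches(claim_value, policy_values) -> bool:
    """Assumed matching model (hypothetical, see lead-in): a string claim must
    equal a policy value exactly; a list claim matches if any element does.
    A space-separated scope string is never split into parts."""
    if isinstance(claim_value, list):
        return any(v in policy_values for v in claim_value)
    return claim_value in policy_values


def scope_allowed(token: str) -> bool:
    """Evaluate the report's scope condition against a token's payload."""
    claims = decode_payload(token)
    return claim_matches(claims.get(SCOPE_CLAIM), POLICY_SCOPE_VALUES)


if __name__ == "__main__":
    samples = {
        "single": constructed_token({SCOPE_CLAIM: "TestAccount.Profile"}),
        "joined": constructed_token({SCOPE_CLAIM: "TestAccount.Profile ValidatorAccount.Profile"}),
        "listed": constructed_token({SCOPE_CLAIM: ["TestAccount.Profile", "ValidatorAccount.Profile"]}),
    }
    for name, tok in samples.items():
        print(f"{name:7s} scope={decode_payload(tok)[SCOPE_CLAIM]!r} allowed={scope_allowed(tok)}")
```

To check a real token from your issuer, pass it to decode_payload and look at the type of the scope claim (str or list) before comparing it with the policy's values.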
