envoy.filters.http.jwt_authn: std::terminate called #8363
Description
Title: Trying to auth with a jwt token crashes envoy
Description:
I'm following a basic setup for auth0 and envoy. When I submit a GET request to localhost:8080 with a valid jwt bearer token envoy crashes (running version: e349fb6/1.11.1/Clean/RELEASE/BoringSSL).
Repro steps:
- Set up envoy for auth0 jwt.
- Access it with a valid token
Admin and Stats Output:
The server crashes so no output is available, the full configuration is attached below
Config:
admin:
access_log_path: /tmp/admin_access.log
address:
socket_address: { address: 0.0.0.0, port_value: 9901 }
static_resources:
listeners:
- name: listener_0
address:
socket_address: { address: 0.0.0.0, port_value: 8080 }
filter_chains:
- filters:
- name: envoy.http_connection_manager
config:
codec_type: auto
stat_prefix: ingress_http
route_config:
name: local_route
virtual_hosts:
- name: local_service
domains: ["*"]
routes:
- match: { prefix: "/" }
route:
cluster: web
cors:
allow_origin:
- "*"
allow_methods: GET, PUT, DELETE, POST, OPTIONS
allow_headers: keep-alive,user-agent,cache-control,content-type,content-transfer-encoding,custom-header-1,x-accept-content-transfer-encoding,x-accept-response-streaming,x-user-agent,x-grpc-web,grpc-timeout
max_age: "1728000"
expose_headers: custom-header-1,grpc-status,grpc-message
http_filters:
- name: envoy.filters.http.jwt_authn
config:
providers:
jwt_provider:
issuer: https://example-com.auth0.com/
audiences:
- api.example.com
remote_jwks:
http_uri:
uri: https://example-com.auth0.com/.well-known/jwks.json
cluster: example-com.auth0.com|443
forward: true
forward_payload_header: "plain-authorization"
rules:
- match:
prefix: /
requires:
provider_and_audiences:
provider_name: jwt_provider
audiences:
api.example.com
- name: envoy.grpc_web
- name: envoy.cors
- name: envoy.router
clusters:
- name: web
connect_timeout: 0.25s
type: logical_dns
lb_policy: round_robin
hosts: [{ socket_address: { address: 172.28.1.2, port_value: 80 }}]Logs:
envoy_1 | [2019-09-25 13:14:35.685][1][info][main] [source/server/server.cc:516] starting main dispatch loop
envoy_1 | [2019-09-25 13:14:44.790][11][critical][main] [source/exe/terminate_handler.cc:13] std::terminate called! (possible uncaught exception, see trace)
envoy_1 | [2019-09-25 13:14:44.790][11][critical][backtrace] [bazel-out/k8-opt/bin/source/server/_virtual_includes/backtrace_lib/server/backtrace.h:69] Backtrace (use tools/stack_decode.py to get line numbers):
envoy_1 | [2019-09-25 13:14:44.791][11][critical][backtrace] [bazel-out/k8-opt/bin/source/server/_virtual_includes/backtrace_lib/server/backtrace.h:75] #0: [0x1192ec8]
envoy_1 | [2019-09-25 13:14:44.791][11][critical][backtrace] [bazel-out/k8-opt/bin/source/server/_virtual_includes/backtrace_lib/server/backtrace.h:75] #1: [0x1192dd9]
envoy_1 | [2019-09-25 13:14:44.792][11][critical][backtrace] [bazel-out/k8-opt/bin/source/server/_virtual_includes/backtrace_lib/server/backtrace.h:75] #2: [0x1309fa6]
envoy_1 | [2019-09-25 13:14:44.792][11][critical][backtrace] [bazel-out/k8-opt/bin/source/server/_virtual_includes/backtrace_lib/server/backtrace.h:81] Caught Aborted, suspect faulting address 0x1
envoy_1 | [2019-09-25 13:14:44.792][11][critical][backtrace] [bazel-out/k8-opt/bin/source/server/_virtual_includes/backtrace_lib/server/backtrace.h:69] Backtrace (use tools/stack_decode.py to get line numbers):
envoy_1 | [2019-09-25 13:14:44.792][11][critical][backtrace] [bazel-out/k8-opt/bin/source/server/_virtual_includes/backtrace_lib/server/backtrace.h:75] #0: [0x7f78dbdb94b0]
envoy_1 | [2019-09-25 13:14:44.792][11][critical][backtrace] [bazel-out/k8-opt/bin/source/server/_virtual_includes/backtrace_lib/server/backtrace.h:75] #1: [0x1192dd9]
envoy_1 | [2019-09-25 13:14:44.793][11][critical][backtrace] [bazel-out/k8-opt/bin/source/server/_virtual_includes/backtrace_lib/server/backtrace.h:75] #2: [0x1309fa6]
envoy_1 | ActiveStream 0x2d4a880, stream_id_: 10394178322800361697, has_continue_headers_: 0, is_head_request_: 0, decoding_headers_only_: 0, encoding_headers_only_: 0
envoy_1 | request_headers_:
envoy_1 | ':authority', 'localhost:8080'
envoy_1 | ':path', '/'
envoy_1 | ':method', 'GET'
envoy_1 | 'authorization', 'Bearer xxx'
envoy_1 | 'user-agent', 'PostmanRuntime/7.17.1'
envoy_1 | 'accept', '*/*'
envoy_1 | 'cache-control', 'no-cache'
envoy_1 | 'postman-token', '13fc3bc4-15b7-4f7f-812e-140ebda3a36b'
envoy_1 | 'accept-encoding', 'gzip, deflate'
envoy_1 | 'x-forwarded-proto', 'http'
envoy_1 | 'x-request-id', 'b6dbf945-48f2-4d36-bf8d-3b74820144f3'
envoy_1 | request_trailers_: null
envoy_1 | response_headers_: null
envoy_1 | response_trailers_: null
envoy_1 | &stream_info_:
envoy_1 | StreamInfoImpl 0x2d4a9b8, protocol_: 1, response_code_: null, response_code_details_: null, health_check_request_: 0, route_name_:
envoy_1 | [2019-09-25 13:14:44.809][11][critical][backtrace] [bazel-out/k8-opt/bin/source/server/_virtual_includes/backtrace_lib/server/backtrace.h:81] Caught Segmentation fault, suspect faulting address 0x0
envoy_1 | [2019-09-25 13:14:44.809][11][critical][backtrace] [bazel-out/k8-opt/bin/source/server/_virtual_includes/backtrace_lib/server/backtrace.h:69] Backtrace (use tools/stack_decode.py to get line numbers):
envoy_1 | [2019-09-25 13:14:44.810][11][critical][backtrace] [bazel-out/k8-opt/bin/source/server/_virtual_includes/backtrace_lib/server/backtrace.h:75] #0: [0x7f78dbdb94b0]
envoy_1 | [2019-09-25 13:14:44.810][11][critical][backtrace] [bazel-out/k8-opt/bin/source/server/_virtual_includes/backtrace_lib/server/backtrace.h:75] #1: [0x1192dd9]
envoy_1 | [2019-09-25 13:14:44.810][11][critical][backtrace] [bazel-out/k8-opt/bin/source/server/_virtual_includes/backtrace_lib/server/backtrace.h:75] #2: [0x1309fa6]
envoy-auth0_envoy_1 exited with code 139