"bad decrypt" on client connect (envoy/ext_authz <-> eas)

See original GitHub issue

Hello,

I'm trying to set up an OAuth-based PoC with Okta, envoy.filters.http.ext_authz and eas.

On web client connect to the Envoy proxy, the EAS server logs the following:

docker logs -f eas
info: revoked JTIs: []
info: starting server on port 8080
info: starting verify pipeline
error: error:06065064:digital envelope routines:EVP_DecryptFinal_ex:bad decrypt {"stack":"Error: error:06065064:digital envelope routines:EVP_DecryptFinal_ex:bad decrypt\n    at Object.decrypt (/home/eas/app/src/utils.js:82:11)\n    at verifyHandler (/home/eas/app/src/server.js:124:46)\n    at /home/eas/app/src/server.js:559:3\n    at Layer.handle [as handle_request] (/home/eas/app/node_modules/express/lib/router/layer.js:95:5)\n    at next (/home/eas/app/node_modules/express/lib/router/route.js:137:13)\n    at next (/home/eas/app/node_modules/express/lib/router/route.js:131:14)\n    at next (/home/eas/app/node_modules/express/lib/router/route.js:131:14)\n    at next (/home/eas/app/node_modules/express/lib/router/route.js:131:14)\n    at next (/home/eas/app/node_modules/express/lib/router/route.js:131:14)\n    at next (/home/eas/app/node_modules/express/lib/router/route.js:131:14)"}
(node:19) [DEP0106] DeprecationWarning: crypto.createDecipher is deprecated.

As I understand it, this could be due to a bad key, but the command executed to generate the config_token matches the keys in docker-compose:

EAS_CONFIG_TOKEN_SIGN_SECRET=foo EAS_CONFIG_TOKEN_ENCRYPT_SECRET=bar node bin/generate-config-token.js
encrypted token (for server-side usage): tsUdAn/pNXvl58Uon2IzB....cd1/nAN78tbnz3tw1Zo

URL safe config_token: tsUdAn%2FpNXvl58Uon2IzBS%2FZdb.........bnz3tw1Zo

(node:56130) [DEP0106] DeprecationWarning: crypto.createCipher is deprecated.
(Use `node --trace-deprecation ...` to show where the warning was created)

Node version on the device used to generate the config_token:

node --version
v16.5.0

I tried older Node versions, but it results in the same error, just without the deprecated cipher warning.

Any suggestions as to what I could be doing wrong?

Thank you!

—cut-----------------------------------------

ExtAuthz config:

          http_filters:
          - name: envoy.filters.http.ext_authz
            typed_config:
              "@type": type.googleapis.com/envoy.extensions.filters.http.ext_authz.v3.ExtAuthz
              transport_api_version: V3
              http_service:
                authorizationRequest:
                  allowedHeaders:
                    patterns:
                      - exact: cookie
                      - exact: X-Forwarded-Host
                      - exact: X-Forwarded-Method
                      - exact: X-Forwarded-Proto
                      - exact: X-Forwarded-Uri
                  headers_to_add:
                    - key: "x-eas-verify-params"
                      value: '{"config_token":"---deleted---"}'
                pathPrefix: /envoy/verify-params-header
                serverUri:
                  cluster: eas
                  timeout: 2.25s
                  uri: http://eas:8080

EAS server docker-compose:

  eas:
    image: travisghansen/external-auth-server
    container_name: eas
    environment:
      - EAS_CONFIG_TOKEN_SIGN_SECRET="foo"
      - EAS_CONFIG_TOKEN_ENCRYPT_SECRET="bar"
      - EAS_ISSUER_SIGN_SECRET="super secret"
      - EAS_ISSUER_ENCRYPT_SECRET="blah"
      - EAS_COOKIE_SIGN_SECRET="hello world"
      - EAS_COOKIE_ENCRYPT_SECRET="something"
      - EAS_SESSION_ENCRYPT_SECRET="baz"
      - EAS_CONFIG_TOKEN_STORES="{}"
#      - EAS_LOG_LEVEL="info"
      - EAS_PORT=8080
    ports:
      - 8080:8080

generate-config-token.js:

const jwt = require("jsonwebtoken");
const utils = require("../src/utils");

const config_token_sign_secret =
  process.env.EAS_CONFIG_TOKEN_SIGN_SECRET ||
  utils.exit_failure("missing EAS_CONFIG_TOKEN_SIGN_SECRET env variable");
const config_token_encrypt_secret =
  process.env.EAS_CONFIG_TOKEN_ENCRYPT_SECRET ||
  utils.exit_failure("missing EAS_CONFIG_TOKEN_ENCRYPT_SECRET env variable");

let config_token = {
  /**
   * future feature: allow blocking certain token IDs
   */
  //jti: <some known value>

  /**
   * using the same aud for multiple tokens allows sso for all services sharing the aud
   */
  aud: "---deleted---", //should be unique to prevent cookie/session hijacking, defaults to a hash unique to the whole config
  eas: {
    // list of plugin definitions, refer to PLUGINS.md for details
    plugins: [
      {
        type: "oauth2",
        issuer: {
          authorization_endpoint: "---deleted---/v1/authorize",
          token_endpoint: "---deleted---/v1/token"
        },
        client: {
          client_id: "---deleted---",
          client_secret: "---deleted---"
        },
        scopes: ["user"],
        /**
         * static redirect URI
         * if your oauth provider does not support wildcards place the URL configured in the provider (that will return to this proper service) here
         */
        redirect_uri: "https://localhost:10443/oauth/callback",
        features: {
          /**
           * if false cookies will be 'session' cookies
           * if true and cookies expire will expire with tokens
           */
          cookie_expiry: false,

          userinfo_expiry: 86400, // 24 hours

          /**
           * sessions become a floating window *if* tokens are being refreshed or userinfo being refreshed
           */
          session_expiry: 604800, // 7 days

          /**
           * if session_expiry is a number and this is set then sessions become a 'floating window'
           * if activity is triggered in this amount of time *before* preceding the end of the
           * session then the expiration time is extended + session_expiry
           */
          session_expiry_refresh_window: 86400, // 24 hours

          /**
           * will re-use the same id (ie: same cookie) for a particular client if a session has expired
           */
          session_retain_id: true,

          /**
           * if the access token is expired and a refresh token is available, refresh
           */
          refresh_access_token: true,

          /**
           * fetch userinfo and include as X-Userinfo header to backing service
           */
          fetch_userinfo: true,

          userinfo: {
            provider: "github",
            config: {
              fetch_teams: true,
              fetch_organizations: true,
              fetch_emails: true
            }
          },

          /**
           * which token (if any) to send back to the proxy as the Authorization Bearer value
           * note the proxy must allow the token to be passed to the backend if desired
           *
           * possible values are access_token, or refresh_token
           */
          //authorization_token: "access_token"
        },
        assertions: {
          /**
           * assert the token(s) has not expired
           */
          exp: true
        },
        cookie: {
          name: "_eas_localhost_session_", //default is _oeas_oauth_session
          domain: "localhost_domain" //defaults to request domain, could do sso with more generic domain
          //path: "/",
        }
      }
    ]
  }
};

config_token = jwt.sign(config_token, config_token_sign_secret);
const config_token_encrypted = utils.encrypt(
  config_token_encrypt_secret,
  config_token
);

//console.log("token: %s", config_token);
//console.log("");

console.log("encrypted token (for server-side usage): %s", config_token_encrypted);
console.log("");

console.log(
  "URL safe config_token: %s",
  encodeURIComponent(config_token_encrypted)
);
console.log("");

Issue Analytics

  • State:closed
  • Created 2 years ago
  • Comments:13 (4 by maintainers)

Top GitHub Comments

1 reaction
travisghansen commented, Jul 16, 2021

Awesome! Glad it’s working. As an FYI I have a WIP to support the grpc interface with envoy instead of the http-style. I’ve been patiently waiting for a bug fix in node to come through but the outlook doesn’t appear good so I’ll just commit with the work-around I have in the next week or so.

1 reaction
nonefaken commented, Jul 16, 2021

Great software project by the way! Thank you!
