Workarounds for matrix/synapse 401 jwt_authn_access_denied from non-JWT Authorization header and 403 rbac_access_denied_matched_policy[none] from serve_server_wellknown #51094

tzakrajs started this conversation in Show and tell

Replies: 1 comment

I was running into this really annoying issue where Envoy must inspect every Authentication header for JWTs. Synapse, for some reason, uses Authentication: Bearer, but it isn't a valid JWT, so Envoy barfs. Here you can see the symptom from my istio ingressgateway logs:

You will need to create two EnvoyFilters. One in your istio-system namespace targeting the ingress gateway and a second in your workload namespace targeting the istio sidecar of your pod. The high-level implementation is this: when our ingress gateway receives a request for our matrix domain, copy the contents of the Authentication header to Authentication-not-jwt and delete the Authentication header. This will bypass JWT validation. Then, in the sidecar, we copy the contents of the Authentication-not-jwt header to Authentication and delete Authentication-not-jwt. This is valid for most recent versions of Istio/Envoy. Cheers!

Comment (0 replies):

So I thought everything was cool until I found that Synapse requests are being made for authority matrix.somedomain.com:443 instead of matrix.somedomain.com, which causes a fun 403. Here are the logs that helped me to troubleshoot:

I am pretty sure this is because I am using
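The two EnvoyFilters the post describes, written out as an added example (these are not the author's manifests; the post does not include them). Assumptions: the Synapse pod runs in a namespace called matrix with the label app: synapse, the carrier header is named x-authorization-not-jwt, the matrix host is matrix.somedomain.com as in the follow-up comment, and the header being hidden is the standard HTTP Authorization header named in the title. Each filter is a small Lua filter: on the gateway it is inserted immediately before envoy.filters.http.jwt_authn, in the sidecar immediately before envoy.filters.http.router. The gateway filter also compares the host with any port stripped, so the matrix.somedomain.com:443 authority from the follow-up comment is matched, and it drops any client-supplied carrier header first so that only the gateway can ever populate it.

```yaml
# Added example: two Istio EnvoyFilters implementing the header-rename
# workaround described in the post. Not the author's manifests; names,
# namespaces and labels are assumptions.
apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
  name: synapse-hide-bearer-from-jwt     # assumed name
  namespace: istio-system
spec:
  workloadSelector:
    labels:
      istio: ingressgateway
  configPatches:
  - applyTo: HTTP_FILTER
    match:
      context: GATEWAY
      listener:
        filterChain:
          filter:
            name: envoy.filters.network.http_connection_manager
            subFilter:
              name: envoy.filters.http.jwt_authn   # run right before JWT validation
    patch:
      operation: INSERT_BEFORE
      value:
        name: synapse.hide-authorization
        typed_config:
          "@type": type.googleapis.com/envoy.extensions.filters.http.lua.v3.Lua
          inlineCode: |
            function envoy_on_request(request_handle)
              local headers = request_handle:headers()
              -- Never trust a client-supplied carrier header: only this filter may set it.
              headers:remove("x-authorization-not-jwt")
              -- Compare the host without any port, so "matrix.somedomain.com:443"
              -- (the variant seen in the follow-up comment) is handled too.
              local authority = headers:get(":authority") or ""
              local host = authority:match("^([^:]+)") or authority
              if host == "matrix.somedomain.com" then            -- assumed matrix host
                local auth = headers:get("authorization")
                if auth ~= nil then
                  headers:add("x-authorization-not-jwt", auth)
                  headers:remove("authorization")   -- jwt_authn now sees no bearer token
                end
              end
            end
---
apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
  name: synapse-restore-bearer           # assumed name
  namespace: matrix                      # assumed workload namespace
spec:
  workloadSelector:
    labels:
      app: synapse                       # assumed pod label
  configPatches:
  - applyTo: HTTP_FILTER
    match:
      context: SIDECAR_INBOUND
      listener:
        filterChain:
          filter:
            name: envoy.filters.network.http_connection_manager
            subFilter:
              name: envoy.filters.http.router
    patch:
      operation: INSERT_BEFORE
      value:
        name: synapse.restore-authorization
        typed_config:
          "@type": type.googleapis.com/envoy.extensions.filters.http.lua.v3.Lua
          inlineCode: |
            function envoy_on_request(request_handle)
              local headers = request_handle:headers()
              -- Put the original Authorization header back before it reaches Synapse.
              local auth = headers:get("x-authorization-not-jwt")
              if auth ~= nil then
                headers:replace("authorization", auth)
                headers:remove("x-authorization-not-jwt")
              end
            end
```

After applying both manifests, confirm the ordering with `istioctl proxy-config listener <ingressgateway-pod> -n istio-system -o json` and check that the Lua filter appears before envoy.filters.http.jwt_authn in the HTTP filter chain; if it lands after it, the rename happens too late and the 401 persists. Keep in mind what this trades away: for the matrix host, Istio performs no token validation at all, so Synapse's own access-token check is the only authentication on that path, and the restore filter should only be reachable via the gateway (for example by restricting inbound traffic to the Synapse pod with an AuthorizationPolicy), otherwise any in-mesh caller can hand it an arbitrary Authorization value through the carrier header.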