Authorizer "remote" throws exception "invalid Read on closed Body" if request body is present in request #1136
Comments
I think that error is implying that your upstream echo server closed the body. Is there any chance you have some sort of NetworkPolicy in your cluster that's rejecting the connection between pods or something? Does the request work correctly if you remove the authoriser?
Hi Josh. No, the echo server (it is just a dummy example service for testing) could not read the body, as it was closed before.
Okay, yeah, I can confirm I get the same issue. It looks like it was introduced in v0.40.2 and is something to do with the tracing implementation. If these lines are commented out then it works correctly.
Do you think someone from Ory can fix that? I can assume the parts you said to comment out are also required in order to trace, so just disabling them is not an option?
Sorry, I only disabled the tracing lines to test if that was the issue; it's not a suitable fix. I spent some time yesterday trying to find the correct fix but couldn't. You'll likely need to wait for someone from Ory who knows the codebase better than me, unfortunately.
Anyone from Ory, could you please take a look here? This issue is a showstopper for the remote authorizer.
Up
I have looked into the root cause for Denys and here is a summary and fix:
I've tested the fix and run all unit tests with success.
…ad on closed Body" if request body is present in request
I did CIT for this, and it passed
UP
Any updates?
UP
UP, we would also like to have this fix please.
Sorry, I've not had time to wrap my head around what the actual problem was here. #1185 should resolve this.
Preflight checklist
Ory Network Project
No response
Describe the bug
I am using the authorizer "remote".
When sending a request with some JSON payload and the remote authorizer returns status code 200, it is expected that Oathkeeper will allow the request and forward it to the upstream service, while the actual result is that I am getting a 502 status code. In the Oathkeeper logs, I see the exception "invalid Read on closed Body".
The authorizer implementation that is used during this flow accepts a POST request with a body and returns status code 200 or 403 based on the body content.
The authorizer does not return any body in the response, just a status code.
Reproducing the bug
Expected result:
Considering that our dummy authorizer returned status code 200, Oathkeeper is expected to allow the request to the upstream service.
Actual result:
An exception occurs in Oathkeeper indicating "invalid Read on closed Body".
Relevant log output
Relevant configuration
Version
v0.40.6
On which operating system are you observing this issue?
None
In which environment are you deploying?
Kubernetes with Helm
Additional Context
My assumption is that once the original request body is piped into the read end of the pipe and used as the request body for the new HTTP POST request to the remote authorizer service, it cannot be sent to the upstream service even if the authorizer returns a 200 status code to allow the request. I am not a Go programmer, but I guess you need to modify the code to save a copy of the original request body before it is piped into the read end of the pipe and then send that saved copy to the target service if authorization succeeds.
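The buffering approach suggested in the issue description above, sketched as an added Go example; it is not Oathkeeper's code and not the fix from #1185. The names `authorizeThenForward`, `demo` and `maxBody`, the 1 MiB cap, and the two local test servers are assumptions made for illustration.

```go
package main

import (
	"bytes"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"strings"
)

const maxBody = 1 << 20 // assumed cap on how much body is buffered in memory

// authorizeThenForward reads the body once (bounded), posts one copy to the
// authorizer and, only on 200, posts the identical bytes to the upstream.
func authorizeThenForward(r *http.Request, authzURL, upstreamURL string) (int, string) {
	body, err := io.ReadAll(io.LimitReader(r.Body, maxBody+1))
	r.Body.Close()
	if err != nil || len(body) > maxBody {
		return http.StatusRequestEntityTooLarge, ""
	}
	ct := r.Header.Get("Content-Type")
	ares, err := http.Post(authzURL, ct, bytes.NewReader(body)) // fresh reader per use
	if err != nil {
		return http.StatusBadGateway, ""
	}
	ares.Body.Close()
	if ares.StatusCode != http.StatusOK {
		return http.StatusForbidden, "" // fail closed: anything but 200 is a deny
	}
	ures, err := http.Post(upstreamURL, ct, bytes.NewReader(body))
	if err != nil {
		return http.StatusBadGateway, ""
	}
	defer ures.Body.Close()
	out, _ := io.ReadAll(ures.Body)
	return ures.StatusCode, string(out)
}

// demo uses a constructed authorizer (200 only if body contains "allow") and echo upstream.
func demo(payload string) (int, string) {
	authz := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if b, _ := io.ReadAll(r.Body); !strings.Contains(string(b), "allow") {
			w.WriteHeader(http.StatusForbidden)
		}
	}))
	defer authz.Close()
	echo := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { io.Copy(w, r.Body) }))
	defer echo.Close()
	req := httptest.NewRequest("POST", "/", strings.NewReader(payload))
	req.Header.Set("Content-Type", "application/json")
	return authorizeThenForward(req, authz.URL, echo.URL)
}
func main() { fmt.Println(demo(`{"action":"allow"}`)) }
```

Because the upstream receives the same byte slice the authorizer evaluated, the forwarded payload cannot differ from the one the decision was made on, and the size cap keeps the buffering from becoming a memory-exhaustion vector.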