Issue with device identity

What happened?

I upgraded to the latest release 0.17.1 and was able to register a new device using a hardware token by visiting https:///.pomerium and going to register a new device. I can see the registered device, but it says that the current session has no registered device. Every time I register a new device, it says current session - no device credentials found.


Then, if I visit a page whose route is configured to use device identity, I go through the process of authenticating the device but never get redirected to the actual service:

ingress.pomerium.io/policy: '[{"allow":{"and":[{"domain":{"is":"<domain>"}},{"device":{"type":"any"}}]}}]'

I get this in logs:

{"level":"info","X-Forwarded-For":["10.240.0.4,127.0.0.6"],"X-Forwarded-Proto":["http"],"ip":"127.0.0.1","user_agent":"Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.4896.60 Safari/537.36","referer":"https://authenticate.pomerium.<domain>/.pomerium/webauthn?pomerium_device_type=any&pomerium_expiry=1649374618&pomerium_issued=1649374318&pomerium_redirect_uri=https%3A%2F%2Fcustomer.yaobank.pomerium.<domain>%2F&pomerium_signature=wYviOil6dM7lL7471fq1x3gF64LlQgrCFREaKc7ZX_s%3D","request-id":"7a28303d-63b9-4eba-8d89-f39a1b82aa22","error":"internal/urlutil: hmac failed","time":"2022-04-07T23:32:12Z","message":"authenticate: origin blocked"}
{"level":"info","service":"envoy","upstream-cluster":"pomerium-control-plane-http","method":"POST","authority":"pomerium-authenticate.pomerium.svc.cluster.local","path":"/.pomerium/webauthn","user-agent":"Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.4896.60 Safari/537.36","referer":"https://authenticate.pomerium.<domain>/.pomerium/webauthn","forwarded-for":"10.240.0.4,127.0.0.6","request-id":"7a28303d-63b9-4eba-8d89-f39a1b82aa22","duration":68.739798,"size":0,"response-code":302,"response-code-details":"via_upstream","time":"2022-04-07T23:32:13Z","message":"http-request"}
{"level":"info","service":"envoy","upstream-cluster":"pomerium-control-plane-http","method":"GET","authority":"pomerium-authenticate.pomerium.svc.cluster.local","path":"/.pomerium/webauthn","user-agent":"Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.4896.60 Safari/537.36","referer":"","forwarded-for":"10.240.0.4,127.0.0.6","request-id":"a9a6f144-f200-48e7-83ef-13dc40177e9a","duration":31.757867,"size":1106,"response-code":200,"response-code-details":"via_upstream","time":"2022-04-07T23:32:13Z","message":"http-request"}
{"level":"info","service":"envoy","upstream-cluster":"pomerium-control-plane-http","method":"GET","authority":"pomerium-authenticate.pomerium.svc.cluster.local","path":"/.pomerium/index.css","user-agent":"Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.4896.60 Safari/537.36","referer":"https://authenticate.pomerium.<domain>/.pomerium/webauthn","forwarded-for":"10.240.0.4,127.0.0.6","request-id":"11ea7744-b57b-4c1e-8a38-d009ffc81c2b","duration":8.14394,"size":0,"response-code":304,"response-code-details":"via_upstream","time":"2022-04-07T23:32:13Z","message":"http-request"}
{"level":"info","service":"envoy","upstream-cluster":"pomerium-control-plane-http","method":"GET","authority":"pomerium-authenticate.pomerium.svc.cluster.local","path":"/.pomerium/index.js","user-agent":"Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.4896.60 Safari/537.36","referer":"https://authenticate.pomerium.<domain>/.pomerium/webauthn","forwarded-for":"10.240.0.4,127.0.0.6","request-id":"61495c2d-6c02-44da-aef0-59bf268917fb","duration":7.698633,"size":0,"response-code":304,"response-code-details":"via_upstream","time":"2022-04-07T23:32:13Z","message":"http-request"}

Sorry, I’ve not seen this behavior before. Perhaps the hmac failed error is the reason. This can happen if one of the URLs in the configuration doesn’t match how the user is accessing the endpoint - often the result of additional load balancers sitting in front of pomerium. It can also happen if the shared key isn’t the same everywhere.

Can you provide more details about your configuration?
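A minimal Go model of the signed-URL check behind the "hmac failed" error, added here as an example for this thread (it is not Pomerium's own urlutil code, whose exact canonicalization differs). The MAC covers scheme, host, path and the timestamped query, so verifying with a different shared key, or after a load balancer has rewritten the host, fails as described above. The key, URL and timestamps are constructed values.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"errors"
	"net/url"
	"strconv"
)

var ErrHMACFailed = errors.New("urlutil: hmac failed")

// canonical is the signed string: scheme, host, path and every query
// parameter except the signature, so the host the browser used is covered.
func canonical(u *url.URL, q url.Values) string {
	q.Del("pomerium_signature")
	return u.Scheme + "://" + u.Host + u.Path + "?" + q.Encode()
}

// SignURL appends pomerium_issued/pomerium_expiry and an HMAC-SHA256 signature.
func SignURL(key []byte, u *url.URL, issued, expiry int64) *url.URL {
	q := u.Query()
	q.Set("pomerium_issued", strconv.FormatInt(issued, 10))
	q.Set("pomerium_expiry", strconv.FormatInt(expiry, 10))
	mac := hmac.New(sha256.New, key)
	mac.Write([]byte(canonical(u, q)))
	q.Set("pomerium_signature", base64.URLEncoding.EncodeToString(mac.Sum(nil)))
	signed := *u
	signed.RawQuery = q.Encode()
	return &signed
}

// VerifyURL recomputes the MAC over the URL exactly as received: a different
// key, or a host/scheme rewritten by a load balancer, yields ErrHMACFailed.
func VerifyURL(key []byte, u *url.URL, now int64) error {
	q := u.Query()
	if expiry, err := strconv.ParseInt(q.Get("pomerium_expiry"), 10, 64); err != nil || now > expiry {
		return errors.New("urlutil: signed url expired")
	}
	want, err := base64.URLEncoding.DecodeString(q.Get("pomerium_signature"))
	mac := hmac.New(sha256.New, key)
	mac.Write([]byte(canonical(u, q)))
	if err != nil || !hmac.Equal(want, mac.Sum(nil)) {
		return ErrHMACFailed
	}
	return nil
}
```

Comparing the authority Envoy logs (pomerium-authenticate.pomerium.svc.cluster.local) with the host in the signed referer URL is the quickest way to see which of the two causes the maintainer lists applies.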

I would understand if I initially registered from one device but then tried to connect from a different one. What I experience is that when I register a new device it succeeds but still says Current Session has no registered device id. And every time I try to register a new device or authenticate an existing device, they show up under Previous Sessions and nothing under Current Session. I believe this is the problem.

Hi @HighWatersDev - can you provide details about your configuration so we can help address your issue?

Here’s my pomerium config:

image:
  tag: v0.17.1
authenticate:
  deployment:
    podAnnotations:
      inject.istio.io/templates: sidecar,spire
  idp:
    provider: auth0
    url: https://<...>.auth0.com
    clientID: REDACTED
    clientSecret: REDACTED
    serviceAccount: REDACTED
  ingress:
    annotations:
      cert-manager.io/cluster-issuer: letsencrypt-prod
    tls:
      secretName: authenticate.pomerium-tls
authorize:
  deployment:
    podAnnotations:
      inject.istio.io/templates: sidecar,spire
proxy:
  cookie_secret: REDACTED
  deployment:
    podAnnotations:
      inject.istio.io/templates: sidecar,spire
      traffic.sidecar.istio.io/excludeInboundPorts: "80,443"
redis:
  enabled: true
  tls:
    enabled: false
  master:
    podAnnotations:
      inject.istio.io/templates: sidecar,spire
  replica:
    podAnnotations:
      inject.istio.io/templates: sidecar,spire
databroker:
  deployment:
    podAnnotations:
      inject.istio.io/templates: sidecar,spire
ingress:
  enabled: false

ingressController:
  enabled: true
  deployment:
    podAnnotations:
      inject.istio.io/templates: sidecar,spire

service:
  authorize:
    headless: false
  databroker:
    headless: false

config:
  sharedSecret: REDACTED
  rootDomain: pomerium.example.com
  generateTLS: false
  insecure: true

And here’s the service I’m trying to access:

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: hello-device-identity
  annotations:
    cert-manager.io/cluster-issuer: letsencrypt-prod
    ingress.pomerium.io/policy: '[{"allow":{"and":[{"domain":{"is":"example.com"}},{"device":{"type":"any"}}]}}]'
    ingress.pomerium.io/pass_identity_headers: "true"
spec:
  ingressClassName: pomerium
  rules:
  - host: hello-secret.pomerium.example.com
    http:
      paths:
      - backend:
          service:
            name: nginx-secret
            port:
              name: http
        path: /
        pathType: Prefix
  tls:
  - hosts:
    - hello-secret.pomerium.example.com
    secretName: hello-secret.pomerium-tls
---
apiVersion: security.istio.io/v1beta1
kind: RequestAuthentication
metadata:
  name: nginx-secret-require-pomerium-jwt
spec:
  selector:
    matchLabels:
      app.kubernetes.io/name: nginx
  jwtRules:
  - issuer: "authenticate.pomerium.example.com"
    audiences:
      - hello-secret.pomerium.example.com
    fromHeaders:
      - name: "X-Pomerium-Jwt-Assertion"
    jwksUri: https://authenticate.pomerium.example.com/.well-known/pomerium/jwks.json
---
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: nginx-secret-require-pomerium-jwt
spec:
  selector:
    matchLabels:
      app.kubernetes.io/name: nginx-secret
  action: ALLOW
  rules:
  - when:
    - key: request.auth.claims[aud]
      values: ["hello-secret.pomerium.example.com"]
---

All other services (that do not use device identity) work as expected

Hi @HighWatersDev ,

We recently discovered a bug which may be leading to this issue: authorize: pass idp id for webauthn url, allow unauthenticated access to static files by calebdoxsey · Pull Request #3282 · pomerium/pomerium · GitHub. Though I don’t believe the changes that would lead to the problem were in 0.17, so maybe it’s unrelated.

I’ve never tried to use device authentication with Istio (I’ve never tried to use Pomerium with Istio at all). This will require further investigation so that we can attempt to reproduce.

I just tried it by upgrading the image to v0.17.2, but I’m still facing the same behavior.