envoyproxy/gateway

Support setting allow_missing_or_invalid jwt_authn requirement from SecurityPolicy

Open

#9.251 geöffnet am 19. Juni 2026

Auf GitHub ansehen
 (4 Kommentare) (0 Reaktionen) (0 zugewiesene Personen)Go (802 Forks)auto 404
help wantedkind/feature

Repository-Metriken

Stars
 (2.871 Stars)
PR-Merge-Metriken
 (PR-Metriken ausstehend)

Beschreibung

Description: When a SecurityPolicy applies JWT authentication, Envoy's jwt_authn filter rejects any request carrying a token it can't verify with a 401, even when another configured source supplies a valid JWT. This makes it impossible to accept a token from any of several sources when one of those sources holds a malformed token.

The specific scenario I am encountering this with is services that use a non-JWT access token in the Authorization: Bearer ... for their API. One solution is to extract the JWT from a different header, but this forces admins to reconfigure clients to use a non-canonical header - even when they dont need API access. Some clients (like Gatus) even have using Authorization: Bearer .. hardcoded.

Propose: Envoy's jwt_authn already supports this via the allow_missing_or_failed requirement, but Envoy Gateway never emits it: jwt.optional maps only to `allow_missing', which tolerates a missing token but still rejects a present but invalid one.

I would suggest a jwt.ignoreFailure flag (as opposed to jwt.allowMalformed suggested in #3081) on SecurityPolicy which maps directly to allow_missing_or_failed.

Let me know if you would like to see a MR for this.

Contributor Guide