Support setting allow_missing_or_invalid jwt_authn requirement from SecurityPolicy
#9.251 geöffnet am 19. Juni 2026
Repository-Metriken
- Stars
- (2.871 Stars)
- PR-Merge-Metriken
- (PR-Metriken ausstehend)
Beschreibung
Description: When a SecurityPolicy applies JWT authentication, Envoy's jwt_authn filter rejects any request carrying a token it can't verify with a 401, even when another configured source supplies a valid JWT. This makes it impossible to accept a token from any of several sources when one of those sources holds a malformed token.
The specific scenario I am encountering this with is services that use a non-JWT access token in the Authorization: Bearer ... for their API. One solution is to extract the JWT from a different header, but this forces admins to reconfigure clients to use a non-canonical header - even when they dont need API access. Some clients (like Gatus) even have using Authorization: Bearer .. hardcoded.
Propose:
Envoy's jwt_authn already supports this via the allow_missing_or_failed requirement, but Envoy Gateway never emits it: jwt.optional maps only to `allow_missing', which tolerates a missing token but still rejects a present but invalid one.
I would suggest a jwt.ignoreFailure flag (as opposed to jwt.allowMalformed suggested in #3081) on SecurityPolicy which maps directly to allow_missing_or_failed.
Let me know if you would like to see a MR for this.