envoyproxy/envoy
View on GitHubJWT claim extraction without signature validation?
Open
#39,930 opened on Jun 17, 2025
area/jwt_authnenhancementhelp wanted
Repository metrics
- Stars
- (27,997 stars)
- PR merge metrics
- (Avg merge 8d) (378 merged PRs in 30d)
Description
Hi, I'm working on a rate limiting use case where I need to extract claims from JWTs and pass them as headers to upstream services, but I don't need (or want) signature validation.
My situation:
- Need to extract claims like
username,plan_name, etc. and forward as HTTP headers - Upstream service does not support JWKS at this time
- Currently using a Lua filter to parse JWT manually, but would prefer using the built-in JWT filter
Question:
Is there any way to configure the envoy.filters.http.jwt_authn filter to extract JWT claims to headers WITHOUT validating the signature?
I've tried setting up the JWT filter with empty JWKS and allow_missing_or_failed, but I get "Jwt header [alg] is not supported" errors.
Thanks!