Allow configuring JWT filter fetch behavior and failed refetch duration
#6 525 ouverte le 15 juil. 2025
Métriques du dépôt
- Stars
- (2 871 stars)
- Métriques de merge PR
- (Métriques PR en attente)
Description
Description:
Currently, Envoy Gateway hardcodes the use of async_fetch when generating the JWT HTTP filter XDS configuration code link. Additionally, it does not provide a mechanism to configure the failed_refetch_duration field in the JWT filter.
As a result, when the JWKS server becomes temporarily unavailable, Envoy starts retrying indefinitely without any backoff or configurable delay, which can overwhelm the Identity Provider (IdP) infrastructure. The retry policy configuration has no effect on the remote_jwks when async_fetch mode enabled: envoyproxy/envoy#40025.
Request
Envoy Gateway's SecurityPolicy or equivalent configuration should support:
- An option to opt-out of
async_fetchand fall back tosync_fetch. - A way to configure
failed_refetch_durationto control the retry behavior when JWKS fetches fail.
This would provide users better resilience and control over how Envoy handles temporarily unreachable JWKS endpoints, especially in production environments where repeated retries can have cascading effects on upstream systems.