envoyproxy/gateway

Support setting allow_missing_or_invalid jwt_authn requirement from SecurityPolicy

Open

#9251 aperta il 19 giu 2026

Vedi su GitHub
 (4 commenti) (0 reazioni) (0 assegnatari)Go (802 fork)auto 404
help wantedkind/feature

Metriche repository

Star
 (2871 star)
Metriche merge PR
 (Metriche PR in attesa)

Descrizione

Description: When a SecurityPolicy applies JWT authentication, Envoy's jwt_authn filter rejects any request carrying a token it can't verify with a 401, even when another configured source supplies a valid JWT. This makes it impossible to accept a token from any of several sources when one of those sources holds a malformed token.

The specific scenario I am encountering this with is services that use a non-JWT access token in the Authorization: Bearer ... for their API. One solution is to extract the JWT from a different header, but this forces admins to reconfigure clients to use a non-canonical header - even when they dont need API access. Some clients (like Gatus) even have using Authorization: Bearer .. hardcoded.

Propose: Envoy's jwt_authn already supports this via the allow_missing_or_failed requirement, but Envoy Gateway never emits it: jwt.optional maps only to `allow_missing', which tolerates a missing token but still rejects a present but invalid one.

I would suggest a jwt.ignoreFailure flag (as opposed to jwt.allowMalformed suggested in #3081) on SecurityPolicy which maps directly to allow_missing_or_failed.

Let me know if you would like to see a MR for this.

Guida contributor