Support setting allow_missing_or_invalid jwt_authn requirement from SecurityPolicy
#9,251 opened on 2026年6月19日
Repository metrics
- Stars
- (2,871 stars)
- PR merge metrics
- (PR metrics pending)
説明
Description: When a SecurityPolicy applies JWT authentication, Envoy's jwt_authn filter rejects any request carrying a token it can't verify with a 401, even when another configured source supplies a valid JWT. This makes it impossible to accept a token from any of several sources when one of those sources holds a malformed token.
The specific scenario I am encountering this with is services that use a non-JWT access token in the Authorization: Bearer ... for their API. One solution is to extract the JWT from a different header, but this forces admins to reconfigure clients to use a non-canonical header - even when they dont need API access. Some clients (like Gatus) even have using Authorization: Bearer .. hardcoded.
Propose:
Envoy's jwt_authn already supports this via the allow_missing_or_failed requirement, but Envoy Gateway never emits it: jwt.optional maps only to `allow_missing', which tolerates a missing token but still rejects a present but invalid one.
I would suggest a jwt.ignoreFailure flag (as opposed to jwt.allowMalformed suggested in #3081) on SecurityPolicy which maps directly to allow_missing_or_failed.
Let me know if you would like to see a MR for this.