envoyproxy/gateway

Support setting allow_missing_or_invalid jwt_authn requirement from SecurityPolicy

Open

#9,251 opened on 2026年6月19日

GitHub で見る
 (4 comments) (0 reactions) (0 assignees)Go (802 forks)auto 404
help wantedkind/feature

Repository metrics

Stars
 (2,871 stars)
PR merge metrics
 (PR metrics pending)

説明

Description: When a SecurityPolicy applies JWT authentication, Envoy's jwt_authn filter rejects any request carrying a token it can't verify with a 401, even when another configured source supplies a valid JWT. This makes it impossible to accept a token from any of several sources when one of those sources holds a malformed token.

The specific scenario I am encountering this with is services that use a non-JWT access token in the Authorization: Bearer ... for their API. One solution is to extract the JWT from a different header, but this forces admins to reconfigure clients to use a non-canonical header - even when they dont need API access. Some clients (like Gatus) even have using Authorization: Bearer .. hardcoded.

Propose: Envoy's jwt_authn already supports this via the allow_missing_or_failed requirement, but Envoy Gateway never emits it: jwt.optional maps only to `allow_missing', which tolerates a missing token but still rejects a present but invalid one.

I would suggest a jwt.ignoreFailure flag (as opposed to jwt.allowMalformed suggested in #3081) on SecurityPolicy which maps directly to allow_missing_or_failed.

Let me know if you would like to see a MR for this.

コントリビューターガイド