area/jwt_authnenhancementhelp wanted
Métricas do repositório
- Stars
- (27.997 stars)
- Métricas de merge de PR
- (Mesclagem média 8d) (378 fundiu PRs em 30d)
Description
Support OIDC Discovery in jwt_authn filter: The jwt_authn filter should detect if the OIDC IDP supports discovery, and if so, automatically fetch the verification JWKs without configuration
Description: OpenID Connect Discovery allows the relying party (Envoy, in this case) to automatically fetch the JWKs needed to verify a JWT given nothing more than the issuer URL. This is supported by most(?) OIDC IDPs, including Google and Kubernetes clusters.
The way it works is:
- The issuer sets the
issclaim to a publicly-fetchable URL in all the JWTs it issues. For example, for Google-issued JWTs, this ishttps://accounts.google.com. - The relying party checks that the
issclaim is a value that it expects. - The relying party appends
/.well-known/openid-configurationto the URL in theissclaim. - The relying party fetches the discovery document using a GET request.
- The relying party reads the
jwks_urifield from the returned JSON document. - The relying party fetches the JWKs using another GET request.
- This process repeats whenever the relying party wants to expire its cached verification JWKs, or when it encounters a token with a known
issclaim, but an unrecognizedkid(key id) header claim.
Ideally, this would drop the necessary configuration down to something like:
http_filters:
- name: envoy.filters.http.jwt_authn
typed_config:
"@type": type.googleapis.com/envoy.extensions.filters.http.jwt_authn.v3.JwtAuthentication
providers:
google_provider:
issuer: https://accounts.google.com
remote_jwks:
discovery_cluster: oidc-discovery-cluster # Cluster with settings for making the discovery requests.
cache_duration: 3600s
audiences:
- "my-audience"
claim_to_headers:
- claim_name: sub
header_name: x-google-subject
rules:
- match: { prefix: "/" }
requires:
provider_name: google_provider
Relevant Links: