envoyproxy/envoy

JWT claim extraction without signature validation?

Open

#39,930 建立於 2025年6月17日

在 GitHub 查看
 (13 留言) (0 反應) (1 負責人)C++ (5,373 fork)batch import
area/jwt_authnenhancementhelp wanted

倉庫指標

Star
 (27,997 star)
PR 合併指標
 (平均合併 8天) (30 天內合併 378 個 PR)

描述

Hi, I'm working on a rate limiting use case where I need to extract claims from JWTs and pass them as headers to upstream services, but I don't need (or want) signature validation.

My situation:

  • Need to extract claims like username, plan_name, etc. and forward as HTTP headers
  • Upstream service does not support JWKS at this time
  • Currently using a Lua filter to parse JWT manually, but would prefer using the built-in JWT filter

Question: Is there any way to configure the envoy.filters.http.jwt_authn filter to extract JWT claims to headers WITHOUT validating the signature?

I've tried setting up the JWT filter with empty JWKS and allow_missing_or_failed, but I get "Jwt header [alg] is not supported" errors.

Thanks!

貢獻者指南