
Support array claims in jwt claim_to_headers #30072

Closed
zakhenry opened this issue Oct 10, 2023 · 5 comments
Labels
area/jwt_authn enhancement Feature requests. Not bugs or questions. stale stalebot believes this issue/PR has not been touched recently

Comments

@zakhenry

zakhenry commented Oct 10, 2023

Title: Support array claims in jwt claim_to_headers

Description:
Currently, envoy supports taking claims from an authenticated jwt, and converting them to headers that are passed to upstream services. This is a useful utility as it allows the jwt parsing & validation to be a concern of Envoy only, and upstream services can rely on the headers they receive as being validated.

However, there is a limitation cited in the documentation (and confirmed with testing):

The claim must be of type; string, int, double, bool. Array type claims are not supported

This feature request is to remove this limitation, and support array claims.

Use-case: it is quite common to put the jwt claim "scopes" as an array claim (e.g. https://developer.okta.com/docs/reference/api/oidc/#reserved-claims-in-the-header-section has claim scp as an array of strings)

Technical considerations
It would need to be worked out how exactly to handle array claim types. My suggestion would be to include the raw json value verbatim, and not care about the data type.

e.g. a jwt containing json field "scopes": ["foo", "bar"], with the following envoy config

claim_to_headers:
  - header_name: x-scopes
    claim_name: scopes

should be inserted as header value

x-scopes: ["foo", "bar"]

Relevant Links:

@zakhenry zakhenry added enhancement Feature requests. Not bugs or questions. triage Issue requires triage labels Oct 10, 2023
@kyessenov kyessenov added area/jwt_authn and removed triage Issue requires triage labels Oct 17, 2023
@kyessenov
Contributor

CC @TAOXUY

@roquie

roquie commented Oct 17, 2023

Also, please pass JSON objects as-is:

Sample Zitadel decoded JWT:

{
  "amr": [
    "password",
    "pwd"
  ],
  "at_hash": "oHvNQcVM0svcxnfdzhWtPw",
  "aud": [
    "234779636431659907@example",
    "234779030656656259"
  ],
  "auth_time": 1697540033,
  "azp": "234779636431659907@example",
  "c_hash": "KaatvFoUnrIwUdOvxo5cKg",
  "client_id": "234779636431659907@example",
  "email": "[email protected]",
  "email_verified": true,
  "exp": 1697584173,
  "family_name": "Test",
  "given_name": "Test",
  "iat": 1697540965,
  "iss": "https://example.com",
  "locale": "en",
  "name": "Test Test",
  "nickname": "roquie",
  "preferred_username": "roquie",
  "sub": "235783475548972655",
  "updated_at": 1697033904,
  "urn:zitadel:iam:org:project:roles": {
    "webmaster": {
      "234723879451425215": "example-dev.sso.dev.example.com"
    }
  }
}

Envoy config:

providers:
  provider_name:
    issuer: https://example.com
    claim_to_headers:
    - header_name: x-jwt-claim-sub
      claim_name: sub # works
    - header_name: x-jwt-claim-role
      claim_name: urn:zitadel:iam:org:project:roles.webmaster.234723879451425215 # works
    - header_name: x-jwt-claim-roles
      claim_name: urn:zitadel:iam:org:project:roles # does NOT work, but expected {"webmaster": {"234723879451425215":"example-dev.sso.dev.example.com"}}

Can you also help with that case?

@zakhenry
Author

Agreed, this original request was for an array claim of primitives, but probably the real request would be to pass these claims through verbatim as a json string if they aren't in the currently supported data types, rather than dropping the claim.
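The behaviour discussed in this thread (the original array request, the Zitadel object case, and the "pass it through verbatim as a JSON string" proposal), written out as an added Python model; this is illustrative code, not Envoy's implementation. It assumes the dot-separated nested lookup that the Zitadel config above relies on, and the rendering of primitives (`true`/`false` for booleans, `str()` otherwise) is an assumption made for the demo.

```python
import json
from typing import Any, Optional

# Claim types that claim_to_headers copies today, per the docs quoted in this issue.
PRIMITIVES = (str, int, float, bool)


def lookup_claim(claims: dict, claim_name: str) -> Any:
    """Resolve a claim name; a '.' walks into nested objects (assumed, as in the Zitadel config)."""
    node: Any = claims
    for part in claim_name.split("."):
        if not isinstance(node, dict) or part not in node:
            return None
        node = node[part]
    return node


def claim_to_header_value(value: Any, passthrough_json: bool) -> Optional[str]:
    """Render one claim value as a header value, or None if the claim is dropped."""
    if value is None:
        return None
    if isinstance(value, bool):  # bool is a subclass of int, so check it first
        return "true" if value else "false"
    if isinstance(value, PRIMITIVES):
        return str(value)
    if not passthrough_json:
        return None  # current behaviour: arrays and objects are silently dropped
    # Proposed behaviour: serialise the raw JSON value verbatim. json.dumps escapes
    # control characters (CR/LF become \r \n) and non-ASCII, so the result is a
    # single-line ASCII string, which is what a header value must be.
    return json.dumps(value)


def claims_to_headers(claims: dict, config: list, passthrough_json: bool = False) -> dict:
    headers = {}
    for rule in config:
        rendered = claim_to_header_value(lookup_claim(claims, rule["claim_name"]), passthrough_json)
        if rendered is not None:
            headers[rule["header_name"]] = rendered
    return headers


# Constructed sample modelled on the claims and config posted in this thread.
SAMPLE_CLAIMS = {
    "sub": "235783475548972655",
    "scopes": ["foo", "bar"],
    "urn:zitadel:iam:org:project:roles": {"webmaster": {"234723879451425215": "example-dev.sso.dev.example.com"}},
}
SAMPLE_CONFIG = [
    {"header_name": "x-jwt-claim-sub", "claim_name": "sub"},
    {"header_name": "x-scopes", "claim_name": "scopes"},
    {"header_name": "x-jwt-claim-role", "claim_name": "urn:zitadel:iam:org:project:roles.webmaster.234723879451425215"},
    {"header_name": "x-jwt-claim-roles", "claim_name": "urn:zitadel:iam:org:project:roles"},
]
```

Calling `claims_to_headers(SAMPLE_CLAIMS, SAMPLE_CONFIG)` yields only the two primitive headers; with `passthrough_json=True` the array and object claims are emitted as JSON strings too.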


This issue has been automatically marked as stale because it has not had activity in the last 30 days. It will be closed in the next 7 days unless it is tagged "help wanted" or "no stalebot" or other activity occurs. Thank you for your contributions.

@github-actions github-actions bot added the stale stalebot believes this issue/PR has not been touched recently label Nov 17, 2023

This issue has been automatically closed because it has not had activity in the last 37 days. If this issue is still valid, please ping a maintainer and ask them to label it as "help wanted" or "no stalebot". Thank you for your contributions.

@github-actions github-actions bot closed this as not planned Won't fix, can't repro, duplicate, stale Nov 24, 2023