jwt_authn: Allow to extract keys from jwt struct claims #30377
Conversation
|
CC @envoyproxy/api-shepherds: Your approval is needed for changes made to |
Reflejo
force-pushed
the
fz/jwt_list_keys
branch
from
4b19ea1 to
4995f39
Compare
Added a new field `list_claim_keys` on
:ref:`claim_to_headers <envoy_v3_api_field_extensions.filters.http.jwt_authn.v3.JwtProvider.claim_to_headers>`
to extract keys from JWT token claims. This field enables the retrieval of keys
from custom JWT token claims, such as `{"tenants": {"bitdrift": {}}` (in this
case a claim_name of `tenants would extract the key "bitdrift").
Signed-off-by: Martin Conte Mac Donell <[email protected]>
Reflejo
force-pushed
the
fz/jwt_list_keys
branch
from
4995f39 to
6f34676
Compare
Signed-off-by: Martin Conte Mac Donell <[email protected]>
Reflejo
force-pushed
the
fz/jwt_list_keys
branch
from
ef00b91 to
805e94c
Compare
Signed-off-by: Martin Conte Mac Donell <[email protected]>
Reflejo
changed the title
|
CC @kyessenov |
There was a problem hiding this comment.
At a high level this seems like a useful feature, however I'm wondering if it would be more future proof to have an option to pack the entire struct into the header, vs. being specific about a list.
For example, you could take the struct and base64 encode the JSON. Or pack it in a proto stuct and base64 that.
Thoughts @lizan @kyessenov ?
|
@Reflejo can you elaborate your exact use case for this? I would like the API to be more generic / future proof and not specific about a list. But would like to know where this implementation is coming from. /wait:any |
|
@lizan The use-case is many authentication providers nowadays send custom claims on JWT tokens that are formatted as per my example: Basically they do this as a way of sending lists. Our specific use-case is, we need to extract the tenants from the jwt and forward them to the service as a header. I wouldn't mind changing my PR to define a |
|
Unless there's a common RFC that requires this encoding, I think I mostly agree with Matt's proposal - either encoding the whole JWT sub-struct as a header, or a separate extension that computes the header from dynamic metadata would be better. |
Reflejo
force-pushed
the
fz/jwt_list_keys
branch
from
c281aa7 to
7dd9b48
Compare
Signed-off-by: Martin Conte Mac Donell <[email protected]>
Reflejo
force-pushed
the
fz/jwt_list_keys
branch
from
7dd9b48 to
30a66fd
Compare
|
@kyessenov @lizan @mattklein123 updated the PR implementing the proposed solution (serializing objects). The reason I added the flag |
|
The last change looks good to me. I'm not sure it deserves an API flag since it's a new feature with a reasonable default (don't expect this header to blow up since it's always a subset of JWT). |
|
Related: #30072 |
I had mentioned to @Reflejo offline that I could probably lose the API change as well, but I don't feel strongly either way. This is certainly safer. I suppose if we wanted to limit the API change we could runtime guard instead. I'm fine either way. This LGTM. @lizan? |
Signed-off-by: Martin Conte Mac Donell <[email protected]>
|
ok removed the flag, this should be ready to go |
Commit Message: Allow to extract object from jwt struct claims
Additional Description:
Serialize non-primitive custom claim objects from JWT tokens. The JWT filter will now serialize these claim as JSON and encode it to Base64.
Risk Level: Low
Testing: unit test
Docs Changes: Updated
docs/root/configuration/http/http_filters/jwt_authn_filter.rstRelease Notes: Updated
changelogs/current.yaml