Skip to content

Commit

Permalink
api: useForRouting field in JWT
Browse files Browse the repository at this point in the history
Add a field called `useForRouting` that signals to Envoy Gateway
that the headers generated from the claims are used to make routing
decisions

Internally this field will be used to
* insert a catch-all route with a 404 direct response
identical to envoyproxy#2586 which
makes sure the jwt filter with `claimToHeader` is applied before
recomputing routing decision
* enable `clear_route_cache` to recompute routing decision
https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/filters/http/jwt_authn/v3/config.proto#extensions-filters-http-jwt-authn-v3-jwtprovider

Relates to envoyproxy#2452

Signed-off-by: Arko Dasgupta <[email protected]>
  • Loading branch information
arkodg committed Feb 23, 2024
1 parent fc7d6bc commit 05eaef6
Show file tree
Hide file tree
Showing 3 changed files with 13 additions and 1 deletion.
4 changes: 4 additions & 0 deletions api/v1alpha1/jwt_types.go
Original file line number Diff line number Diff line change
Expand Up @@ -85,6 +85,10 @@ type ClaimToHeader struct {
// (eg. "claim.nested.key", "sub"). The nested claim name must use dot "."
// to separate the JSON name path.
Claim string `json:"claim"`

// UseForRouting must be enabled if this header generated from the claim should be used for
// route matching decisions
UseForRouting *bool `json:"useForRouting,omitempty"`
}

// JWTExtractor defines a custom JWT token extraction from HTTP request.
Expand Down
9 changes: 8 additions & 1 deletion api/v1alpha1/zz_generated.deepcopy.go

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

1 change: 1 addition & 0 deletions site/content/en/latest/api/extension_types.md
Original file line number Diff line number Diff line change
Expand Up @@ -245,6 +245,7 @@ _Appears in:_
| --- | --- | --- | --- |
| `header` | _string_ | true | Header defines the name of the HTTP request header that the JWT Claim will be saved into. |
| `claim` | _string_ | true | Claim is the JWT Claim that should be saved into the header : it can be a nested claim of type (eg. "claim.nested.key", "sub"). The nested claim name must use dot "." to separate the JSON name path. |
| `useForRouting` | _boolean_ | true | UseForRouting must be enabled if this header generated from the claim should be used for route matching decisions |


#### ClientIPDetectionSettings
Expand Down

0 comments on commit 05eaef6

Please sign in to comment.