Add support to extract from different identifier on JWT under Security Policy #2186

Closed
ardikabs opened this issue Nov 14, 2023 · 3 comments · Fixed by #2206
Labels
area/api API-related issues area/policy help wanted Extra attention is needed kind/enhancement New feature or request

Comments

@ardikabs
Contributor

ardikabs commented Nov 14, 2023

Description:
Follow up from #1930.

Currently, JWT only enables the default behavior of extracting the JWT identifier from an HTTP request, which uses the Authorization header in Bearer format as well as the access_token query param.
Thus, in my current use case, the requirement states that the JWT needs to be extracted from the Cookie, but because EG does not support this, I have to modify it using the Envoy Gateway Extension service. Hence, it would be much better if EG could support this behavior directly.

Proposal:

Add support to extract the JWT identifier from available options such as from_cookies, from_headers, and/or from_params, while keeping the default behavior if there are no extractors included in the API.

We could introduce new fields for these additional extractors, like below:

apiVersion: gateway.envoyproxy.io/v1alpha1
kind: SecurityPolicy
metadata:
  name: jwt-example
spec:
  targetRef:
    group: gateway.networking.k8s.io
    kind: HTTPRoute
    name: foo
  jwt:
    providers:
      - name: example
        remoteJWKS:
          uri: https://raw.githubusercontent.com/envoyproxy/gateway/main/examples/kubernetes/jwt/jwks.json
        fromCookies:
          - session_access_token
        fromParams:
          - access_token
        fromHeaders:
          - name: x-access-token
            valuePrefix: ""

[optional Relevant Links:]

@ardikabs ardikabs added the kind/enhancement New feature or request label Nov 14, 2023
@arkodg arkodg added help wanted Extra attention is needed area/policy area/api API-related issues labels Nov 14, 2023
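
The lookup semantics the proposal describes, as an added Go sketch (not code from this issue, from #2206, or from Envoy Gateway): configured extractors replace the default, and the default (Authorization Bearer header, then access_token query param) applies only when none are set. The type and function names and the header, cookie, param search order are assumptions of this sketch.

```go
package main

import (
	"fmt"
	"net/http"
	"strings"
)

// Header mirrors one proposed fromHeaders entry (hypothetical type).
type Header struct{ Name, ValuePrefix string }

// Extractors mirrors the proposed fromHeaders/fromCookies/fromParams fields.
type Extractors struct {
	Headers []Header
	Cookies []string
	Params  []string
}

// ExtractJWT returns the first token found and where it was found.
// Assumption: locations are searched headers, then cookies, then params.
// With no extractors set, it uses the default behavior named in the issue.
func ExtractJWT(r *http.Request, e Extractors) (token, source string, ok bool) {
	if len(e.Headers)+len(e.Cookies)+len(e.Params) == 0 {
		e = Extractors{Headers: []Header{{"Authorization", "Bearer "}}, Params: []string{"access_token"}}
	}
	for _, h := range e.Headers {
		v := r.Header.Get(h.Name)
		// Require the configured prefix and a non-empty remainder.
		if strings.HasPrefix(v, h.ValuePrefix) && len(v) > len(h.ValuePrefix) {
			return strings.TrimPrefix(v, h.ValuePrefix), "header:" + h.Name, true
		}
	}
	for _, name := range e.Cookies {
		if c, err := r.Cookie(name); err == nil && c.Value != "" {
			return c.Value, "cookie:" + name, true
		}
	}
	for _, name := range e.Params {
		if v := r.URL.Query().Get(name); v != "" {
			return v, "param:" + name, true
		}
	}
	return "", "", false
}

func main() {
	// Constructed request and token value, for illustration only.
	r, _ := http.NewRequest("GET", "http://example.test/foo", nil)
	r.AddCookie(&http.Cookie{Name: "session_access_token", Value: "constructed.jwt.value"})
	fmt.Println(ExtractJWT(r, Extractors{Cookies: []string{"session_access_token"}}))
}
```

In this sketch, a provider configured with only fromCookies ignores a token sent in the Authorization header, so explicit extractors narrow where a credential is accepted from rather than widening it.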
@ardikabs
Contributor Author

/assign

@ardikabs ardikabs changed the title Add support to parse from different identifier on JWT under Security Policy Add support to extract from different identifier on JWT under Security Policy Nov 18, 2023
@ardikabs
Contributor Author

Hi @arkodg, regarding #2206 (comment), apparently I now have a use case to support multiple extractors from headers (Authorization) or cookies. Can I work on that and refer to this issue?

@arkodg
Contributor

arkodg commented Jan 10, 2024

sure go for it @ardikabs can you create a sub issue for it, will be easier to track, thanks
