jwt_authn: fix a bug where empty iss field is handled incorrectly (#20279)

If "issuer" in the JwtProvider config is specified, it has to match the "iss" field in the JWT. But the current implementation has a bug where, if "iss" is empty, it is not checked.

Risk Level: Low, only impacts users with an empty "iss" JWT.
Testing: Unit-tested
Docs Changes: None
Release Notes: Yes

Signed-off-by: Wayne Zhang <qiwzhang@google.com>
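As an added illustration (not Envoy's own code), the issuer check before and after the fix the commit message describes, run over constructed unsigned tokens. The base64url decoder and the `"iss"` lookup are toy helpers of this example, and an absent `iss` claim is treated the same as an empty one, which is an assumption of the example.

```cpp
#include <optional>
#include <string>

enum class IssuerCheck { Skipped, Accepted, Rejected };

// Minimal unpadded base64url decoder, sufficient for the constructed tokens below.
std::string base64UrlDecode(const std::string& in) {
  static const std::string tbl =
      "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_";
  std::string out;
  unsigned val = 0; int bits = -8;
  for (char c : in) {
    size_t pos = tbl.find(c);
    if (pos == std::string::npos) break;  // stop at padding or junk
    val = (val << 6) | static_cast<unsigned>(pos);
    bits += 6;
    if (bits >= 0) { out.push_back(static_cast<char>((val >> bits) & 0xFF)); bits -= 8; }
  }
  return out;
}

// Extract the "iss" claim from a compact JWT (header.payload.signature). Toy JSON
// lookup: assumes the claim value has no escaped quotes. A missing claim yields "",
// the same as an empty claim (example assumption), which is the case the fix targets.
std::string jwtIssuer(const std::string& jwt) {
  size_t a = jwt.find('.');
  if (a == std::string::npos) return "";
  size_t b = jwt.find('.', a + 1);
  std::string json = base64UrlDecode(jwt.substr(a + 1, b == std::string::npos ? b : b - a - 1));
  const std::string key = "\"iss\":\"";
  size_t s = json.find(key);
  if (s == std::string::npos) return "";
  s += key.size();
  size_t e = json.find('"', s);
  return e == std::string::npos ? "" : json.substr(s, e - s);
}

// Pre-fix logic as the commit message describes it: an empty "iss" was never compared.
IssuerCheck checkIssuerBuggy(const std::optional<std::string>& issuer, const std::string& jwt) {
  if (!issuer) return IssuerCheck::Skipped;
  const std::string iss = jwtIssuer(jwt);
  if (iss.empty()) return IssuerCheck::Skipped;  // the bug: configured issuer bypassed
  return iss == *issuer ? IssuerCheck::Accepted : IssuerCheck::Rejected;
}

// Post-fix logic: a configured issuer must match, and an empty "iss" is a mismatch.
IssuerCheck checkIssuerFixed(const std::optional<std::string>& issuer, const std::string& jwt) {
  if (!issuer) return IssuerCheck::Skipped;
  return jwtIssuer(jwt) == *issuer ? IssuerCheck::Accepted : IssuerCheck::Rejected;
}
```

The tokens are `{"alg":"none"}` headers with constructed payloads `{"iss":"acme"}`, `{"iss":""}` and `{"sub":"x"}`, so the empty-issuer token is the one that passes the buggy check and fails the fixed one.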

Mirrored from https://github.com/envoyproxy/envoy @ 336fcf9b1105fcb2581a59811c0029f8899c63c2
pull/626/head
data-plane-api(Azure Pipelines) 3 years ago
parent 988fdd636b
commit 765f5cf773
      envoy/extensions/filters/http/jwt_authn/v3/config.proto

@ -61,10 +61,8 @@ message JwtProvider {
// Specify the `principal <https://tools.ietf.org/html/rfc7519#section-4.1.1>`_ that issued
// the JWT, usually a URL or an email address.
//
// It is optional. If specified, it has to match the *iss* field in JWT.
//
// If a JWT has *iss* field and this field is specified, they have to match, otherwise the
// JWT *iss* field is not checked.
// It is optional. If specified, it has to match the *iss* field in JWT,
// otherwise the JWT *iss* field is not checked.
//
// Note: *JwtRequirement* :ref:`allow_missing <envoy_v3_api_field_extensions.filters.http.jwt_authn.v3.JwtRequirement.allow_missing>`
// and :ref:`allow_missing_or_failed <envoy_v3_api_field_extensions.filters.http.jwt_authn.v3.JwtRequirement.allow_missing_or_failed>`
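Review bot: the replacement wording "If specified, it has to match the *iss* field in JWT, / otherwise the JWT *iss* field is not checked." is ambiguous, since "otherwise" can be read as "if they do not match" rather than "if this field is not specified", and it drops any statement of what happens to a JWT whose *iss* is absent or empty, which the commit message says is now rejected when this field is set. Suggest: "It is optional. If specified, the JWT *iss* field must match it, and a JWT with a missing or empty *iss* is rejected; if not specified, the JWT *iss* field is not checked."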
