From 765f5cf77357e247f192ccb7bffec20764be8f30 Mon Sep 17 00:00:00 2001
From: "data-plane-api(Azure Pipelines)"
Date: Wed, 16 Mar 2022 06:39:51 +0000
Subject: [PATCH] jwt_authn: fix a bug where empty iss field is handled incorrectly (#20279)
If "issuer" in the JwtProvider config is specified, it has to match "iss" field in the JWT. But current implementation has a bug where if "iss" is empty, it is not checked.
Risk Level: Low, only impact users with empty "iss" JWT.
Testing: Unit-tested
Docs Changes: None
Release Notes: Yes
Signed-off-by: Wayne Zhang
Mirrored from https://github.com/envoyproxy/envoy @ 336fcf9b1105fcb2581a59811c0029f8899c63c2
---
 envoy/extensions/filters/http/jwt_authn/v3/config.proto | 6 ++----
 1 file changed, 2 insertions(+), 4 deletions(-)
diff --git a/envoy/extensions/filters/http/jwt_authn/v3/config.proto b/envoy/extensions/filters/http/jwt_authn/v3/config.proto
index 65ddd88e..7b535d26 100644
--- a/envoy/extensions/filters/http/jwt_authn/v3/config.proto
+++ b/envoy/extensions/filters/http/jwt_authn/v3/config.proto
@@ -61,10 +61,8 @@ message JwtProvider {
 // Specify the `principal `_ that issued
 // the JWT, usually a URL or an email address.
 //
- // It is optional. If specified, it has to match the *iss* field in JWT.
- //
- // If a JWT has *iss* field and this field is specified, they have to match, otherwise the
- // JWT *iss* field is not checked.
+ // It is optional. If specified, it has to match the *iss* field in JWT,
+ // otherwise the JWT *iss* field is not checked.
 //
 // Note: *JwtRequirement* :ref:`allow_missing `
 // and :ref:`allow_missing_or_failed `
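Review bot: The rewritten `issuer` comment is ambiguous on a security-relevant point: "otherwise" directly follows "it has to match", so it can be read as "if it does not match, *iss* is not checked" rather than "if `issuer` is not specified". Stating the two cases separately would remove the ambiguity, e.g. `// It is optional. If specified, it has to match the *iss* field in JWT; a JWT with an empty *iss* does not match.` followed by `// If not specified, the JWT *iss* field is not checked.` The empty-*iss* behaviour is taken from the commit description, not from code in this hunk, so confirm it against the filter implementation before adopting that wording. The comment block and the JwtProvider message both continue outside the hunk.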