jwt_authn: Add header_to_metadata (#18140)

This patch adds header_to_metadata field to JwtProvider config to allow setting the extracted header of a successfully verified JWT to dynamic metadata. Signed-off-by: Dhi Aurrahman <dio@rockybars.com> Mirrored from https://github.com/envoyproxy/envoy @ 25622ce26532ad42d93a383d48b6c86d9e28d3d2
3 years ago · 8479c4bff0
parent bbe9e507cd
commit 8479c4bff0
1 changed files with 41 additions and 1 deletions
--- a/envoy/extensions/filters/http/jwt_authn/v3/config.proto
+++ b/envoy/extensions/filters/http/jwt_authn/v3/config.proto
@ -52,7 +52,7 @@ option (udpa.annotations.file_status).package_version_status = ACTIVE;
 //       cache_duration:
 //         seconds: 300
 //
-// [#next-free-field: 14]
+// [#next-free-field: 15]
 message JwtProvider {
  option (udpa.annotations.versioning).previous_message_type =
      "envoy.config.filter.http.jwt_authn.v2alpha.JwtProvider";
@ -231,6 +231,46 @@ message JwtProvider {
  //
  string payload_in_metadata = 9;

+  // If not empty, similar to :ref:`payload_in_metadata <envoy_v3_api_field_extensions.filters.http.jwt_authn.v3.JwtProvider.payload_in_metadata>`,
+  // a successfully verified JWT header will be written to :ref:`Dynamic State <arch_overview_data_sharing_between_filters>`
+  // as an entry (``protobuf::Struct``) in **envoy.filters.http.jwt_authn** *namespace* with the
+  // value of this field as the key.
+  //
+  // For example, if ``header_in_metadata`` is *my_header*:
+  //
+  // .. code-block:: yaml
+  //
+  //   envoy.filters.http.jwt_authn:
+  //     my_header:
+  //       alg: JWT
+  //       kid: EF71iSaosbC5C4tC6Syq1Gm647M
+  //       alg: PS256
+  //
+  // When the metadata has **envoy.filters.http.jwt_authn** entry already (for example if
+  // :ref:`payload_in_metadata <envoy_v3_api_field_extensions.filters.http.jwt_authn.v3.JwtProvider.payload_in_metadata>`
+  // is not empty), it will be inserted as a new entry in the same *namespace* as shown below:
+  //
+  // .. code-block:: yaml
+  //
+  //   envoy.filters.http.jwt_authn:
+  //     my_payload:
+  //       iss: https://example.com
+  //       sub: test@example.com
+  //       aud: https://example.com
+  //       exp: 1501281058
+  //     my_header:
+  //       alg: JWT
+  //       kid: EF71iSaosbC5C4tC6Syq1Gm647M
+  //       alg: PS256
+  //
+  // .. warning::
+  //   Using the same key name for :ref:`header_in_metadata <envoy_v3_api_field_extensions.filters.http.jwt_authn.v3.JwtProvider.payload_in_metadata>`
+  //   and :ref:`payload_in_metadata <envoy_v3_api_field_extensions.filters.http.jwt_authn.v3.JwtProvider.payload_in_metadata>`
+  //   is not suggested due to potential override of existing entry, while it is not enforced during
+  //   config validation.
+  //
+  string header_in_metadata = 14;
+
  // Specify the clock skew in seconds when verifying JWT time constraint,
  // such as `exp`, and `nbf`. If not specified, default is 60 seconds.
  uint32 clock_skew_seconds = 10;