jwt_authn: Add config/functionality to strip failure response details (#34618)

The JWT Authentication filter returns a 401 response with the details of the failure back to the client. It also sets the WWWAuthenticate header with "invalid token". The addition of this config would allow stripping these response details and returning a 401, which would help with limiting unintended data leakage.

Risk Level: Low
Testing: Integration & Manual testing
Docs Changes: Done
Release Notes: Done
Fixes #34474

Signed-off-by: Arul Thileeban Sagayam <arul.thilee@gmail.com>

Mirrored from https://github.com/envoyproxy/envoy @ 9df04137f02e1da97528bb739df462aaab983697
main
update-envoy[bot] 5 months ago
parent caf2e54454
commit cbbec7dbab
  1. 7
      envoy/extensions/filters/http/jwt_authn/v3/config.proto

@ -729,7 +729,7 @@ message FilterStateRule {
// - provider_name: provider1 // - provider_name: provider1
// - provider_name: provider2 // - provider_name: provider2
// //
// [#next-free-field: 6] // [#next-free-field: 7]
message JwtAuthentication { message JwtAuthentication {
option (udpa.annotations.versioning).previous_message_type = option (udpa.annotations.versioning).previous_message_type =
"envoy.config.filter.http.jwt_authn.v2alpha.JwtAuthentication"; "envoy.config.filter.http.jwt_authn.v2alpha.JwtAuthentication";
@ -802,6 +802,11 @@ message JwtAuthentication {
// :ref:`requirement_name <envoy_v3_api_field_extensions.filters.http.jwt_authn.v3.PerRouteConfig.requirement_name>` // :ref:`requirement_name <envoy_v3_api_field_extensions.filters.http.jwt_authn.v3.PerRouteConfig.requirement_name>`
// in ``PerRouteConfig`` uses this map to specify a JwtRequirement. // in ``PerRouteConfig`` uses this map to specify a JwtRequirement.
map<string, JwtRequirement> requirement_map = 5; map<string, JwtRequirement> requirement_map = 5;
// A request failing the verification process will receive a 401 downstream with the failure response details
// in the body along with WWWAuthenticate header value set with "invalid token". If this value is set to true,
// the response details will be stripped and only a 401 response code will be returned. Default value is false
bool strip_failure_response = 6;
} }
// Specify per-route config. // Specify per-route config.
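
Review bot: The doc comment on `strip_failure_response` (field 6) does not say what happens to the header when the flag is true. It states that the response details are stripped and "only a 401 response code will be returned", but not whether the `WWW-Authenticate` header is omitted entirely or still sent without the "invalid token" value. Operators enabling this to limit leakage need to know exactly what remains in the response, so please state it explicitly. Smaller points on the same comment: the header name is written "WWWAuthenticate" where the HTTP header is `WWW-Authenticate`, the last sentence "Default value is false" is missing its period, and the comment would read better if it opened with what the field does before describing the default behaviour.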
