jwt_authn: Add config/functionality to strip failure response details (#34618)

JWT Authentication filter returns a 401 response with the details of failure back to client. It also sets the WWWAuthenticate header with "invalid token". Addition of this config would allow stripping these response details and return a 401 which would help with limiting unintended data leakage. Risk Level: Low Testing: Integration & Manual testing Docs Changes: Done Release Notes: Done Fixes #34474 Signed-off-by: Arul Thileeban Sagayam <arul.thilee@gmail.com> Mirrored from https://github.com/envoyproxy/envoy @ 9df04137f02e1da97528bb739df462aaab983697
5 months ago · cbbec7dbab
parent caf2e54454
commit cbbec7dbab
1 changed files with 6 additions and 1 deletions
--- a/envoy/extensions/filters/http/jwt_authn/v3/config.proto
+++ b/envoy/extensions/filters/http/jwt_authn/v3/config.proto
@ -729,7 +729,7 @@ message FilterStateRule {
 //              - provider_name: provider1
 //              - provider_name: provider2
 //
-// [#next-free-field: 6]
+// [#next-free-field: 7]
 message JwtAuthentication {
  option (udpa.annotations.versioning).previous_message_type =
      "envoy.config.filter.http.jwt_authn.v2alpha.JwtAuthentication";
@ -802,6 +802,11 @@ message JwtAuthentication {
  // :ref:`requirement_name <envoy_v3_api_field_extensions.filters.http.jwt_authn.v3.PerRouteConfig.requirement_name>`
  // in ``PerRouteConfig`` uses this map to specify a JwtRequirement.
  map<string, JwtRequirement> requirement_map = 5;
+
+  // A request failing the verification process will receive a 401 downstream with the failure response details
+  // in the body along with WWWAuthenticate header value set with "invalid token". If this value is set to true,
+  // the response details will be stripped and only a 401 response code will be returned. Default value is false
+  bool strip_failure_response = 6;
 }

 // Specify per-route config.