jwt_authn: add clear routing and space-delimited claim support (API) (#30356)

API to address gaps with the downstream Istio filter to finish upstreaming. Issue: #29681 Signed-off-by: Kuat Yessenov <kuat@google.com> Mirrored from https://github.com/envoyproxy/envoy @ e9366f2b34be537b1b30ed17a4fd75b4715b5990
1 year ago · cdb43f6559
parent ea643c6f30
commit cdb43f6559
1 changed files with 28 additions and 2 deletions
--- a/envoy/extensions/filters/http/jwt_authn/v3/config.proto
+++ b/envoy/extensions/filters/http/jwt_authn/v3/config.proto
@ -53,11 +53,23 @@ option (udpa.annotations.file_status).package_version_status = ACTIVE;
 //       cache_duration:
 //         seconds: 300
 //
-// [#next-free-field: 17]
+// [#next-free-field: 19]
 message JwtProvider {
  option (udpa.annotations.versioning).previous_message_type =
      "envoy.config.filter.http.jwt_authn.v2alpha.JwtProvider";

+  // Alters the payload representation in the request dynamic metadata to facilitate its use in matching.
+  message NormalizePayload {
+    // Each claim in this list will be interpreted as a space-delimited string
+    // and converted to a list of strings based on the delimited values.
+    // Example: a token with a claim ``scopes: "email profile"`` is translated
+    // to dynamic metadata  ``scopes: ["email", "profile"]`` if this field is
+    // set value ``["scopes"]``. This special handling of ``scopes`` is
+    // recommended by `RFC8693
+    // <https://datatracker.ietf.org/doc/html/rfc8693#name-scope-scopes-claim>`_.
+    repeated string space_delimited_claims = 1;
+  }
+
  // Specify the `principal <https://tools.ietf.org/html/rfc7519#section-4.1.1>`_ that issued
  // the JWT, usually a URL or an email address.
  //
@ -230,6 +242,10 @@ message JwtProvider {
  //
  string payload_in_metadata = 9;

+  // [#not-implemented-hide:]
+  // Normalizes the payload representation in the request metadata.
+  NormalizePayload normalize_payload_in_metadata = 18;
+
  // If not empty, similar to :ref:`payload_in_metadata <envoy_v3_api_field_extensions.filters.http.jwt_authn.v3.JwtProvider.payload_in_metadata>`,
  // a successfully verified JWT header will be written to :ref:`Dynamic State <arch_overview_data_sharing_between_filters>`
  // as an entry (``protobuf::Struct``) in ``envoy.filters.http.jwt_authn`` ``namespace`` with the
@ -302,8 +318,18 @@ message JwtProvider {
  //     - name: x-jwt-claim-nested-claim
  //       claim: claim.nested.key
  //
-  // This header is only reserved for jwt claim; any other value will be overwrite.
+  // This header is only reserved for jwt claim; any other value will be overwritten.
  repeated JwtClaimToHeader claim_to_headers = 15;
+
+  // [#not-implemented-hide:]
+  // Clears route cache in order to allow JWT token to correctly affect
+  // routing decisions. Filter clears all cached routes when:
+  //
+  // 1. The field is set to ``true``.
+  //
+  // 2. At least one ``claim_to_headers`` header is added to the request.
+  //
+  bool clear_route_cache = 17;
 }

 // This message specifies JWT Cache configuration.