Jwt authn extention failure status (#24722)

* Introduce a new field, "failed_status_to_metadata" inside the JwtProvider for getting the JWT authentication failure inside the metadata. Signed-off-by: danield <danield@radware.com> Mirrored from https://github.com/envoyproxy/envoy @ 6be3c6edd98c113f0fd8d55f8928c5136a79b844
2 years ago · f93a4a6aef
parent cd65f0ee78
commit f93a4a6aef
1 changed files with 16 additions and 1 deletions
--- a/envoy/extensions/filters/http/jwt_authn/v3/config.proto
+++ b/envoy/extensions/filters/http/jwt_authn/v3/config.proto
@ -53,7 +53,7 @@ option (udpa.annotations.file_status).package_version_status = ACTIVE;
 //       cache_duration:
 //         seconds: 300
 //
-// [#next-free-field: 16]
+// [#next-free-field: 17]
 message JwtProvider {
  option (udpa.annotations.versioning).previous_message_type =
      "envoy.config.filter.http.jwt_authn.v2alpha.JwtProvider";
@ -270,6 +270,21 @@ message JwtProvider {
  //
  string header_in_metadata = 14;

+  // If non empty, the failure status `::google::jwt_verify::Status` for a non verified JWT will be written to StreamInfo DynamicMetadata
+  // in the format as: ``namespace`` is the jwt_authn filter name as ````envoy.filters.http.jwt_authn````
+  // The value is the ``protobuf::Struct``. The values of this field will be ``code`` and ``message``
+  // and they will contain the JWT authentication failure status code and a message describing the failure.
+  //
+  // For example, if failed_status_in_metadata is ``my_auth_failure_status``:
+  //
+  // .. code-block:: yaml
+  //
+  //   envoy.filters.http.jwt_authn:
+  //     my_auth_failure_status:
+  //       code: 3
+  //       message: Jwt expired
+  string failed_status_in_metadata = 16;
+
  // Specify the clock skew in seconds when verifying JWT time constraint,
  // such as ``exp``, and ``nbf``. If not specified, default is 60 seconds.
  uint32 clock_skew_seconds = 10;