From f93a4a6aef440d647d62e4f19b0b003c84f25075 Mon Sep 17 00:00:00 2001
From: "data-plane-api(Azure Pipelines)"
Date: Wed, 15 Feb 2023 13:44:00 +0000
Subject: [PATCH] Jwt authn extention failure status (#24722)

* Introduce a new field, "failed_status_to_metadata" inside the JwtProvider for getting the JWT authentication failure inside the metadata.

Signed-off-by: danield

Mirrored from https://github.com/envoyproxy/envoy @ 6be3c6edd98c113f0fd8d55f8928c5136a79b844
---
 .../filters/http/jwt_authn/v3/config.proto | 17 ++++++++++++++++-
 1 file changed, 16 insertions(+), 1 deletion(-)

diff --git a/envoy/extensions/filters/http/jwt_authn/v3/config.proto b/envoy/extensions/filters/http/jwt_authn/v3/config.proto
index a4100361..11e6af45 100644
--- a/envoy/extensions/filters/http/jwt_authn/v3/config.proto
+++ b/envoy/extensions/filters/http/jwt_authn/v3/config.proto
@@ -53,7 +53,7 @@ option (udpa.annotations.file_status).package_version_status = ACTIVE;
 // cache_duration:
 // seconds: 300
 //
-// [#next-free-field: 16]
+// [#next-free-field: 17]
 message JwtProvider {
 option (udpa.annotations.versioning).previous_message_type =
 "envoy.config.filter.http.jwt_authn.v2alpha.JwtProvider";
@@ -270,6 +270,21 @@ message JwtProvider {
 //
 string header_in_metadata = 14;
 
+ // If non empty, the failure status `::google::jwt_verify::Status` for a non verified JWT will be written to StreamInfo DynamicMetadata
+ // in the format as: ``namespace`` is the jwt_authn filter name as ````envoy.filters.http.jwt_authn````
+ // The value is the ``protobuf::Struct``. The values of this field will be ``code`` and ``message``
+ // and they will contain the JWT authentication failure status code and a message describing the failure.
+ //
+ // For example, if failed_status_in_metadata is ``my_auth_failure_status``:
+ //
+ // .. code-block:: yaml
+ //
+ // envoy.filters.http.jwt_authn:
+ // my_auth_failure_status:
+ // code: 3
+ // message: Jwt expired
+ string failed_status_in_metadata = 16;
+
 // Specify the clock skew in seconds when verifying JWT time constraint,
 // such as ``exp``, and ``nbf``. If not specified, default is 60 seconds.
 uint32 clock_skew_seconds = 10;
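Review bot: The comment on the added `failed_status_in_metadata` field never states that the field's value becomes the key under the `envoy.filters.http.jwt_authn` namespace (only the yaml example implies it), and the second comment line wraps the namespace in four backticks, which is not valid RST inline-literal markup and will render with stray backticks. I would replace the first two comment lines with `// If non-empty, the failure status of a JWT that fails verification is written to StreamInfo dynamic metadata under the namespace envoy.filters.http.jwt_authn, keyed by this field's value.` and state that `code` is the integer value of the `::google::jwt_verify::Status` enum, which is what the example's `code: 3` shows. Because `message` carries a description of why the token was rejected, the comment should say so explicitly so that operators who export dynamic metadata (for example into access logs) know what this key exposes. The commit message refers to the field as `failed_status_to_metadata`, whereas the hunk adds `failed_status_in_metadata`; the two should agree. `message JwtProvider` begins before this hunk and continues after it.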