Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Draft: feat(translation): expand sources of JWKS required to validate JWTs #4684

Open
wants to merge 1 commit into
base: main
Choose a base branch
from

Conversation

sgargan
Copy link
Contributor

@sgargan sgargan commented Nov 8, 2024

Currently only HTTPS endpoints are supported via remoteJWKS field of the JWTProvider. This is deprecated in favour of a jwksSource field that expands the available locations JWKS content can be retrieved from. Sources include an inline string in the source resource, a local file in the Gateway Container or from a Configmap/Secret.

This is a draft of the proposed JWKSource structure for discussion ahead of implentation.

Fixes #2419

@sgargan sgargan requested a review from a team as a code owner November 8, 2024 15:29
…required to validate JWTs

Currently only HTTPS endpoints are supported via remoteJWKS field of
the JWTProvider. This is deprecated in favor of a jwksSource field that
expands the available locations JWKS content can be retireved from.
Sources include an inline string in the source resource, a local file
in the Gateway Container or from a Configmap/Secret.

Signed-off-by: Steve Gargan <[email protected]>
@sgargan sgargan force-pushed the sgargan-jwks-sources branch from 64ac449 to f7a8756 Compare November 8, 2024 15:30
// Inline, URI and Configmap/Secret contents are supported.
//
// +optional
JWKSSource *JWKSSource `json:"jwksSource"`
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I like the jwks.Type idea !
we have been meaning to also add a backendRefs field to remoteJwks so upstream connection/traffic parameters can be controlled, relates to #3536

so the 2 options here are

  1. Represent backendRefs as a Type
  2. Keep the remoteJwks field, and add a new one localJwks to support the inline and valueRef cases

cc @envoyproxy/gateway-maintainers

Copy link
Member

@zhaohuabing zhaohuabing Nov 15, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

+1 for 2 as the structure is more straightfoward and less levels. It's a bit messy to add BackendCluster, URL, inline, and valueRef in a single structure.

      remoteJWKS:
        backendRefs:
        - group: gateway.envoyproxy.io
          kind: Backend
          name: backend-fqdn
          port: 443
        backendSettings:
          retry:
            numRetries: 3
            perRetry:
              backOff:
                baseInterval: 1s
                maxInterval: 5s
            retryOn:
              triggers: ["5xx", "gateway-error", "reset"]
      localJWKS:
        type: inline
        vaule: xxxxxxx

    jwksSource:
      type: BackendCluster
      backendCluster:
        backendRefs:
        - group: gateway.envoyproxy.io
          kind: Backend
          name: backend-fqdn
          port: 443
        backendSettings:
          retry:
            numRetries: 3
            perRetry:
              backOff:
                baseInterval: 1s
                maxInterval: 5s
            retryOn:
              triggers: ["5xx", "gateway-error", "reset"]

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

+1 for 2

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

thanks for sharing your thoughts folks, lets go with 2.

@zhaohuabing
Copy link
Member

@sgargan link error:

Error: ./api/v1alpha1/jwt_types.go:28: specfied ==> specified

@zhaohuabing
Copy link
Member

Hi @sgargan, I wanted to check in and see if you’re planning to continue working on this?

@sgargan
Copy link
Contributor Author

sgargan commented Dec 12, 2024 via email

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

Consider supporting localJWKS for JWT Authentication
4 participants