diff --git a/api/v1alpha1/jwt_types.go b/api/v1alpha1/jwt_types.go
index f0bdd7d6f75..945ab68ae60 100644
--- a/api/v1alpha1/jwt_types.go
+++ b/api/v1alpha1/jwt_types.go
@@ -8,9 +8,9 @@ package v1alpha1
 
 // JWT defines the configuration for JSON Web Token (JWT) authentication.
 type JWT struct {
-	// AllowMissing specifies whether a missing JWT is acceptable, but it will fail if an invalid JWT is presented.
-	//
-	AllowMissing bool `json:"allowMissing,omitempty"`
+	// AllowMissing determines whether a missing JWT is acceptable, defaulting to false if not specified.
+	// Note: Even if allowMissing is set to true, JWT authentication will still fail if an invalid JWT is presented.
+	AllowMissing *bool `json:"allowMissing,omitempty"`
 
 	// Providers defines the JSON Web Token (JWT) authentication provider type.
 	// When multiple JWT providers are specified, the JWT is considered valid if
diff --git a/api/v1alpha1/zz_generated.deepcopy.go b/api/v1alpha1/zz_generated.deepcopy.go
index 0055d7669f1..d959961e7bd 100644
--- a/api/v1alpha1/zz_generated.deepcopy.go
+++ b/api/v1alpha1/zz_generated.deepcopy.go
@@ -2202,6 +2202,11 @@ func (in *JSONPatchOperation) DeepCopy() *JSONPatchOperation {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *JWT) DeepCopyInto(out *JWT) {
 	*out = *in
+	if in.AllowMissing != nil {
+		in, out := &in.AllowMissing, &out.AllowMissing
+		*out = new(bool)
+		**out = **in
+	}
 	if in.Providers != nil {
 		in, out := &in.Providers, &out.Providers
 		*out = make([]JWTProvider, len(*in))
diff --git a/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_securitypolicies.yaml b/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_securitypolicies.yaml
index 63678fa69de..e5720170389 100644
--- a/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_securitypolicies.yaml
+++ b/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_securitypolicies.yaml
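Review bot: The new doc comment on AllowMissing says it defaults to false when unspecified, but nothing in the hunk marks the field as optional, and the generated reference table in this same commit still lists `allowMissing` as required; add `// +optional` above the field so the CRD schema and docs agree with the comment. The nil-means-false default is the fail-closed choice (a request without a token is rejected unless the user opts in), which is worth stating in the comment itself, e.g. `// When unset or false, requests that carry no JWT are rejected.` Changing the Go type from bool to *bool also breaks any out-of-tree Go consumer of the v1alpha1 API that reads this field directly; the commit updates the in-tree caller, so a release-note entry would help others.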
@@ -423,8 +423,9 @@ spec: authentication. properties: allowMissing: - description: AllowMissing specifies whether a missing JWT is acceptable, - but it will fail if an invalid JWT is presented. + description: |- + AllowMissing determines whether a missing JWT is acceptable, defaulting to false if not specified. + Note: Even if allowMissing is set to true, JWT authentication will still fail if an invalid JWT is presented. type: boolean providers: description: |-
diff --git a/internal/gatewayapi/securitypolicy.go b/internal/gatewayapi/securitypolicy.go
index 804c8d42d8a..e3d9dbd8f9c 100644
--- a/internal/gatewayapi/securitypolicy.go
+++ b/internal/gatewayapi/securitypolicy.go
@@ -527,7 +527,7 @@ func wildcard2regex(wildcard string) string {
 
 func (t *Translator) buildJWT(jwt *egv1a1.JWT) *ir.JWT {
 	return &ir.JWT{
-		AllowMissing: jwt.AllowMissing,
+		AllowMissing: ptr.Deref(jwt.AllowMissing, false),
 		Providers:    jwt.Providers,
 	}
 }
diff --git a/internal/gatewayapi/testdata/securitypolicy-with-jwt-optional.out.yaml b/internal/gatewayapi/testdata/securitypolicy-with-jwt-optional.out.yaml
index de595317ec3..9b47bb8990d 100644
--- a/internal/gatewayapi/testdata/securitypolicy-with-jwt-optional.out.yaml
+++ b/internal/gatewayapi/testdata/securitypolicy-with-jwt-optional.out.yaml
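Review bot: `ptr.Deref(jwt.AllowMissing, false)` silently encodes a security-relevant default — an unset field means a JWT is mandatory — and deserves a why-comment on that line so a later edit cannot flip it unnoticed, e.g. `// Unset AllowMissing is fail-closed: requests without a JWT are rejected.` The hunk does not show an import for the `ptr` package; presumably it is already imported elsewhere in securitypolicy.go, otherwise this will not compile. The nil case is exercised only indirectly by the golden testdata (the grpcroute fixture omits allowMissing); a small unit test on buildJWT asserting that a nil AllowMissing yields false would pin the default explicitly.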
@@ -307,27 +307,28 @@ xdsIR: weight: 1 hostname: '*' isHTTP2: true - jwt: - providers: - - audiences: - - one.foo.com - claimToHeaders: - - claim: claim1 - header: one-route-example-key - issuer: https://one.example.com - name: example1 - remoteJWKS: - uri: https://one.example.com/jwt/public-key/jwks.json - - audiences: - - two.foo.com - claimToHeaders: - - claim: claim2 - header: two-route-example-key - issuer: https://two.example.com - name: example2 - remoteJWKS: - uri: https://two.example.com/jwt/public-key/jwks.json name: grpcroute/default/grpcroute-1/rule/0/match/-1/* + security: + jwt: + providers: + - audiences: + - one.foo.com + claimToHeaders: + - claim: claim1 + header: one-route-example-key + issuer: https://one.example.com + name: example1 + remoteJWKS: + uri: https://one.example.com/jwt/public-key/jwks.json + - audiences: + - two.foo.com + claimToHeaders: + - claim: claim2 + header: two-route-example-key + issuer: https://two.example.com + name: example2 + remoteJWKS: + uri: https://two.example.com/jwt/public-key/jwks.json envoy-gateway/gateway-2: accessLog: text: 
@@ -357,28 +358,29 @@ xdsIR: weight: 1 hostname: gateway.envoyproxy.io isHTTP2: false - jwt: - allowMissing: true - providers: - - audiences: - three.foo.com - claimToHeaders: - - claim: claim3 header: three-route-example-key extractFrom: cookies: - session_access_token headers: - name: Authorization valuePrefix: 'Bearer ' params: - token issuer: https://three.example.com name: example3 remoteJWKS: uri: https://three.example.com/jwt/public-key/jwks.json name: httproute/default/httproute-1/rule/0/match/0/gateway_envoyproxy_io pathMatch: distinct: false name: "" prefix: / + security: + jwt: + allowMissing: true + providers: + - audiences: + - three.foo.com + claimToHeaders: + - claim: claim3 + header: three-route-example-key + extractFrom: + cookies: + - session_access_token + headers: + - name: Authorization + valuePrefix: 'Bearer ' + params: + - token + issuer: https://three.example.com + name: example3 + remoteJWKS: + uri: https://three.example.com/jwt/public-key/jwks.json
diff --git a/internal/ir/xds.go b/internal/ir/xds.go
index 8bd92214e29..a0522e788a7 100644
--- a/internal/ir/xds.go
+++ b/internal/ir/xds.go
@@ -570,7 +570,7 @@ type CORS struct {
 //
 // +k8s:deepcopy-gen=true
 type JWT struct {
-	// AllowMissing specifies whether JWT authentication could be optionally required.
+	// AllowMissing determines whether a missing JWT is acceptable.
 	//
 	AllowMissing bool `json:"allowMissing,omitempty" yaml:"allowMissing,omitempty"`
 
diff --git a/internal/xds/translator/jwt.go b/internal/xds/translator/jwt.go
index de5af852a99..822a5adf159 100644
--- a/internal/xds/translator/jwt.go
+++ b/internal/xds/translator/jwt.go
@@ -165,7 +165,7 @@ func buildJWTAuthn(irListener *ir.HTTPListener) (*jwtauthnv3.JwtAuthentication,
 			})
 		}
 
-		if route.JWT.AllowMissing {
+		if route.Security.JWT.AllowMissing {
 			reqs = append(reqs, &jwtauthnv3.JwtRequirement{
 				RequiresType: &jwtauthnv3.JwtRequirement_AllowMissing{
 					AllowMissing: &emptypb.Empty{},
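Review bot: The rewritten IR comment on AllowMissing drops the caveat that an invalid JWT is still rejected when the flag is true, which is the behaviour the xds translator relies on when it adds the AllowMissing requirement next to the provider requirements; keep the caveat in the IR type as well, e.g. `// AllowMissing determines whether a missing JWT is acceptable; an invalid JWT is still rejected.` Since ir.JWT is not user-facing, a one-line note that the API layer resolves an unset value to false before it reaches here would also save the next reader a trip to the translator.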
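Review bot: `route.Security.JWT.AllowMissing` now dereferences two levels that can be nil if Security or JWT is a pointer in the IR, and the guard that makes this safe is not in the hunk; confirm the enclosing loop already skips routes with `route.Security == nil || route.Security.JWT == nil` before reaching this line, otherwise a route with no security policy panics the translator. The removed line had the same single-level exposure, so this is a pre-existing pattern, but the extra level makes the guard more important. buildJWTAuthn starts and ends outside this hunk.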
diff --git a/internal/xds/translator/testdata/in/xds-ir/jwt-optional.yaml b/internal/xds/translator/testdata/in/xds-ir/jwt-optional.yaml
index 4104cdefe5f..b43dd005257 100644
--- a/internal/xds/translator/testdata/in/xds-ir/jwt-optional.yaml
+++ b/internal/xds/translator/testdata/in/xds-ir/jwt-optional.yaml
@@ -12,23 +12,24 @@ http: hostname: "*" pathMatch: exact: "foo/bar" - jwt: - providers: - - name: example - issuer: https://www.example.com - audiences: - - foo.com - remoteJWKS: - uri: https://localhost/jwt/public-key/jwks.json - extractFrom: - cookies: - - session_access_token - headers: - - name: Authorization - valuePrefix: 'Bearer ' - params: - - token - allowMissing: true + security: + jwt: + providers: + - name: example + issuer: https://www.example.com + audiences: + - foo.com + remoteJWKS: + uri: https://localhost/jwt/public-key/jwks.json + extractFrom: + cookies: + - session_access_token + headers: + - name: Authorization + valuePrefix: 'Bearer ' + params: + - token + allowMissing: true destination: name: "first-route-dest" settings:
diff --git a/site/content/en/latest/api/extension_types.md b/site/content/en/latest/api/extension_types.md
index 1167b8a9a39..4068596f6a4 100644
--- a/site/content/en/latest/api/extension_types.md
+++ b/site/content/en/latest/api/extension_types.md
@@ -1626,9 +1626,8 @@ _Appears in:_
 | Field | Type | Required | Description |
 | --- | --- | --- | --- |
-| `allowMissing` | _boolean_ | true | AllowMissing specifies whether a missing JWT is acceptable, but it will fail if an invalid JWT is presented. |
-| `providers` | _[JWTProvider](#jwtprovider) array_ | true | Providers defines the JSON Web Token (JWT) authentication provider type.
When multiple JWT providers are specified, the JWT is considered valid if
any of the providers successfully validate the JWT. For additional details,
see https://www.envoyproxy.io/docs/envoy/latest/configuration/http/http_filters/jwt_authn_filter.html. | +| `allowMissing` | _boolean_ | true | AllowMissing determines whether a missing JWT is acceptable, defaulting to false if not specified.
Note: Even if allowMissing is set to true, JWT authentication will still fail if an invalid JWT is presented. | | `providers` | _[JWTProvider](#jwtprovider) array_ | true | Providers defines the JSON Web Token (JWT) authentication provider type.
When multiple JWT providers are specified, the JWT is considered valid if
any of the providers successfully validate the JWT. For additional details,
see https://www.envoyproxy.io/docs/envoy/latest/configuration/http/http_filters/jwt_authn_filter.html. |