feat: add support for optional JWT authentication #3157

Merged (5 commits) on Apr 19, 2024
4 changes: 4 additions & 0 deletions api/v1alpha1/jwt_types.go
Expand Up @@ -8,6 +8,10 @@ package v1alpha1
// JWT defines the configuration for JSON Web Token (JWT) authentication.
type JWT struct {

// Optional determines whether a missing JWT is acceptable, defaulting to false if not specified.
// Note: Even if optional is set to true, JWT authentication will still fail if an invalid JWT is presented.
Optional *bool `json:"optional,omitempty"`

// Providers defines the JSON Web Token (JWT) authentication provider type.
// When multiple JWT providers are specified, the JWT is considered valid if
// any of the providers successfully validate the JWT. For additional details,
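Review bot: the doc comment on `Optional` describes only the rejection path; it should also say what happens on the accepted path, because that is the security-relevant part. When `Optional` is true and no JWT is present, the request is forwarded without any verified claims, so none of the provider's `claimToHeaders` headers are populated and any authorization that sits behind this filter must handle the no-token case itself rather than assume a claim header is always present. Suggest extending the comment with a line such as `// When Optional is true and no JWT is present, the request proceeds without claims and no claimToHeaders are set.`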
5 changes: 5 additions & 0 deletions api/v1alpha1/zz_generated.deepcopy.go

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

Expand Up @@ -422,6 +422,11 @@ spec:
description: JWT defines the configuration for JSON Web Token (JWT)
authentication.
properties:
optional:
description: |-
Optional determines whether a missing JWT is acceptable, defaulting to false if not specified.
Note: Even if optional is set to true, JWT authentication will still fail if an invalid JWT is presented.
type: boolean
providers:
description: |-
Providers defines the JSON Web Token (JWT) authentication provider type.
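Review bot: the schema entry for `optional` declares `type: boolean` but no `default`, so the "defaulting to false if not specified" in the description is documentation only and the actual default lives in the translator. If the API follows the usual controller-gen convention, a `+kubebuilder:default=false` marker on the Go field would emit `default: false` here so that `kubectl explain` and server-side defaulting agree with the text; if pointer-without-default is the deliberate convention for this API, the description should say the default is applied by the controller rather than by the schema.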
3 changes: 2 additions & 1 deletion internal/gatewayapi/securitypolicy.go
Expand Up @@ -527,7 +527,8 @@ func wildcard2regex(wildcard string) string {

func (t *Translator) buildJWT(jwt *egv1a1.JWT) *ir.JWT {
return &ir.JWT{
Providers: jwt.Providers,
AllowMissing: ptr.Deref(jwt.Optional, false),
Providers: jwt.Providers,
}
}
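Review bot: `ptr.Deref(jwt.Optional, false)` is the right nil-safe default, but the IR field is named `AllowMissing` while the API field is `Optional`, and the IR side of that mapping is not in this diff. Please make sure `ir.JWT.AllowMissing` carries a comment with the same semantics as the API doc, i.e. a missing token is accepted but a present invalid token still fails, so that the xDS translation which consumes it maps to Envoy's `allow_missing` requirement and does not drift toward `allow_missing_or_failed`, which would also let bad tokens through.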

@@ -0,0 +1,127 @@
gateways:
- apiVersion: gateway.networking.k8s.io/v1
kind: Gateway
metadata:
namespace: envoy-gateway
name: gateway-1
spec:
gatewayClassName: envoy-gateway-class
listeners:
- name: http
protocol: HTTP
port: 80
allowedRoutes:
namespaces:
from: All
- apiVersion: gateway.networking.k8s.io/v1
kind: Gateway
metadata:
namespace: envoy-gateway
name: gateway-2
spec:
gatewayClassName: envoy-gateway-class
listeners:
- name: http
protocol: HTTP
port: 80
allowedRoutes:
namespaces:
from: All
grpcRoutes:
- apiVersion: gateway.networking.k8s.io/v1alpha2
kind: GRPCRoute
metadata:
namespace: default
name: grpcroute-1
spec:
parentRefs:
- namespace: envoy-gateway
name: gateway-1
sectionName: http
rules:
- backendRefs:
- name: service-1
port: 8080
httpRoutes:
- apiVersion: gateway.networking.k8s.io/v1
kind: HTTPRoute
metadata:
namespace: default
name: httproute-1
spec:
hostnames:
- gateway.envoyproxy.io
parentRefs:
- namespace: envoy-gateway
name: gateway-2
sectionName: http
rules:
- matches:
- path:
value: "/"
backendRefs:
- name: service-1
port: 8080
securityPolicies:
- apiVersion: gateway.envoyproxy.io/v1alpha1
kind: SecurityPolicy
metadata:
namespace: envoy-gateway
name: policy-for-gateway
spec:
targetRef:
group: gateway.networking.k8s.io
kind: Gateway
name: gateway-1
namespace: envoy-gateway
jwt:
providers:
- name: example1
issuer: https://one.example.com
audiences:
- one.foo.com
remoteJWKS:
uri: https://one.example.com/jwt/public-key/jwks.json
claimToHeaders:
- header: one-route-example-key
claim: claim1
- name: example2
issuer: https://two.example.com
audiences:
- two.foo.com
remoteJWKS:
uri: https://two.example.com/jwt/public-key/jwks.json
claimToHeaders:
- header: two-route-example-key
claim: claim2
- apiVersion: gateway.envoyproxy.io/v1alpha1
kind: SecurityPolicy
metadata:
namespace: default
name: policy-for-route
spec:
targetRef:
group: gateway.networking.k8s.io
kind: HTTPRoute
name: httproute-1
namespace: default
jwt:
providers:
- name: example3
issuer: https://three.example.com
audiences:
- three.foo.com
remoteJWKS:
uri: https://three.example.com/jwt/public-key/jwks.json
claimToHeaders:
- header: three-route-example-key
claim: claim3
extractFrom:
headers:
- name: Authorization
valuePrefix: 'Bearer '
cookies:
- session_access_token
params:
- token
optional: true
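Review bot: the new testdata only exercises `optional: true` on `policy-for-route`; `policy-for-gateway` omits `optional` entirely, so the default-false path is covered implicitly but nothing asserts that its two providers still render as required. Since `policy-for-route` also sets `claimToHeaders` (`three-route-example-key`) and extracts the token from the `Authorization` header, the `session_access_token` cookie and the `token` query param, two cases are worth covering: that the gateway-level policy without `optional` still rejects a missing token, and that with `optional: true` a request carrying no token does not reach the backend with a client-supplied `three-route-example-key` header intact, because once unauthenticated requests are allowed through the backend must not be able to mistake one for an authenticated request.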