From 7a3129fda1ba72f7a3417ac06760eb296aaed7b4 Mon Sep 17 00:00:00 2001 From: Wayne Zhang Date: Thu, 8 Mar 2018 00:43:08 +0000 Subject: [PATCH 01/28] Add jwt auth filter config proto Signed-off-by: Wayne Zhang --- envoy/config/filter/http/jwt_auth/v2/BUILD | 8 + .../filter/http/jwt_auth/v2/config.proto | 188 ++++++++++++++++++ 2 files changed, 196 insertions(+) create mode 100644 envoy/config/filter/http/jwt_auth/v2/BUILD create mode 100644 envoy/config/filter/http/jwt_auth/v2/config.proto diff --git a/envoy/config/filter/http/jwt_auth/v2/BUILD b/envoy/config/filter/http/jwt_auth/v2/BUILD new file mode 100644 index 000000000..4c31b0b0d --- /dev/null +++ b/envoy/config/filter/http/jwt_auth/v2/BUILD @@ -0,0 +1,8 @@ +load("//bazel:api_build_system.bzl", "api_proto_library") + +licenses(["notice"]) # Apache 2 + +api_proto_library( + name = "jwt_auth", + srcs = ["config.proto"], +) \ No newline at end of file diff --git a/envoy/config/filter/http/jwt_auth/v2/config.proto b/envoy/config/filter/http/jwt_auth/v2/config.proto new file mode 100644 index 000000000..bdabc36f6 --- /dev/null +++ b/envoy/config/filter/http/jwt_auth/v2/config.proto @@ -0,0 +1,188 @@ +// Copyright 2017 Istio Authors +// +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. + +syntax = "proto3"; + +package Envoy.Http.JwtAuth.Config; + +import "google/protobuf/duration.proto"; +import "validate/validate.proto"; + +// JSON Web Token (JWT) token format for authentication as defined by +// https://tools.ietf.org/html/rfc7519. See [OAuth +// 2.0](https://tools.ietf.org/html/rfc6749) and [OIDC +// 1.0](http://openid.net/connect) for how this is used in the whole +// authentication flow. +// +// Example, +// +// issuer: https://example.com +// audiences: +// - bookstore_android.apps.googleusercontent.com +// bookstore_web.apps.googleusercontent.com +// jwks_uri: https://example.com/.well-known/jwks.json +// +message JWT { + // Identifies the principal that issued the JWT. See + // https://tools.ietf.org/html/rfc7519#section-4.1.1 + // Usually a URL or an email address. + // + // Example: https://securetoken.google.com + // Example: 1234567-compute@developer.gserviceaccount.com + // + string issuer = 1; + + // The list of JWT + // [audiences](https://tools.ietf.org/html/rfc7519#section-4.1.3). + // that are allowed to access. A JWT containing any of these + // audiences will be accepted. + // + // The service name will be accepted if audiences is empty. + // + // Example: + // + // audiences: + // - bookstore_android.apps.googleusercontent.com + // bookstore_web.apps.googleusercontent.com + // + repeated string audiences = 2; + + // URL of the provider's public key set to validate signature of the + // JWT. See [OpenID + // Discovery](https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderMetadata). + // + // Optional if the key set document can either (a) be retrieved from + // [OpenID + // Discovery](https://openid.net/specs/openid-connect-discovery-1_0.html + // of the issuer or (b) inferred from the email domain of the issuer + // (e.g. a Google service account). + // + // Example: https://www.googleapis.com/oauth2/v1/certs + string jwks_uri = 3; + + // If false, remove the JWT from the HTTP request and do not forward to the + // application. + bool forward_jwt = 4; + + // Duration after which the cached public key should be expired. The + // system wide default is applied if no duration is explicitly + // specified. + google.protobuf.Duration public_key_cache_duration = 5; + + // Two fields below define where to extract the JWT from an HTTP request. + // + // If no explicit location is specified the following default + // locations are tried in order: + // + // 1) The Authorization header using the Bearer schema, + // e.g. Authorization: Bearer . (see + // https://tools.ietf.org/html/rfc6750#section-2.1) + // + // 2) `access_token` query parameter (see + // https://tools.ietf.org/html/rfc6750#section-2.3) + // + + // Only one JWT token is verified per request. + // If multiple header or parameter names specified, the first one with the + // token will be used. + // If both jwt_headers and jwt_params are specified, jwt_headers will be + // checked first. + + // JWT is sent in a request header. `jwt_headers` represents the + // header names. Their format is: + // header_name: + // + // For example, if config is + // jwt_headers: + // x-goog-iap-jwt-assertion + // The header format will be: + // x-goog-iap-jwt-assertion: . + // + repeated string jwt_headers = 6; + + // JWT is sent in a query parameter. `jwt_params` represents the + // query parameter names. + // + // For example, if config is: + // jwt_params: + // jwt_token + // The query parameter is: ?jwt_token= + // + repeated string jwt_params = 8; + + // This field is specific for Envoy proxy implementation. + // It is the cluster name in the Envoy config for the jwks_uri. + string jwks_uri_cluster = 7; +} + +// Determines how to apply auth policies for individual requests. +message Config { + // List of JWT rules to valide. + // + // If the request includes a JWT it must match one of the JWT listed + // here matched by the issuer. If validation is successfull the + // follow attributes are included in requests to the mixer: + // + // request.auth.principal - The string of the issuer (`iss`) and + // subject (`sub`) claims within a JWT concatenated with “/” + // with a percent-encoded subject value + // + // request.auth.audiences - This should reflect the audience + // (`aud`) claim within matched JWT. + // + // request.auth.presenter - The authorized presenter of the + // credential. This value should reflect the optional Authorized + // Presenter (`azp`) claim within a JWT + // + // If no match is found the request is rejected with HTTP status + // code 401. + // + // JWT validation is skipped if the user's traffic request does not + // include a JWT. + repeated JWT jwts = 2; + + // This message defines a pattern to match a HTTP request. + // A pattern is matched only if both http_method and path_match are matched. + message HttpPattern { + // Define a HTTP method. + string http_method = 1; + + // Defines a path match + oneof path_match { + // Defines an exact path match + string path_exact = 2; + + // Defines an path prefix match + string path_prefix = 3; + } + } + + // If a request doesn't have JWT, it will be rejected. + // But some requests can be forwarded without JWT, such as OPTIONS for CORS + // and some health checking paths. + // + // Examples: bypass all CORS options requests. + // + // bypass_jwt: + // http_method: OPTIONS + // path_prefix: / + // + // Examples: bypass /healthz check + // + // bypass_jwt: + // http_method: GET + // path_exact: /healthz + // + repeated HttpPattern bypass_jwt = 3; +} From 30ee783ed27ca0e92f77d31eae54d35003615726 Mon Sep 17 00:00:00 2001 From: Wayne Zhang Date: Thu, 8 Mar 2018 01:09:31 +0000 Subject: [PATCH 02/28] fix format Signed-off-by: Wayne Zhang --- envoy/config/filter/http/jwt_auth/v2/BUILD | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/envoy/config/filter/http/jwt_auth/v2/BUILD b/envoy/config/filter/http/jwt_auth/v2/BUILD index 4c31b0b0d..e5c45140c 100644 --- a/envoy/config/filter/http/jwt_auth/v2/BUILD +++ b/envoy/config/filter/http/jwt_auth/v2/BUILD @@ -1,8 +1,11 @@ +licenses(["notice"]) # Apache 2 + load("//bazel:api_build_system.bzl", "api_proto_library") +load("//bazel:envoy_build_system.bzl", "envoy_package") -licenses(["notice"]) # Apache 2 +envoy_package() api_proto_library( name = "jwt_auth", srcs = ["config.proto"], -) \ No newline at end of file +) From cfefc2872a601078e92889f1cba35f75277ce3c7 Mon Sep 17 00:00:00 2001 From: Wayne Zhang Date: Thu, 8 Mar 2018 20:19:55 +0000 Subject: [PATCH 03/28] Update per comment Signed-off-by: Wayne Zhang --- envoy/config/filter/http/jwt_auth/v2/BUILD | 3 - .../filter/http/jwt_auth/v2/config.proto | 132 +++++++----------- 2 files changed, 52 insertions(+), 83 deletions(-) diff --git a/envoy/config/filter/http/jwt_auth/v2/BUILD b/envoy/config/filter/http/jwt_auth/v2/BUILD index e5c45140c..6e325a2f8 100644 --- a/envoy/config/filter/http/jwt_auth/v2/BUILD +++ b/envoy/config/filter/http/jwt_auth/v2/BUILD @@ -1,9 +1,6 @@ licenses(["notice"]) # Apache 2 load("//bazel:api_build_system.bzl", "api_proto_library") -load("//bazel:envoy_build_system.bzl", "envoy_package") - -envoy_package() api_proto_library( name = "jwt_auth", diff --git a/envoy/config/filter/http/jwt_auth/v2/config.proto b/envoy/config/filter/http/jwt_auth/v2/config.proto index bdabc36f6..f79ff50a6 100644 --- a/envoy/config/filter/http/jwt_auth/v2/config.proto +++ b/envoy/config/filter/http/jwt_auth/v2/config.proto @@ -1,31 +1,17 @@ -// Copyright 2017 Istio Authors -// -// Licensed under the Apache License, Version 2.0 (the "License"); -// you may not use this file except in compliance with the License. -// You may obtain a copy of the License at -// -// http://www.apache.org/licenses/LICENSE-2.0 -// -// Unless required by applicable law or agreed to in writing, software -// distributed under the License is distributed on an "AS IS" BASIS, -// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -// See the License for the specific language governing permissions and -// limitations under the License. syntax = "proto3"; -package Envoy.Http.JwtAuth.Config; +package envoy.config.filter.http.jwt_auth.v2; import "google/protobuf/duration.proto"; import "validate/validate.proto"; -// JSON Web Token (JWT) token format for authentication as defined by -// https://tools.ietf.org/html/rfc7519. See [OAuth -// 2.0](https://tools.ietf.org/html/rfc6749) and [OIDC -// 1.0](http://openid.net/connect) for how this is used in the whole -// authentication flow. +// JSON Web Token (JWT) token format for authentication is defined +// `here `_. +// See `OAuth2.0 `_ and +// `OIDC1.0 `_ for the authentication flow. // -// Example, +// Example,:: // // issuer: https://example.com // audiences: @@ -33,9 +19,9 @@ import "validate/validate.proto"; // bookstore_web.apps.googleusercontent.com // jwks_uri: https://example.com/.well-known/jwks.json // -message JWT { +message JSONWebToken { // Identifies the principal that issued the JWT. See - // https://tools.ietf.org/html/rfc7519#section-4.1.1 + // `here `_. // Usually a URL or an email address. // // Example: https://securetoken.google.com @@ -43,14 +29,11 @@ message JWT { // string issuer = 1; - // The list of JWT - // [audiences](https://tools.ietf.org/html/rfc7519#section-4.1.3). - // that are allowed to access. A JWT containing any of these - // audiences will be accepted. + // The list of JWT `audiences + // `_. that are allowed to + // access. A JWT containing any of these audiences will be accepted. // - // The service name will be accepted if audiences is empty. - // - // Example: + // Example:: // // audiences: // - bookstore_android.apps.googleusercontent.com @@ -59,20 +42,14 @@ message JWT { repeated string audiences = 2; // URL of the provider's public key set to validate signature of the - // JWT. See [OpenID - // Discovery](https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderMetadata). - // - // Optional if the key set document can either (a) be retrieved from - // [OpenID - // Discovery](https://openid.net/specs/openid-connect-discovery-1_0.html - // of the issuer or (b) inferred from the email domain of the issuer - // (e.g. a Google service account). + // JWT. See `OpenID + // Discovery + // `_ // // Example: https://www.googleapis.com/oauth2/v1/certs string jwks_uri = 3; - // If false, remove the JWT from the HTTP request and do not forward to the - // application. + // If false, remove the JWT and do not forward to the backend. bool forward_jwt = 4; // Duration after which the cached public key should be expired. The @@ -85,28 +62,33 @@ message JWT { // If no explicit location is specified the following default // locations are tried in order: // - // 1) The Authorization header using the Bearer schema, - // e.g. Authorization: Bearer . (see - // https://tools.ietf.org/html/rfc6750#section-2.1) + // 1. The Authorization header using the Bearer schema. + // See `here `_ + // Example:: // - // 2) `access_token` query parameter (see - // https://tools.ietf.org/html/rfc6750#section-2.3) + // Authorization: Bearer . // - - // Only one JWT token is verified per request. - // If multiple header or parameter names specified, the first one with the - // token will be used. + // 2. `access_token` query parameter. + // See `here `_ + // + // + // Only the first JWT token is verified per request if multiple tokens are + // specified. // If both jwt_headers and jwt_params are specified, jwt_headers will be // checked first. - + // // JWT is sent in a request header. `jwt_headers` represents the - // header names. Their format is: + // header names. Their format is:: + // // header_name: // - // For example, if config is + // For example, if config is:: + // // jwt_headers: // x-goog-iap-jwt-assertion - // The header format will be: + // + // The header format will be:: + // // x-goog-iap-jwt-assertion: . // repeated string jwt_headers = 6; @@ -114,48 +96,38 @@ message JWT { // JWT is sent in a query parameter. `jwt_params` represents the // query parameter names. // - // For example, if config is: + // For example, if config is:: + // // jwt_params: // jwt_token - // The query parameter is: ?jwt_token= + // + // The query parameter is:: + // + // /path?jwt_token= // repeated string jwt_params = 8; // This field is specific for Envoy proxy implementation. - // It is the cluster name in the Envoy config for the jwks_uri. + // It is the cluster name in the Envoy "cluster_manager" config section. + // In order for Envoy to call "jwks_uri", its host has to be specified + // as a "cluster" in the config for each jwks_uri. string jwks_uri_cluster = 7; } -// Determines how to apply auth policies for individual requests. -message Config { +// This is the Envoy filter config for JSON Web Token authentication. +message JSONWebTokenAuthenticationFilterConfig { // List of JWT rules to valide. // - // If the request includes a JWT it must match one of the JWT listed - // here matched by the issuer. If validation is successfull the - // follow attributes are included in requests to the mixer: - // - // request.auth.principal - The string of the issuer (`iss`) and - // subject (`sub`) claims within a JWT concatenated with “/” - // with a percent-encoded subject value - // - // request.auth.audiences - This should reflect the audience - // (`aud`) claim within matched JWT. - // - // request.auth.presenter - The authorized presenter of the - // credential. This value should reflect the optional Authorized - // Presenter (`azp`) claim within a JWT - // - // If no match is found the request is rejected with HTTP status - // code 401. + // If the request includes a JWT, it must match one of the JWT listed + // here with the same issuer. // - // JWT validation is skipped if the user's traffic request does not - // include a JWT. - repeated JWT jwts = 2; + repeated JSONWebToken jwts = 2; // This message defines a pattern to match a HTTP request. // A pattern is matched only if both http_method and path_match are matched. message HttpPattern { - // Define a HTTP method. + // Define a HTTP method. It should be one of valid HTTP methods. + // It should not be empty. string http_method = 1; // Defines a path match @@ -172,13 +144,13 @@ message Config { // But some requests can be forwarded without JWT, such as OPTIONS for CORS // and some health checking paths. // - // Examples: bypass all CORS options requests. + // Examples: bypass all CORS options requests:: // // bypass_jwt: // http_method: OPTIONS // path_prefix: / // - // Examples: bypass /healthz check + // Examples: bypass /healthz check:: // // bypass_jwt: // http_method: GET From 529471dd411afdf9638394d179810b748d712917 Mon Sep 17 00:00:00 2001 From: Wayne Zhang Date: Thu, 8 Mar 2018 21:22:46 +0000 Subject: [PATCH 04/28] use HeaderMatcher Signed-off-by: Wayne Zhang --- envoy/config/filter/http/jwt_auth/v2/BUILD | 1 + .../filter/http/jwt_auth/v2/config.proto | 48 +++++++++++-------- 2 files changed, 29 insertions(+), 20 deletions(-) diff --git a/envoy/config/filter/http/jwt_auth/v2/BUILD b/envoy/config/filter/http/jwt_auth/v2/BUILD index 6e325a2f8..0af72f517 100644 --- a/envoy/config/filter/http/jwt_auth/v2/BUILD +++ b/envoy/config/filter/http/jwt_auth/v2/BUILD @@ -5,4 +5,5 @@ load("//bazel:api_build_system.bzl", "api_proto_library") api_proto_library( name = "jwt_auth", srcs = ["config.proto"], + deps = ["//envoy/api/v2/route:route"], ) diff --git a/envoy/config/filter/http/jwt_auth/v2/config.proto b/envoy/config/filter/http/jwt_auth/v2/config.proto index f79ff50a6..c57458c10 100644 --- a/envoy/config/filter/http/jwt_auth/v2/config.proto +++ b/envoy/config/filter/http/jwt_auth/v2/config.proto @@ -3,6 +3,7 @@ syntax = "proto3"; package envoy.config.filter.http.jwt_auth.v2; +import "envoy/api/v2/route/route.proto"; import "google/protobuf/duration.proto"; import "validate/validate.proto"; @@ -124,20 +125,19 @@ message JSONWebTokenAuthenticationFilterConfig { repeated JSONWebToken jwts = 2; // This message defines a pattern to match a HTTP request. - // A pattern is matched only if both http_method and path_match are matched. - message HttpPattern { - // Define a HTTP method. It should be one of valid HTTP methods. - // It should not be empty. - string http_method = 1; - - // Defines a path match - oneof path_match { - // Defines an exact path match - string path_exact = 2; - - // Defines an path prefix match - string path_prefix = 3; - } + // A pattern is matched only if all "headers" are matched. + message HttpMatcher { + // Specifies a set of headers should match on. + // For example:: + // + // headers: + // name: :method + // value: OPTIONS + // headers: + // name: :path + // regex_match: /.* + // + repeated envoy.api.v2.route.HeaderMatcher headers = 6; } // If a request doesn't have JWT, it will be rejected. @@ -147,14 +147,22 @@ message JSONWebTokenAuthenticationFilterConfig { // Examples: bypass all CORS options requests:: // // bypass_jwt: - // http_method: OPTIONS - // path_prefix: / + // headers: + // name: :method + // value: OPTIONS + // headers: + // name: :path + // regex_match: /.* // // Examples: bypass /healthz check:: // // bypass_jwt: - // http_method: GET - // path_exact: /healthz - // - repeated HttpPattern bypass_jwt = 3; + // headers: + // name: :method + // value: GET + // headers: + // name: :path + // exact_match: /healthz + // + repeated HttpMatcher bypass_jwt = 3; } From 71a5490def0d7fd118024af86216260975756bac Mon Sep 17 00:00:00 2001 From: Wayne Zhang Date: Thu, 8 Mar 2018 22:33:37 +0000 Subject: [PATCH 05/28] Fix BUILD format Signed-off-by: Wayne Zhang --- envoy/config/filter/http/jwt_auth/v2/BUILD | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/envoy/config/filter/http/jwt_auth/v2/BUILD b/envoy/config/filter/http/jwt_auth/v2/BUILD index 0af72f517..b85af5d68 100644 --- a/envoy/config/filter/http/jwt_auth/v2/BUILD +++ b/envoy/config/filter/http/jwt_auth/v2/BUILD @@ -5,5 +5,5 @@ load("//bazel:api_build_system.bzl", "api_proto_library") api_proto_library( name = "jwt_auth", srcs = ["config.proto"], - deps = ["//envoy/api/v2/route:route"], + deps = ["//envoy/api/v2/route"], ) From 89720dd0019d94dd7ab59978e369299543b4ffb8 Mon Sep 17 00:00:00 2001 From: Wayne Zhang Date: Fri, 9 Mar 2018 00:48:44 +0000 Subject: [PATCH 06/28] Rename jwt_auth to jwt_authn Signed-off-by: Wayne Zhang --- envoy/config/filter/http/{jwt_auth => jwt_authn}/v2/BUILD | 2 +- .../filter/http/{jwt_auth => jwt_authn}/v2/config.proto | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) rename envoy/config/filter/http/{jwt_auth => jwt_authn}/v2/BUILD (88%) rename envoy/config/filter/http/{jwt_auth => jwt_authn}/v2/config.proto (98%) diff --git a/envoy/config/filter/http/jwt_auth/v2/BUILD b/envoy/config/filter/http/jwt_authn/v2/BUILD similarity index 88% rename from envoy/config/filter/http/jwt_auth/v2/BUILD rename to envoy/config/filter/http/jwt_authn/v2/BUILD index b85af5d68..5b21d9584 100644 --- a/envoy/config/filter/http/jwt_auth/v2/BUILD +++ b/envoy/config/filter/http/jwt_authn/v2/BUILD @@ -3,7 +3,7 @@ licenses(["notice"]) # Apache 2 load("//bazel:api_build_system.bzl", "api_proto_library") api_proto_library( - name = "jwt_auth", + name = "jwt_authn", srcs = ["config.proto"], deps = ["//envoy/api/v2/route"], ) diff --git a/envoy/config/filter/http/jwt_auth/v2/config.proto b/envoy/config/filter/http/jwt_authn/v2/config.proto similarity index 98% rename from envoy/config/filter/http/jwt_auth/v2/config.proto rename to envoy/config/filter/http/jwt_authn/v2/config.proto index c57458c10..35b41df99 100644 --- a/envoy/config/filter/http/jwt_auth/v2/config.proto +++ b/envoy/config/filter/http/jwt_authn/v2/config.proto @@ -1,7 +1,7 @@ syntax = "proto3"; -package envoy.config.filter.http.jwt_auth.v2; +package envoy.config.filter.http.jwt_authn.v2; import "envoy/api/v2/route/route.proto"; import "google/protobuf/duration.proto"; @@ -116,7 +116,7 @@ message JSONWebToken { } // This is the Envoy filter config for JSON Web Token authentication. -message JSONWebTokenAuthenticationFilterConfig { +message JSONWebTokenAuthentication { // List of JWT rules to valide. // // If the request includes a JWT, it must match one of the JWT listed From 062cdf855c73a389094aa7315eca227334eade02 Mon Sep 17 00:00:00 2001 From: Wayne Zhang Date: Fri, 9 Mar 2018 18:42:10 +0000 Subject: [PATCH 07/28] add not-implemented-hide Signed-off-by: Wayne Zhang --- .../filter/http/jwt_authn/v2/config.proto | 26 ++++++++++--------- 1 file changed, 14 insertions(+), 12 deletions(-) diff --git a/envoy/config/filter/http/jwt_authn/v2/config.proto b/envoy/config/filter/http/jwt_authn/v2/config.proto index 35b41df99..15f6edf5c 100644 --- a/envoy/config/filter/http/jwt_authn/v2/config.proto +++ b/envoy/config/filter/http/jwt_authn/v2/config.proto @@ -20,6 +20,7 @@ import "validate/validate.proto"; // bookstore_web.apps.googleusercontent.com // jwks_uri: https://example.com/.well-known/jwks.json // +// [#not-implemented-hide:] message JSONWebToken { // Identifies the principal that issued the JWT. See // `here `_. @@ -116,6 +117,7 @@ message JSONWebToken { } // This is the Envoy filter config for JSON Web Token authentication. +// [#not-implemented-hide:] message JSONWebTokenAuthentication { // List of JWT rules to valide. // @@ -131,11 +133,11 @@ message JSONWebTokenAuthentication { // For example:: // // headers: - // name: :method - // value: OPTIONS + // - name: :method + // value: OPTIONS // headers: - // name: :path - // regex_match: /.* + // - name: :path + // regex_match: /.* // repeated envoy.api.v2.route.HeaderMatcher headers = 6; } @@ -148,21 +150,21 @@ message JSONWebTokenAuthentication { // // bypass_jwt: // headers: - // name: :method - // value: OPTIONS + // - name: :method + // value: OPTIONS // headers: - // name: :path - // regex_match: /.* + // - name: :path + // regex_match: /.* // // Examples: bypass /healthz check:: // // bypass_jwt: // headers: - // name: :method - // value: GET + // - name: :method + // value: GET // headers: - // name: :path - // exact_match: /healthz + // - name: :path + // exact_match: /healthz // repeated HttpMatcher bypass_jwt = 3; } From f20a77d0a25deb99d1385bee8984b9adaf3ee280 Mon Sep 17 00:00:00 2001 From: Wayne Zhang Date: Fri, 9 Mar 2018 19:54:28 +0000 Subject: [PATCH 08/28] Added JwtHeader Signed-off-by: Wayne Zhang --- .../filter/http/jwt_authn/v2/config.proto | 34 +++++++++++++------ 1 file changed, 24 insertions(+), 10 deletions(-) diff --git a/envoy/config/filter/http/jwt_authn/v2/config.proto b/envoy/config/filter/http/jwt_authn/v2/config.proto index 15f6edf5c..07ebd17a9 100644 --- a/envoy/config/filter/http/jwt_authn/v2/config.proto +++ b/envoy/config/filter/http/jwt_authn/v2/config.proto @@ -61,8 +61,8 @@ message JSONWebToken { // Two fields below define where to extract the JWT from an HTTP request. // - // If no explicit location is specified the following default - // locations are tried in order: + // If no explicit location is specified, the following default locations are + // tried in order: // // 1. The Authorization header using the Bearer schema. // See `here `_ @@ -76,24 +76,38 @@ message JSONWebToken { // // Only the first JWT token is verified per request if multiple tokens are // specified. + // // If both jwt_headers and jwt_params are specified, jwt_headers will be // checked first. // - // JWT is sent in a request header. `jwt_headers` represents the - // header names. Their format is:: + + // This message specifies a header location to extract JWT token. + // A HTTP header format is:: // - // header_name: + // name: value_prefix // - // For example, if config is:: + message JwtHeader { + // The HTTP header name. + string name = 1; + + // The value prefix. The value format is "prefix" + // For example, for "Authorization: Bearer ", + // value_prefix="Bearer " with a space at the end. + string value_prefix = 2; + } + + // Specify the HTTP headers to extract JWT token. + // + // For examples, following config:: // // jwt_headers: - // x-goog-iap-jwt-assertion + // -name: x-goog-iap-jwt-assertion // - // The header format will be:: + // can be used to extract token from header:: // // x-goog-iap-jwt-assertion: . // - repeated string jwt_headers = 6; + repeated JwtHeader jwt_headers = 6; // JWT is sent in a query parameter. `jwt_params` represents the // query parameter names. @@ -101,7 +115,7 @@ message JSONWebToken { // For example, if config is:: // // jwt_params: - // jwt_token + // jwt_token // // The query parameter is:: // From 95cfa93f31a328379f3a40c0089706642cbb15dc Mon Sep 17 00:00:00 2001 From: Wayne Zhang Date: Fri, 9 Mar 2018 20:37:33 +0000 Subject: [PATCH 09/28] Add allow_missing_jwt Signed-off-by: Wayne Zhang --- .../filter/http/jwt_authn/v2/config.proto | 84 +++++++++++-------- 1 file changed, 48 insertions(+), 36 deletions(-) diff --git a/envoy/config/filter/http/jwt_authn/v2/config.proto b/envoy/config/filter/http/jwt_authn/v2/config.proto index 07ebd17a9..06359c286 100644 --- a/envoy/config/filter/http/jwt_authn/v2/config.proto +++ b/envoy/config/filter/http/jwt_authn/v2/config.proto @@ -5,6 +5,7 @@ package envoy.config.filter.http.jwt_authn.v2; import "envoy/api/v2/route/route.proto"; import "google/protobuf/duration.proto"; +import "google/protobuf/wrappers.proto"; import "validate/validate.proto"; // JSON Web Token (JWT) token format for authentication is defined @@ -52,7 +53,7 @@ message JSONWebToken { string jwks_uri = 3; // If false, remove the JWT and do not forward to the backend. - bool forward_jwt = 4; + google.protobuf.BoolValue forward_jwt = 4; // Duration after which the cached public key should be expired. The // system wide default is applied if no duration is explicitly @@ -81,21 +82,6 @@ message JSONWebToken { // checked first. // - // This message specifies a header location to extract JWT token. - // A HTTP header format is:: - // - // name: value_prefix - // - message JwtHeader { - // The HTTP header name. - string name = 1; - - // The value prefix. The value format is "prefix" - // For example, for "Authorization: Bearer ", - // value_prefix="Bearer " with a space at the end. - string value_prefix = 2; - } - // Specify the HTTP headers to extract JWT token. // // For examples, following config:: @@ -121,16 +107,49 @@ message JSONWebToken { // // /path?jwt_token= // - repeated string jwt_params = 8; + repeated string jwt_params = 7; // This field is specific for Envoy proxy implementation. // It is the cluster name in the Envoy "cluster_manager" config section. // In order for Envoy to call "jwks_uri", its host has to be specified // as a "cluster" in the config for each jwks_uri. - string jwks_uri_cluster = 7; + string jwks_uri_cluster = 8; +} + +// This message specifies a header location to extract JWT token. +// A HTTP header format is:: +// +// name: value_prefix +// +message JwtHeader { + // The HTTP header name. + string name = 1; + + // The value prefix. The value format is "prefix" + // For example, for "Authorization: Bearer ", + // value_prefix="Bearer " with a space at the end. + string value_prefix = 2; +} + +// This message defines a pattern to match a HTTP request. +// A pattern is matched only if all "headers" are matched. +message HttpMatcher { + // Specifies a set of headers should match on. + // For example:: + // + // headers: + // - name: :method + // value: OPTIONS + // headers: + // - name: :path + // regex_match: /.* + // + repeated envoy.api.v2.route.HeaderMatcher headers = 1; } // This is the Envoy filter config for JSON Web Token authentication. +// If a JWT is sucessfully verified, header "sec-istio-auth-userinfo" will +// be added with base64 encoded JSON payload to be send to the backend. // [#not-implemented-hide:] message JSONWebTokenAuthentication { // List of JWT rules to valide. @@ -138,24 +157,17 @@ message JSONWebTokenAuthentication { // If the request includes a JWT, it must match one of the JWT listed // here with the same issuer. // - repeated JSONWebToken jwts = 2; - - // This message defines a pattern to match a HTTP request. - // A pattern is matched only if all "headers" are matched. - message HttpMatcher { - // Specifies a set of headers should match on. - // For example:: - // - // headers: - // - name: :method - // value: OPTIONS - // headers: - // - name: :path - // regex_match: /.* - // - repeated envoy.api.v2.route.HeaderMatcher headers = 6; - } + repeated JSONWebToken jwts = 1; + + // If true, the request is allowed if JWT is missing. + // Default is not allowed. + google.protobuf.BoolValue allow_missing_jwt = 2; + + // If true, the request is allowed if JWT verification fails + // Default is not allowed. + google.protobuf.BoolValue allow_failed_jwt_verification = 3; + // This applies when JWT is missing and allow_missing_jwt is false. // If a request doesn't have JWT, it will be rejected. // But some requests can be forwarded without JWT, such as OPTIONS for CORS // and some health checking paths. @@ -180,5 +192,5 @@ message JSONWebTokenAuthentication { // - name: :path // exact_match: /healthz // - repeated HttpMatcher bypass_jwt = 3; + repeated HttpMatcher bypass_jwt = 4; } From 4bbf2045b52d8e941041de204aeaaad28bd3bd72 Mon Sep 17 00:00:00 2001 From: Wayne Zhang Date: Fri, 9 Mar 2018 20:48:45 +0000 Subject: [PATCH 10/28] move allow_failed_jwt to JWT message Signed-off-by: Wayne Zhang --- .../filter/http/jwt_authn/v2/config.proto | 31 ++++++++++--------- 1 file changed, 16 insertions(+), 15 deletions(-) diff --git a/envoy/config/filter/http/jwt_authn/v2/config.proto b/envoy/config/filter/http/jwt_authn/v2/config.proto index 06359c286..293b86770 100644 --- a/envoy/config/filter/http/jwt_authn/v2/config.proto +++ b/envoy/config/filter/http/jwt_authn/v2/config.proto @@ -52,14 +52,25 @@ message JSONWebToken { // Example: https://www.googleapis.com/oauth2/v1/certs string jwks_uri = 3; - // If false, remove the JWT and do not forward to the backend. - google.protobuf.BoolValue forward_jwt = 4; + // This field is specific for Envoy proxy implementation. + // It is the cluster name in the Envoy "cluster_manager" config section. + // In order for Envoy to call "jwks_uri", its host has to be specified + // as a "cluster" in the config for each jwks_uri. + string jwks_uri_cluster = 4; // Duration after which the cached public key should be expired. The // system wide default is applied if no duration is explicitly // specified. google.protobuf.Duration public_key_cache_duration = 5; + // If false, the JWT is removed in the request after a success verification. + // Set it true, if don't want it to be removed. + google.protobuf.BoolValue forward_jwt = 6; + + // If true, the request is allowed if the JWT verification fails + // Default is not allowed. + google.protobuf.BoolValue allow_failed_jwt = 7; + // Two fields below define where to extract the JWT from an HTTP request. // // If no explicit location is specified, the following default locations are @@ -93,7 +104,7 @@ message JSONWebToken { // // x-goog-iap-jwt-assertion: . // - repeated JwtHeader jwt_headers = 6; + repeated JwtHeader jwt_headers = 8; // JWT is sent in a query parameter. `jwt_params` represents the // query parameter names. @@ -107,13 +118,7 @@ message JSONWebToken { // // /path?jwt_token= // - repeated string jwt_params = 7; - - // This field is specific for Envoy proxy implementation. - // It is the cluster name in the Envoy "cluster_manager" config section. - // In order for Envoy to call "jwks_uri", its host has to be specified - // as a "cluster" in the config for each jwks_uri. - string jwks_uri_cluster = 8; + repeated string jwt_params = 9; } // This message specifies a header location to extract JWT token. @@ -163,10 +168,6 @@ message JSONWebTokenAuthentication { // Default is not allowed. google.protobuf.BoolValue allow_missing_jwt = 2; - // If true, the request is allowed if JWT verification fails - // Default is not allowed. - google.protobuf.BoolValue allow_failed_jwt_verification = 3; - // This applies when JWT is missing and allow_missing_jwt is false. // If a request doesn't have JWT, it will be rejected. // But some requests can be forwarded without JWT, such as OPTIONS for CORS @@ -192,5 +193,5 @@ message JSONWebTokenAuthentication { // - name: :path // exact_match: /healthz // - repeated HttpMatcher bypass_jwt = 4; + repeated HttpMatcher bypass_jwt = 3; } From 335ec9134c292a1c20fc2d0a9d35d59002eac8bc Mon Sep 17 00:00:00 2001 From: Wayne Zhang Date: Sat, 10 Mar 2018 00:25:18 +0000 Subject: [PATCH 11/28] Add some default behavious Signed-off-by: Wayne Zhang --- .../filter/http/jwt_authn/v2/config.proto | 75 ++++++++++++------- 1 file changed, 47 insertions(+), 28 deletions(-) diff --git a/envoy/config/filter/http/jwt_authn/v2/config.proto b/envoy/config/filter/http/jwt_authn/v2/config.proto index 293b86770..607743ee9 100644 --- a/envoy/config/filter/http/jwt_authn/v2/config.proto +++ b/envoy/config/filter/http/jwt_authn/v2/config.proto @@ -13,7 +13,9 @@ import "validate/validate.proto"; // See `OAuth2.0 `_ and // `OIDC1.0 `_ for the authentication flow. // -// Example,:: +// Example: +// +// .. code-block:: yaml // // issuer: https://example.com // audiences: @@ -22,7 +24,7 @@ import "validate/validate.proto"; // jwks_uri: https://example.com/.well-known/jwks.json // // [#not-implemented-hide:] -message JSONWebToken { +message JsonWebToken { // Identifies the principal that issued the JWT. See // `here `_. // Usually a URL or an email address. @@ -36,7 +38,9 @@ message JSONWebToken { // `_. that are allowed to // access. A JWT containing any of these audiences will be accepted. // - // Example:: + // Example: + // + // .. code-block:: yaml // // audiences: // - bookstore_android.apps.googleusercontent.com @@ -44,12 +48,17 @@ message JSONWebToken { // repeated string audiences = 2; - // URL of the provider's public key set to validate signature of the - // JWT. See `OpenID + // URL of the provider's public key server. The public key is used to validate + // signature of the JWT. See `OpenID // Discovery // `_ // - // Example: https://www.googleapis.com/oauth2/v1/certs + // Example: + // + // .. code-block:: yaml + // + // jwks_uri: https://www.googleapis.com/oauth2/v1/certs + // string jwks_uri = 3; // This field is specific for Envoy proxy implementation. @@ -58,17 +67,17 @@ message JSONWebToken { // as a "cluster" in the config for each jwks_uri. string jwks_uri_cluster = 4; - // Duration after which the cached public key should be expired. The - // system wide default is applied if no duration is explicitly - // specified. + // Duration after which the cached public key should be expired. If not + // specified, default cache duration is 5 minutes. google.protobuf.Duration public_key_cache_duration = 5; // If false, the JWT is removed in the request after a success verification. // Set it true, if don't want it to be removed. + // Default value is false which is to remove JWT. google.protobuf.BoolValue forward_jwt = 6; - // If true, the request is allowed if the JWT verification fails - // Default is not allowed. + // If true, the request is allowed if the JWT verification fails. + // Default value is false; JWT verification failed request will be rejected. google.protobuf.BoolValue allow_failed_jwt = 7; // Two fields below define where to extract the JWT from an HTTP request. @@ -97,8 +106,10 @@ message JSONWebToken { // // For examples, following config:: // + // .. code-block:: yaml + // // jwt_headers: - // -name: x-goog-iap-jwt-assertion + // - name: x-goog-iap-jwt-assertion // // can be used to extract token from header:: // @@ -111,8 +122,10 @@ message JSONWebToken { // // For example, if config is:: // + // .. code-block:: yaml + // // jwt_params: - // jwt_token + // - jwt_token // // The query parameter is:: // @@ -142,6 +155,8 @@ message HttpMatcher { // Specifies a set of headers should match on. // For example:: // + // .. code-block:: yaml + // // headers: // - name: :method // value: OPTIONS @@ -162,7 +177,7 @@ message JSONWebTokenAuthentication { // If the request includes a JWT, it must match one of the JWT listed // here with the same issuer. // - repeated JSONWebToken jwts = 1; + repeated JsonWebToken jwts = 1; // If true, the request is allowed if JWT is missing. // Default is not allowed. @@ -175,23 +190,27 @@ message JSONWebTokenAuthentication { // // Examples: bypass all CORS options requests:: // + // .. code-block:: yaml + // // bypass_jwt: - // headers: - // - name: :method - // value: OPTIONS - // headers: - // - name: :path - // regex_match: /.* + // - headers: + // - name: :method + // value: OPTIONS + // - headers: + // - name: :path + // regex_match: /.* // // Examples: bypass /healthz check:: // + // .. code-block:: yaml + // // bypass_jwt: - // headers: - // - name: :method - // value: GET - // headers: - // - name: :path - // exact_match: /healthz - // - repeated HttpMatcher bypass_jwt = 3; + // - headers: + // - name: :method + // value: GET + // - headers: + // - name: :path + // exact_match: /healthz + // + repeated envoy.api.v2.route.RouteMatch bypass_jwt = 3; } From 2f1aa176b55f3c3fb0e299442d3176986b8647d3 Mon Sep 17 00:00:00 2001 From: Wayne Zhang Date: Sat, 10 Mar 2018 00:59:58 +0000 Subject: [PATCH 12/28] Update comment for jwks Signed-off-by: Wayne Zhang --- envoy/config/filter/http/jwt_authn/v2/config.proto | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/envoy/config/filter/http/jwt_authn/v2/config.proto b/envoy/config/filter/http/jwt_authn/v2/config.proto index 607743ee9..2901c1729 100644 --- a/envoy/config/filter/http/jwt_authn/v2/config.proto +++ b/envoy/config/filter/http/jwt_authn/v2/config.proto @@ -48,9 +48,9 @@ message JsonWebToken { // repeated string audiences = 2; - // URL of the provider's public key server. The public key is used to validate - // signature of the JWT. See `OpenID - // Discovery + // `Json web key set `_ URI. + // Json web key set is fetched from the URI to validate signature of the JWT. + // See `OpenID Discovery // `_ // // Example: From 648cd3ec78e252cdea26a66f63cb3d8b1c4d020e Mon Sep 17 00:00:00 2001 From: Wayne Zhang Date: Tue, 13 Mar 2018 00:26:49 +0000 Subject: [PATCH 13/28] Add README.md Signed-off-by: Wayne Zhang --- .../config/filter/http/jwt_authn/v2/README.md | 83 +++++++++++++++++++ .../filter/http/jwt_authn/v2/config.proto | 58 +++++++++---- 2 files changed, 123 insertions(+), 18 deletions(-) create mode 100644 envoy/config/filter/http/jwt_authn/v2/README.md diff --git a/envoy/config/filter/http/jwt_authn/v2/README.md b/envoy/config/filter/http/jwt_authn/v2/README.md new file mode 100644 index 000000000..b6d1e610e --- /dev/null +++ b/envoy/config/filter/http/jwt_authn/v2/README.md @@ -0,0 +1,83 @@ +# JWT Authentication envoy HTTP filter config + +## Overview + +1. The proto file in this folder defines a HTTP filter config for "jwt_authn" filter. This filter will be implemented in Envoy. + +2. This filter will verify the JWT in the HTTP request as: + - The signature should be valid + - JWT should not be expired + - Issuer (and audience) should be valid and are specified in the config. + +3. In order to verify JWT, [JWKS](https://tools.ietf.org/html/rfc7517#appendix-A) can be fetched from a remote server by the filter. JWKS will be cached by Envoy. + +3. If JWT is valid, the user is authenticated and the request will be passed to the backend server. Verified JWT payload will be added as a new HTTP header to be passed to the backend server, and original JWT will be removed. If JWT is not valid, the request will be rejected with an error message. + +## The locations to extract JWT + +JWT will be extracted from the HTTP headers or query parameters. If not extract location specified, the default location is the HTTP header: +``` +Authorization: Bearer +``` +The next location is in the query parameter as: +``` +?access_token= +``` + +2. The custom location is desired, "jwt_headers" and "jwt_params" can be used to specify custom location to extract JWT. Please see config proto for detail. + +## HTTP header to pass sucessfully verified JWT + +If a JWT has been suceessfully verified, its payload will be passed to the backend in the new HTTP header "sec-istio-auth-userinfo". Its value is base64 encoded JSON. + +## Fetch remote JWKS. + +JWKS are needed to verify JWT. They can be fetched from remote servers by HTTP/HTTPS. Before Envoy can support dynamic cluster, users need to create a dedicated cluster in the "cluster_manager" Envoy config section for each remote JWKS server and specify jwks_uri in the format as: +``` +jwks_uri: JWKS_URI?cluster=cluster_name +``` + +## Example config. + +Here is the cluster config example: +``` +"clusters": [ + { + "name": "jwks_cluster", + "connect_timeout_ms": 5000, + "type": "strict_dns", + "circuit_breakers": { + "default": { + "max_pending_requests": 10000, + "max_requests": 10000 + } + }, + "lb_type": "round_robin", + "hosts": [ + { + "url": "tcp://account.example.com:8080" + } + ] + }, + ... +] +``` + +Here is the Envoy HTTP filter config example: +``` + "filters": [ + { + "type": "decoder", + "name": "jwt_authn", + "config": { + "jwt_rules": [ + { + "issuer": "628645741881-noabiu23f5a8m8ovd8ucv698lj78vv0l@developer.gserviceaccount.com", + "jwks_uri": "http://localhost:8081/?cluster=jwks_cluster", + } + ] + } + }, + ... + ] +``` diff --git a/envoy/config/filter/http/jwt_authn/v2/config.proto b/envoy/config/filter/http/jwt_authn/v2/config.proto index 2901c1729..99521436f 100644 --- a/envoy/config/filter/http/jwt_authn/v2/config.proto +++ b/envoy/config/filter/http/jwt_authn/v2/config.proto @@ -1,7 +1,7 @@ syntax = "proto3"; -package envoy.config.filter.http.jwt_authn.v2; +package envoy.config.filter.http.jwtauthn.v2; import "envoy/api/v2/route/route.proto"; import "google/protobuf/duration.proto"; @@ -24,7 +24,7 @@ import "validate/validate.proto"; // jwks_uri: https://example.com/.well-known/jwks.json // // [#not-implemented-hide:] -message JsonWebToken { +message JWT { // Identifies the principal that issued the JWT. See // `here `_. // Usually a URL or an email address. @@ -53,32 +53,54 @@ message JsonWebToken { // See `OpenID Discovery // `_ // - // Example: + // Before Envoy supports dynamic cluster, a dedicated cluster must + // be created in the "cluster_manager" envoy config section for the host part + // of the URI, its name must be appended to jwks_uri as "?cluster=name". + // + // Example: jwks envoy cluster: + // + // .. code-block:: json + // + // { + // "name": "jwt.www.googleapis.com|443", + // "connect_timeout_ms": 1000, + // "type": "strict_dns", + // "lb_type": "round_robin", + // "hosts": [ + // { + // "url": "tcp://www.googleapis.com:443" + // } + // ], + // "ssl_context": {}, + // "circuit_breakers": { + // "default": { + // "max_pending_requests": 10000, + // "max_requests": 10000 + // } + // } + // } + // + // Example: jwks_uri: // // .. code-block:: yaml // - // jwks_uri: https://www.googleapis.com/oauth2/v1/certs + // jwks_uri: + // https://www.googleapis.com/oauth2/v1/certs?cluster=jwt.www.googleapis.com|443 // string jwks_uri = 3; - // This field is specific for Envoy proxy implementation. - // It is the cluster name in the Envoy "cluster_manager" config section. - // In order for Envoy to call "jwks_uri", its host has to be specified - // as a "cluster" in the config for each jwks_uri. - string jwks_uri_cluster = 4; - // Duration after which the cached public key should be expired. If not // specified, default cache duration is 5 minutes. - google.protobuf.Duration public_key_cache_duration = 5; + google.protobuf.Duration public_key_cache_duration = 4; // If false, the JWT is removed in the request after a success verification. // Set it true, if don't want it to be removed. // Default value is false which is to remove JWT. - google.protobuf.BoolValue forward_jwt = 6; + bool forward_jwt = 5; // If true, the request is allowed if the JWT verification fails. // Default value is false; JWT verification failed request will be rejected. - google.protobuf.BoolValue allow_failed_jwt = 7; + bool allow_failed_jwt = 6; // Two fields below define where to extract the JWT from an HTTP request. // @@ -115,7 +137,7 @@ message JsonWebToken { // // x-goog-iap-jwt-assertion: . // - repeated JwtHeader jwt_headers = 8; + repeated JwtHeader jwt_headers = 7; // JWT is sent in a query parameter. `jwt_params` represents the // query parameter names. @@ -131,7 +153,7 @@ message JsonWebToken { // // /path?jwt_token= // - repeated string jwt_params = 9; + repeated string jwt_params = 8; } // This message specifies a header location to extract JWT token. @@ -171,17 +193,17 @@ message HttpMatcher { // If a JWT is sucessfully verified, header "sec-istio-auth-userinfo" will // be added with base64 encoded JSON payload to be send to the backend. // [#not-implemented-hide:] -message JSONWebTokenAuthentication { +message JWTAuthentication { // List of JWT rules to valide. // // If the request includes a JWT, it must match one of the JWT listed // here with the same issuer. // - repeated JsonWebToken jwts = 1; + repeated JWT jwt_rules = 1; // If true, the request is allowed if JWT is missing. // Default is not allowed. - google.protobuf.BoolValue allow_missing_jwt = 2; + bool allow_missing_jwt = 2; // This applies when JWT is missing and allow_missing_jwt is false. // If a request doesn't have JWT, it will be rejected. From 42fc1f75ce8c197a98d9abd901228846e6092e93 Mon Sep 17 00:00:00 2001 From: Wayne Zhang Date: Tue, 13 Mar 2018 01:07:39 +0000 Subject: [PATCH 14/28] Fix README format Signed-off-by: Wayne Zhang --- envoy/config/filter/http/jwt_authn/v2/README.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/envoy/config/filter/http/jwt_authn/v2/README.md b/envoy/config/filter/http/jwt_authn/v2/README.md index b6d1e610e..6c9ad4aed 100644 --- a/envoy/config/filter/http/jwt_authn/v2/README.md +++ b/envoy/config/filter/http/jwt_authn/v2/README.md @@ -10,9 +10,9 @@ - Issuer (and audience) should be valid and are specified in the config. 3. In order to verify JWT, [JWKS](https://tools.ietf.org/html/rfc7517#appendix-A) can be fetched from a remote server by the filter. JWKS will be cached by Envoy. - + 3. If JWT is valid, the user is authenticated and the request will be passed to the backend server. Verified JWT payload will be added as a new HTTP header to be passed to the backend server, and original JWT will be removed. If JWT is not valid, the request will be rejected with an error message. - + ## The locations to extract JWT JWT will be extracted from the HTTP headers or query parameters. If not extract location specified, the default location is the HTTP header: @@ -32,7 +32,7 @@ If a JWT has been suceessfully verified, its payload will be passed to the backe ## Fetch remote JWKS. -JWKS are needed to verify JWT. They can be fetched from remote servers by HTTP/HTTPS. Before Envoy can support dynamic cluster, users need to create a dedicated cluster in the "cluster_manager" Envoy config section for each remote JWKS server and specify jwks_uri in the format as: +JWKS are needed to verify JWT. They can be fetched from remote servers by HTTP/HTTPS. Before Envoy can support dynamic cluster, users need to create a dedicated cluster in the "cluster_manager" Envoy config section for each remote JWKS server and specify jwks_uri in the format as: ``` jwks_uri: JWKS_URI?cluster=cluster_name ``` From d5b1617576200aa2f7bac94b3cc1639956ae1254 Mon Sep 17 00:00:00 2001 From: Wayne Zhang Date: Tue, 13 Mar 2018 17:15:16 +0000 Subject: [PATCH 15/28] Added back jwks_uri_cluster Signed-off-by: Wayne Zhang --- .../config/filter/http/jwt_authn/v2/README.md | 7 +-- .../filter/http/jwt_authn/v2/config.proto | 48 ++++++++++++++----- 2 files changed, 39 insertions(+), 16 deletions(-) diff --git a/envoy/config/filter/http/jwt_authn/v2/README.md b/envoy/config/filter/http/jwt_authn/v2/README.md index 6c9ad4aed..eeef6f598 100644 --- a/envoy/config/filter/http/jwt_authn/v2/README.md +++ b/envoy/config/filter/http/jwt_authn/v2/README.md @@ -32,9 +32,9 @@ If a JWT has been suceessfully verified, its payload will be passed to the backe ## Fetch remote JWKS. -JWKS are needed to verify JWT. They can be fetched from remote servers by HTTP/HTTPS. Before Envoy can support dynamic cluster, users need to create a dedicated cluster in the "cluster_manager" Envoy config section for each remote JWKS server and specify jwks_uri in the format as: +JWKS are needed to verify JWT. They can be fetched from remote servers by HTTP/HTTPS. Before Envoy can support dynamic cluster, users need to create a dedicated cluster in the "cluster_manager" Envoy config section for each remote JWKS server and specify the cluster name in the jwks_uri_cluster field. ``` -jwks_uri: JWKS_URI?cluster=cluster_name +jwks_uri_cluster: cluster_name ``` ## Example config. @@ -73,7 +73,8 @@ Here is the Envoy HTTP filter config example: "jwt_rules": [ { "issuer": "628645741881-noabiu23f5a8m8ovd8ucv698lj78vv0l@developer.gserviceaccount.com", - "jwks_uri": "http://localhost:8081/?cluster=jwks_cluster", + "jwks_uri": "http://localhost:8081/", + "jwks_uri_cluster": "jwks_cluster", } ] } diff --git a/envoy/config/filter/http/jwt_authn/v2/config.proto b/envoy/config/filter/http/jwt_authn/v2/config.proto index 99521436f..80a99ba88 100644 --- a/envoy/config/filter/http/jwt_authn/v2/config.proto +++ b/envoy/config/filter/http/jwt_authn/v2/config.proto @@ -53,11 +53,20 @@ message JWT { // See `OpenID Discovery // `_ // - // Before Envoy supports dynamic cluster, a dedicated cluster must - // be created in the "cluster_manager" envoy config section for the host part - // of the URI, its name must be appended to jwks_uri as "?cluster=name". + // Example: jwks_uri: + // + // .. code-block:: yaml + // + // jwks_uri: https://www.googleapis.com/oauth2/v1/certs + // + string jwks_uri = 3; + + // This field is specific for Envoy proxy implementation. + // It is the cluster name in the Envoy "cluster_manager" config section. + // In order for Envoy to call "jwks_uri", its host has to be specified + // as a "cluster" in the config for each jwks_uri. // - // Example: jwks envoy cluster: + // Example: jwks cluster in "cluster_manager" section of Envoy config. // // .. code-block:: json // @@ -80,27 +89,27 @@ message JWT { // } // } // - // Example: jwks_uri: + // Example: jwks_uri_cluster: // // .. code-block:: yaml // - // jwks_uri: - // https://www.googleapis.com/oauth2/v1/certs?cluster=jwt.www.googleapis.com|443 + // jwks_uri: https://www.googleapis.com/oauth2/v1/certs + // jwks_uri_cluster: jwt.www.googleapis.com|443 // - string jwks_uri = 3; + string jwks_uri_cluster = 4; // Duration after which the cached public key should be expired. If not // specified, default cache duration is 5 minutes. - google.protobuf.Duration public_key_cache_duration = 4; + google.protobuf.Duration public_key_cache_duration = 5; // If false, the JWT is removed in the request after a success verification. // Set it true, if don't want it to be removed. // Default value is false which is to remove JWT. - bool forward_jwt = 5; + bool forward_jwt = 6; // If true, the request is allowed if the JWT verification fails. // Default value is false; JWT verification failed request will be rejected. - bool allow_failed_jwt = 6; + bool allow_failed_jwt = 7; // Two fields below define where to extract the JWT from an HTTP request. // @@ -137,7 +146,7 @@ message JWT { // // x-goog-iap-jwt-assertion: . // - repeated JwtHeader jwt_headers = 7; + repeated JwtHeader jwt_headers = 8; // JWT is sent in a query parameter. `jwt_params` represents the // query parameter names. @@ -153,7 +162,20 @@ message JWT { // // /path?jwt_token= // - repeated string jwt_params = 8; + repeated string jwt_params = 9; + + // Following two fields specify if the payload of a successfully verified + // JWT should be forwarded to the backend, and how to forward it. + // The forwarded data is: base64_encoded(jwt_payload_in_JSON) + + // If false, JWT payload will be forwarded. This is the default value. + // If true, it is not forwarded. + bool not_jwt_payload = 10; + + // This field specifies the header name to forward JWT payload. + // If it is not specified, the name "sec-istio-auth-userinfo" will be used. + // If multiple JWTs needed to be forwarded, please use different header names. + string jwt_payload_header = 11; } // This message specifies a header location to extract JWT token. From 888073f50cc0515689981db9e4b226138e7bcfd5 Mon Sep 17 00:00:00 2001 From: Wayne Zhang Date: Thu, 15 Mar 2018 17:17:01 +0000 Subject: [PATCH 16/28] Updated to use HttpUri Signed-off-by: Wayne Zhang --- envoy/config/filter/http/jwt_authn/v2/BUILD | 5 +- .../config/filter/http/jwt_authn/v2/README.md | 11 ++- .../filter/http/jwt_authn/v2/config.proto | 89 ++++--------------- 3 files changed, 29 insertions(+), 76 deletions(-) diff --git a/envoy/config/filter/http/jwt_authn/v2/BUILD b/envoy/config/filter/http/jwt_authn/v2/BUILD index 5b21d9584..5a092d944 100644 --- a/envoy/config/filter/http/jwt_authn/v2/BUILD +++ b/envoy/config/filter/http/jwt_authn/v2/BUILD @@ -5,5 +5,8 @@ load("//bazel:api_build_system.bzl", "api_proto_library") api_proto_library( name = "jwt_authn", srcs = ["config.proto"], - deps = ["//envoy/api/v2/route"], + deps = [ + "//envoy/api/v2/core:http_uri", + "//envoy/api/v2/route", + ], ) diff --git a/envoy/config/filter/http/jwt_authn/v2/README.md b/envoy/config/filter/http/jwt_authn/v2/README.md index eeef6f598..5378f04b7 100644 --- a/envoy/config/filter/http/jwt_authn/v2/README.md +++ b/envoy/config/filter/http/jwt_authn/v2/README.md @@ -32,9 +32,10 @@ If a JWT has been suceessfully verified, its payload will be passed to the backe ## Fetch remote JWKS. -JWKS are needed to verify JWT. They can be fetched from remote servers by HTTP/HTTPS. Before Envoy can support dynamic cluster, users need to create a dedicated cluster in the "cluster_manager" Envoy config section for each remote JWKS server and specify the cluster name in the jwks_uri_cluster field. +JWKS are needed to verify JWT. They can be fetched from remote servers by HTTP/HTTPS. Before Envoy can support dynamic cluster, users need to create a dedicated cluster in the "cluster_manager" Envoy config section for each remote JWKS server and specify the cluster name in the jwks_uri.cluster field. ``` -jwks_uri_cluster: cluster_name +jwks_uri: + cluster: cluster_name ``` ## Example config. @@ -73,8 +74,10 @@ Here is the Envoy HTTP filter config example: "jwt_rules": [ { "issuer": "628645741881-noabiu23f5a8m8ovd8ucv698lj78vv0l@developer.gserviceaccount.com", - "jwks_uri": "http://localhost:8081/", - "jwks_uri_cluster": "jwks_cluster", + "jwks_uri": { + "uri": "http://localhost:8081/", + "cluster": "jwks_cluster", + } } ] } diff --git a/envoy/config/filter/http/jwt_authn/v2/config.proto b/envoy/config/filter/http/jwt_authn/v2/config.proto index 80a99ba88..20e910b8b 100644 --- a/envoy/config/filter/http/jwt_authn/v2/config.proto +++ b/envoy/config/filter/http/jwt_authn/v2/config.proto @@ -3,9 +3,9 @@ syntax = "proto3"; package envoy.config.filter.http.jwtauthn.v2; +import "envoy/api/v2/core/http_uri.proto"; import "envoy/api/v2/route/route.proto"; import "google/protobuf/duration.proto"; -import "google/protobuf/wrappers.proto"; import "validate/validate.proto"; // JSON Web Token (JWT) token format for authentication is defined @@ -57,59 +57,24 @@ message JWT { // // .. code-block:: yaml // - // jwks_uri: https://www.googleapis.com/oauth2/v1/certs + // jwks_uri: + // - uri: https://www.googleapis.com/oauth2/v1/certs + // cluster: jwt.www.googleapis.com|443 // - string jwks_uri = 3; - - // This field is specific for Envoy proxy implementation. - // It is the cluster name in the Envoy "cluster_manager" config section. - // In order for Envoy to call "jwks_uri", its host has to be specified - // as a "cluster" in the config for each jwks_uri. - // - // Example: jwks cluster in "cluster_manager" section of Envoy config. - // - // .. code-block:: json - // - // { - // "name": "jwt.www.googleapis.com|443", - // "connect_timeout_ms": 1000, - // "type": "strict_dns", - // "lb_type": "round_robin", - // "hosts": [ - // { - // "url": "tcp://www.googleapis.com:443" - // } - // ], - // "ssl_context": {}, - // "circuit_breakers": { - // "default": { - // "max_pending_requests": 10000, - // "max_requests": 10000 - // } - // } - // } - // - // Example: jwks_uri_cluster: - // - // .. code-block:: yaml - // - // jwks_uri: https://www.googleapis.com/oauth2/v1/certs - // jwks_uri_cluster: jwt.www.googleapis.com|443 - // - string jwks_uri_cluster = 4; + envoy.api.v2.core.HttpUri jwks_uri = 3; // Duration after which the cached public key should be expired. If not // specified, default cache duration is 5 minutes. - google.protobuf.Duration public_key_cache_duration = 5; + google.protobuf.Duration public_key_cache_duration = 4; // If false, the JWT is removed in the request after a success verification. // Set it true, if don't want it to be removed. // Default value is false which is to remove JWT. - bool forward_jwt = 6; + bool forward_jwt = 5; // If true, the request is allowed if the JWT verification fails. // Default value is false; JWT verification failed request will be rejected. - bool allow_failed_jwt = 7; + bool allow_failed_jwt = 6; // Two fields below define where to extract the JWT from an HTTP request. // @@ -146,7 +111,7 @@ message JWT { // // x-goog-iap-jwt-assertion: . // - repeated JwtHeader jwt_headers = 8; + repeated JwtHeader jwt_headers = 7; // JWT is sent in a query parameter. `jwt_params` represents the // query parameter names. @@ -162,7 +127,7 @@ message JWT { // // /path?jwt_token= // - repeated string jwt_params = 9; + repeated string jwt_params = 8; // Following two fields specify if the payload of a successfully verified // JWT should be forwarded to the backend, and how to forward it. @@ -170,12 +135,12 @@ message JWT { // If false, JWT payload will be forwarded. This is the default value. // If true, it is not forwarded. - bool not_jwt_payload = 10; + bool not_jwt_payload = 9; // This field specifies the header name to forward JWT payload. // If it is not specified, the name "sec-istio-auth-userinfo" will be used. // If multiple JWTs needed to be forwarded, please use different header names. - string jwt_payload_header = 11; + string jwt_payload_header = 10; } // This message specifies a header location to extract JWT token. @@ -193,24 +158,6 @@ message JwtHeader { string value_prefix = 2; } -// This message defines a pattern to match a HTTP request. -// A pattern is matched only if all "headers" are matched. -message HttpMatcher { - // Specifies a set of headers should match on. - // For example:: - // - // .. code-block:: yaml - // - // headers: - // - name: :method - // value: OPTIONS - // headers: - // - name: :path - // regex_match: /.* - // - repeated envoy.api.v2.route.HeaderMatcher headers = 1; -} - // This is the Envoy filter config for JSON Web Token authentication. // If a JWT is sucessfully verified, header "sec-istio-auth-userinfo" will // be added with base64 encoded JSON payload to be send to the backend. @@ -224,15 +171,15 @@ message JWTAuthentication { repeated JWT jwt_rules = 1; // If true, the request is allowed if JWT is missing. - // Default is not allowed. + // Default is false, a request without JWT is not allowed. bool allow_missing_jwt = 2; // This applies when JWT is missing and allow_missing_jwt is false. - // If a request doesn't have JWT, it will be rejected. - // But some requests can be forwarded without JWT, such as OPTIONS for CORS - // and some health checking paths. + // Under that config, if a request doesn't have JWT, it will be rejected. + // But some requests still needed to be forwarded without JWT, such as + // OPTIONS for CORS and some health checking paths. // - // Examples: bypass all CORS options requests:: + // Examples: bypass all CORS options requests // // .. code-block:: yaml // @@ -244,7 +191,7 @@ message JWTAuthentication { // - name: :path // regex_match: /.* // - // Examples: bypass /healthz check:: + // Examples: bypass /healthz check // // .. code-block:: yaml // From ef51a27dbafd19d1515867f7e61c08e9ae1e957b Mon Sep 17 00:00:00 2001 From: Wayne Zhang Date: Fri, 16 Mar 2018 22:08:17 +0000 Subject: [PATCH 17/28] Update per comment Signed-off-by: Wayne Zhang --- envoy/config/filter/http/jwt_authn/v2/BUILD | 1 + .../config/filter/http/jwt_authn/v2/README.md | 72 +-------- .../filter/http/jwt_authn/v2/config.proto | 149 +++++++++++------- 3 files changed, 98 insertions(+), 124 deletions(-) diff --git a/envoy/config/filter/http/jwt_authn/v2/BUILD b/envoy/config/filter/http/jwt_authn/v2/BUILD index 5a092d944..cc07bd29b 100644 --- a/envoy/config/filter/http/jwt_authn/v2/BUILD +++ b/envoy/config/filter/http/jwt_authn/v2/BUILD @@ -6,6 +6,7 @@ api_proto_library( name = "jwt_authn", srcs = ["config.proto"], deps = [ + "//envoy/api/v2/core:base", "//envoy/api/v2/core:http_uri", "//envoy/api/v2/route", ], diff --git a/envoy/config/filter/http/jwt_authn/v2/README.md b/envoy/config/filter/http/jwt_authn/v2/README.md index 5378f04b7..163aa4157 100644 --- a/envoy/config/filter/http/jwt_authn/v2/README.md +++ b/envoy/config/filter/http/jwt_authn/v2/README.md @@ -2,86 +2,30 @@ ## Overview -1. The proto file in this folder defines a HTTP filter config for "jwt_authn" filter. This filter will be implemented in Envoy. +1. The proto file in this folder defines an HTTP filter config for "jwt_authn" filter. 2. This filter will verify the JWT in the HTTP request as: - The signature should be valid - JWT should not be expired - - Issuer (and audience) should be valid and are specified in the config. + - Issuer and audiences are valid and specified in the filter config. -3. In order to verify JWT, [JWKS](https://tools.ietf.org/html/rfc7517#appendix-A) can be fetched from a remote server by the filter. JWKS will be cached by Envoy. +3. [JWK](https://tools.ietf.org/html/rfc7517#appendix-A) is needed to verify JWT signature. It can be fetched from a remote server or read from a local file. If the JWKS is fetched remotely, it will be cached by the filter. -3. If JWT is valid, the user is authenticated and the request will be passed to the backend server. Verified JWT payload will be added as a new HTTP header to be passed to the backend server, and original JWT will be removed. If JWT is not valid, the request will be rejected with an error message. +3. If a JWT is valid, the user is authenticated and the request will be forwarded to the backend server. If a JWT is not valid, the request will be rejected with an error message. ## The locations to extract JWT -JWT will be extracted from the HTTP headers or query parameters. If not extract location specified, the default location is the HTTP header: +JWT will be extracted from the HTTP headers or query parameters. The default location is the HTTP header: ``` Authorization: Bearer ``` -The next location is in the query parameter as: +The next default location is in the query parameter as: ``` ?access_token= ``` -2. The custom location is desired, "jwt_headers" and "jwt_params" can be used to specify custom location to extract JWT. Please see config proto for detail. +2. If a custom location is desired, "jwt_headers" and "jwt_params" can be used to specify custom locations to extract JWT. ## HTTP header to pass sucessfully verified JWT -If a JWT has been suceessfully verified, its payload will be passed to the backend in the new HTTP header "sec-istio-auth-userinfo". Its value is base64 encoded JSON. - -## Fetch remote JWKS. - -JWKS are needed to verify JWT. They can be fetched from remote servers by HTTP/HTTPS. Before Envoy can support dynamic cluster, users need to create a dedicated cluster in the "cluster_manager" Envoy config section for each remote JWKS server and specify the cluster name in the jwks_uri.cluster field. -``` -jwks_uri: - cluster: cluster_name -``` - -## Example config. - -Here is the cluster config example: -``` -"clusters": [ - { - "name": "jwks_cluster", - "connect_timeout_ms": 5000, - "type": "strict_dns", - "circuit_breakers": { - "default": { - "max_pending_requests": 10000, - "max_requests": 10000 - } - }, - "lb_type": "round_robin", - "hosts": [ - { - "url": "tcp://account.example.com:8080" - } - ] - }, - ... -] -``` - -Here is the Envoy HTTP filter config example: -``` - "filters": [ - { - "type": "decoder", - "name": "jwt_authn", - "config": { - "jwt_rules": [ - { - "issuer": "628645741881-noabiu23f5a8m8ovd8ucv698lj78vv0l@developer.gserviceaccount.com", - "jwks_uri": { - "uri": "http://localhost:8081/", - "cluster": "jwks_cluster", - } - } - ] - } - }, - ... - ] -``` +If a JWT is valid, its payload will be passed to the backend in a new HTTP header specified in `forward_jwt_header` field. Its value is base64 encoded JWT payload in JSON. diff --git a/envoy/config/filter/http/jwt_authn/v2/config.proto b/envoy/config/filter/http/jwt_authn/v2/config.proto index 20e910b8b..add1009ae 100644 --- a/envoy/config/filter/http/jwt_authn/v2/config.proto +++ b/envoy/config/filter/http/jwt_authn/v2/config.proto @@ -1,16 +1,17 @@ syntax = "proto3"; -package envoy.config.filter.http.jwtauthn.v2; +package envoy.config.filter.http.jwt_authn.v2; +import "envoy/api/v2/core/base.proto"; import "envoy/api/v2/core/http_uri.proto"; import "envoy/api/v2/route/route.proto"; import "google/protobuf/duration.proto"; import "validate/validate.proto"; -// JSON Web Token (JWT) token format for authentication is defined -// `here `_. -// See `OAuth2.0 `_ and +// This message specifies how a JSON Web Token (JWT) can be verified. +// JWT format is defined `here `_. +// Please see `OAuth2.0 `_ and // `OIDC1.0 `_ for the authentication flow. // // Example: @@ -21,7 +22,12 @@ import "validate/validate.proto"; // audiences: // - bookstore_android.apps.googleusercontent.com // bookstore_web.apps.googleusercontent.com -// jwks_uri: https://example.com/.well-known/jwks.json +// remote_jwks: +// - http_uri: +// - uri: https://example.com/.well-known/jwks.json +// cluster: example_jwks_cluster +// cache_duration: +// - seconds: 300 // // [#not-implemented-hide:] message JWT { @@ -32,11 +38,12 @@ message JWT { // Example: https://securetoken.google.com // Example: 1234567-compute@developer.gserviceaccount.com // - string issuer = 1; + string issuer = 1 [(validate.rules).string.min_bytes = 1]; // The list of JWT `audiences // `_. that are allowed to // access. A JWT containing any of these audiences will be accepted. + // If not specified, will not check audiences in the token. // // Example: // @@ -48,32 +55,55 @@ message JWT { // repeated string audiences = 2; - // `Json web key set `_ URI. - // Json web key set is fetched from the URI to validate signature of the JWT. - // See `OpenID Discovery - // `_ - // - // Example: jwks_uri: - // - // .. code-block:: yaml - // - // jwks_uri: - // - uri: https://www.googleapis.com/oauth2/v1/certs - // cluster: jwt.www.googleapis.com|443 - // - envoy.api.v2.core.HttpUri jwks_uri = 3; - - // Duration after which the cached public key should be expired. If not - // specified, default cache duration is 5 minutes. - google.protobuf.Duration public_key_cache_duration = 4; + // `Json web key set `_ is + // needed. to validate signature of the JWT. This field specifies where to + // fetch JWKS. + oneof jwks_source_specifier { + option (validate.required) = true; + + // JWKS can be fetched from remote server via HTTP/HTTPS. + // This field specifies the remote HTTP URI. + // + // Example: + // + // .. code-block:: yaml + // + // remote_jwks: + // - http_uri: + // - uri: https://www.googleapis.com/oauth2/v1/certs + // cluster: jwt.www.googleapis.com|443 + // cache_duration: + // - seconds: 300 + // + RemoteJwks remote_jwks = 3; + + // JWKS is in local data source. It could be either: + // in a local file or embedded in the inline_string. + // + // Example: local file + // + // .. code-block:: yaml + // + // local_jwks: + // - filename: /etc/envoy/jwks/jwks1.txt + // + // Example: inline_string + // + // .. code-block:: yaml + // + // local_jwks: + // - inline_string: "ACADADADADA" + // + envoy.api.v2.core.DataSource local_jwks = 4; + } // If false, the JWT is removed in the request after a success verification. - // Set it true, if don't want it to be removed. - // Default value is false which is to remove JWT. + // If true, the JWT is not removed in the request. Default value is false. bool forward_jwt = 5; - // If true, the request is allowed if the JWT verification fails. - // Default value is false; JWT verification failed request will be rejected. + // If true, the request is allowed if this JWT verification fails. + // If false, a failed verification request will be rejected. + // Default value is false. bool allow_failed_jwt = 6; // Two fields below define where to extract the JWT from an HTTP request. @@ -88,14 +118,7 @@ message JWT { // Authorization: Bearer . // // 2. `access_token` query parameter. - // See `here `_ - // - // - // Only the first JWT token is verified per request if multiple tokens are - // specified. - // - // If both jwt_headers and jwt_params are specified, jwt_headers will be - // checked first. + // See `this `_ // // Specify the HTTP headers to extract JWT token. @@ -123,51 +146,57 @@ message JWT { // jwt_params: // - jwt_token // - // The query parameter is:: + // The JWT format in query parameter is:: // // /path?jwt_token= // repeated string jwt_params = 8; - // Following two fields specify if the payload of a successfully verified - // JWT should be forwarded to the backend, and how to forward it. - // The forwarded data is: base64_encoded(jwt_payload_in_JSON) + // This field specifies the header name to forward a successfully verified + // JWT payload to the backend. The forwarded data is:: + // + // base64_encoded(jwt_payload_in_JSON) + // + // If it is not specified, the payload will not be forwarded. + // If multiple JWT payloads needed to be forwarded, distinct header names + // are required. + string jwt_payload_header = 9; +} - // If false, JWT payload will be forwarded. This is the default value. - // If true, it is not forwarded. - bool not_jwt_payload = 9; +// This message specifies how to fetch JWKS from remote and how to cache it. +message RemoteJwks { + // The HTTP URI to fetch the JWKS. + // + // Example: + // + // .. code-block:: yaml + // + // http_uri: + // - uri: https://www.googleapis.com/oauth2/v1/certs + // cluster: jwt.www.googleapis.com|443 + // + envoy.api.v2.core.HttpUri http_uri = 1; - // This field specifies the header name to forward JWT payload. - // If it is not specified, the name "sec-istio-auth-userinfo" will be used. - // If multiple JWTs needed to be forwarded, please use different header names. - string jwt_payload_header = 10; + // Duration after which the cached JWKS should be expired. If not + // specified, default cache duration is 5 minutes. + google.protobuf.Duration cache_duration = 2; } // This message specifies a header location to extract JWT token. -// A HTTP header format is:: -// -// name: value_prefix -// message JwtHeader { // The HTTP header name. string name = 1; - // The value prefix. The value format is "prefix" + // The value prefix. The value format is "value_prefix" // For example, for "Authorization: Bearer ", // value_prefix="Bearer " with a space at the end. string value_prefix = 2; } -// This is the Envoy filter config for JSON Web Token authentication. -// If a JWT is sucessfully verified, header "sec-istio-auth-userinfo" will -// be added with base64 encoded JSON payload to be send to the backend. +// This is the Envoy HTTP filter config for JWT authentication. // [#not-implemented-hide:] -message JWTAuthentication { +message JwtAuthentication { // List of JWT rules to valide. - // - // If the request includes a JWT, it must match one of the JWT listed - // here with the same issuer. - // repeated JWT jwt_rules = 1; // If true, the request is allowed if JWT is missing. From fea7712409763008cfda2ae82975eff610aa9cca Mon Sep 17 00:00:00 2001 From: Wayne Zhang Date: Fri, 16 Mar 2018 22:17:55 +0000 Subject: [PATCH 18/28] Change JWT to JwtRule Signed-off-by: Wayne Zhang --- envoy/config/filter/http/jwt_authn/v2/config.proto | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/envoy/config/filter/http/jwt_authn/v2/config.proto b/envoy/config/filter/http/jwt_authn/v2/config.proto index add1009ae..9a152529c 100644 --- a/envoy/config/filter/http/jwt_authn/v2/config.proto +++ b/envoy/config/filter/http/jwt_authn/v2/config.proto @@ -30,7 +30,7 @@ import "validate/validate.proto"; // - seconds: 300 // // [#not-implemented-hide:] -message JWT { +message JwtRule { // Identifies the principal that issued the JWT. See // `here `_. // Usually a URL or an email address. @@ -55,7 +55,7 @@ message JWT { // repeated string audiences = 2; - // `Json web key set `_ is + // `JSON Web Key Set `_ is // needed. to validate signature of the JWT. This field specifies where to // fetch JWKS. oneof jwks_source_specifier { @@ -197,7 +197,7 @@ message JwtHeader { // [#not-implemented-hide:] message JwtAuthentication { // List of JWT rules to valide. - repeated JWT jwt_rules = 1; + repeated JwtRule jwt_rules = 1; // If true, the request is allowed if JWT is missing. // Default is false, a request without JWT is not allowed. From dba79ad331e512a57c0cbf2d53c0bb0baa045758 Mon Sep 17 00:00:00 2001 From: Wayne Zhang Date: Fri, 16 Mar 2018 22:24:46 +0000 Subject: [PATCH 19/28] Add validate rule for JwtHeader Signed-off-by: Wayne Zhang --- envoy/config/filter/http/jwt_authn/v2/config.proto | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/envoy/config/filter/http/jwt_authn/v2/config.proto b/envoy/config/filter/http/jwt_authn/v2/config.proto index 9a152529c..19fdf9b4d 100644 --- a/envoy/config/filter/http/jwt_authn/v2/config.proto +++ b/envoy/config/filter/http/jwt_authn/v2/config.proto @@ -185,7 +185,7 @@ message RemoteJwks { // This message specifies a header location to extract JWT token. message JwtHeader { // The HTTP header name. - string name = 1; + string name = 1 [(validate.rules).string.min_bytes = 1]; // The value prefix. The value format is "value_prefix" // For example, for "Authorization: Bearer ", From 955ddbf065a0e3867b6b827e63f1f1bc545ad3ba Mon Sep 17 00:00:00 2001 From: Wayne Zhang Date: Fri, 16 Mar 2018 22:28:05 +0000 Subject: [PATCH 20/28] Update README Signed-off-by: Wayne Zhang --- envoy/config/filter/http/jwt_authn/v2/README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/envoy/config/filter/http/jwt_authn/v2/README.md b/envoy/config/filter/http/jwt_authn/v2/README.md index 163aa4157..1aaeba1fe 100644 --- a/envoy/config/filter/http/jwt_authn/v2/README.md +++ b/envoy/config/filter/http/jwt_authn/v2/README.md @@ -24,7 +24,7 @@ The next default location is in the query parameter as: ?access_token= ``` -2. If a custom location is desired, "jwt_headers" and "jwt_params" can be used to specify custom locations to extract JWT. +If a custom location is desired, "jwt_headers" and "jwt_params" can be used to specify custom locations to extract JWT. ## HTTP header to pass sucessfully verified JWT From cec86efcc91f36a37186f84d12a7e56c8b6f1fc1 Mon Sep 17 00:00:00 2001 From: Wayne Zhang Date: Mon, 19 Mar 2018 19:03:09 +0000 Subject: [PATCH 21/28] Update per comment Signed-off-by: Wayne Zhang --- envoy/config/filter/http/jwt_authn/v2/README.md | 2 +- envoy/config/filter/http/jwt_authn/v2/config.proto | 3 +++ 2 files changed, 4 insertions(+), 1 deletion(-) diff --git a/envoy/config/filter/http/jwt_authn/v2/README.md b/envoy/config/filter/http/jwt_authn/v2/README.md index 1aaeba1fe..fde095e0d 100644 --- a/envoy/config/filter/http/jwt_authn/v2/README.md +++ b/envoy/config/filter/http/jwt_authn/v2/README.md @@ -1,4 +1,4 @@ -# JWT Authentication envoy HTTP filter config +# JWT Authentication HTTP filter config ## Overview diff --git a/envoy/config/filter/http/jwt_authn/v2/config.proto b/envoy/config/filter/http/jwt_authn/v2/config.proto index 19fdf9b4d..f4eb2daf7 100644 --- a/envoy/config/filter/http/jwt_authn/v2/config.proto +++ b/envoy/config/filter/http/jwt_authn/v2/config.proto @@ -121,6 +121,9 @@ message JwtRule { // See `this `_ // + // Multiple JWTs can be verified for a request. Each JWT has to be extracted + // from the locations its issuer specified or from the default locations. + // Specify the HTTP headers to extract JWT token. // // For examples, following config:: From 64d6694a895680d7f3bf3bc35090b873fba0e304 Mon Sep 17 00:00:00 2001 From: Wayne Zhang Date: Mon, 19 Mar 2018 23:06:27 +0000 Subject: [PATCH 22/28] remove allow_failed_jwt Signed-off-by: Wayne Zhang --- .../filter/http/jwt_authn/v2/config.proto | 24 +++++++++---------- 1 file changed, 11 insertions(+), 13 deletions(-) diff --git a/envoy/config/filter/http/jwt_authn/v2/config.proto b/envoy/config/filter/http/jwt_authn/v2/config.proto index f4eb2daf7..c67c4ad12 100644 --- a/envoy/config/filter/http/jwt_authn/v2/config.proto +++ b/envoy/config/filter/http/jwt_authn/v2/config.proto @@ -101,11 +101,6 @@ message JwtRule { // If true, the JWT is not removed in the request. Default value is false. bool forward_jwt = 5; - // If true, the request is allowed if this JWT verification fails. - // If false, a failed verification request will be rejected. - // Default value is false. - bool allow_failed_jwt = 6; - // Two fields below define where to extract the JWT from an HTTP request. // // If no explicit location is specified, the following default locations are @@ -137,7 +132,7 @@ message JwtRule { // // x-goog-iap-jwt-assertion: . // - repeated JwtHeader jwt_headers = 7; + repeated JwtHeader jwt_headers = 6; // JWT is sent in a query parameter. `jwt_params` represents the // query parameter names. @@ -153,7 +148,7 @@ message JwtRule { // // /path?jwt_token= // - repeated string jwt_params = 8; + repeated string jwt_params = 7; // This field specifies the header name to forward a successfully verified // JWT payload to the backend. The forwarded data is:: @@ -163,7 +158,7 @@ message JwtRule { // If it is not specified, the payload will not be forwarded. // If multiple JWT payloads needed to be forwarded, distinct header names // are required. - string jwt_payload_header = 9; + string jwt_payload_header = 8; } // This message specifies how to fetch JWKS from remote and how to cache it. @@ -202,12 +197,15 @@ message JwtAuthentication { // List of JWT rules to valide. repeated JwtRule jwt_rules = 1; - // If true, the request is allowed if JWT is missing. - // Default is false, a request without JWT is not allowed. - bool allow_missing_jwt = 2; + // If true, the request is allowed if JWT is missing or JWT + // verification fails. + // Default is false, a request without JWT or failed JWT verification + // is not allowed. + bool allow_missing_or_failed_jwt = 2; - // This applies when JWT is missing and allow_missing_jwt is false. - // Under that config, if a request doesn't have JWT, it will be rejected. + // This field lists the patterns allowed to bypass JWT verification. + // This only applies when `allow_missing_or_failed_jwt` is false. + // Under this config, if a request doesn't have JWT, it will be rejected. // But some requests still needed to be forwarded without JWT, such as // OPTIONS for CORS and some health checking paths. // From 7625319c81963e5cdd8deb840ac70d8394f4bb98 Mon Sep 17 00:00:00 2001 From: Wayne Zhang Date: Tue, 20 Mar 2018 01:15:51 +0000 Subject: [PATCH 23/28] Fix format to fix column limit of 100 Signed-off-by: Wayne Zhang --- .../filter/http/jwt_authn/v2/config.proto | 100 ++++++++---------- 1 file changed, 43 insertions(+), 57 deletions(-) diff --git a/envoy/config/filter/http/jwt_authn/v2/config.proto b/envoy/config/filter/http/jwt_authn/v2/config.proto index c67c4ad12..29b37960a 100644 --- a/envoy/config/filter/http/jwt_authn/v2/config.proto +++ b/envoy/config/filter/http/jwt_authn/v2/config.proto @@ -9,10 +9,10 @@ import "envoy/api/v2/route/route.proto"; import "google/protobuf/duration.proto"; import "validate/validate.proto"; -// This message specifies how a JSON Web Token (JWT) can be verified. -// JWT format is defined `here `_. -// Please see `OAuth2.0 `_ and -// `OIDC1.0 `_ for the authentication flow. +// This message specifies how a JSON Web Token (JWT) can be verified. JWT format is defined +// `here `_. Please see `OAuth2.0 +// `_ and `OIDC1.0 `_ for +// the authentication flow. // // Example: // @@ -31,19 +31,17 @@ import "validate/validate.proto"; // // [#not-implemented-hide:] message JwtRule { - // Identifies the principal that issued the JWT. See - // `here `_. - // Usually a URL or an email address. + // Identifies the principal that issued the JWT. See `here + // `_. Usually a URL or an email address. // // Example: https://securetoken.google.com // Example: 1234567-compute@developer.gserviceaccount.com // string issuer = 1 [(validate.rules).string.min_bytes = 1]; - // The list of JWT `audiences - // `_. that are allowed to - // access. A JWT containing any of these audiences will be accepted. - // If not specified, will not check audiences in the token. + // The list of JWT `audiences `_. that are + // allowed to access. A JWT containing any of these audiences will be accepted. If not specified, + // will not check audiences in the token. // // Example: // @@ -55,14 +53,13 @@ message JwtRule { // repeated string audiences = 2; - // `JSON Web Key Set `_ is - // needed. to validate signature of the JWT. This field specifies where to - // fetch JWKS. + // `JSON Web Key Set `_ is needed. to validate + // signature of the JWT. This field specifies where to fetch JWKS. oneof jwks_source_specifier { option (validate.required) = true; - // JWKS can be fetched from remote server via HTTP/HTTPS. - // This field specifies the remote HTTP URI. + // JWKS can be fetched from remote server via HTTP/HTTPS. This field specifies the remote HTTP + // URI and how the fetched JWKS should be cached. // // Example: // @@ -77,8 +74,8 @@ message JwtRule { // RemoteJwks remote_jwks = 3; - // JWKS is in local data source. It could be either: - // in a local file or embedded in the inline_string. + // JWKS is in local data source. It could be either in a local file or embedded in the + // inline_string. // // Example: local file // @@ -97,31 +94,27 @@ message JwtRule { envoy.api.v2.core.DataSource local_jwks = 4; } - // If false, the JWT is removed in the request after a success verification. - // If true, the JWT is not removed in the request. Default value is false. + // If false, the JWT is removed in the request after a success verification. If true, the JWT is + // not removed in the request. Default value is false. bool forward_jwt = 5; // Two fields below define where to extract the JWT from an HTTP request. // - // If no explicit location is specified, the following default locations are - // tried in order: + // If no explicit location is specified, the following default locations are tried in order: // - // 1. The Authorization header using the Bearer schema. - // See `here `_ - // Example:: + // 1. The Authorization header using the Bearer schema. See `here + // `_. Example: // // Authorization: Bearer . // - // 2. `access_token` query parameter. - // See `this `_ + // 2. `access_token` query parameter. See `this + // `_ // - // Multiple JWTs can be verified for a request. Each JWT has to be extracted - // from the locations its issuer specified or from the default locations. + // Multiple JWTs can be verified for a request. Each JWT has to be extracted from the locations + // its issuer specified or from the default locations. - // Specify the HTTP headers to extract JWT token. - // - // For examples, following config:: + // Specify the HTTP headers to extract JWT token. For examples, following config: // // .. code-block:: yaml // @@ -134,10 +127,9 @@ message JwtRule { // repeated JwtHeader jwt_headers = 6; - // JWT is sent in a query parameter. `jwt_params` represents the - // query parameter names. + // JWT is sent in a query parameter. `jwt_params` represents the query parameter names. // - // For example, if config is:: + // For example, if config is: // // .. code-block:: yaml // @@ -150,22 +142,19 @@ message JwtRule { // repeated string jwt_params = 7; - // This field specifies the header name to forward a successfully verified - // JWT payload to the backend. The forwarded data is:: + // This field specifies the header name to forward a successfully verified JWT payload to the + // backend. The forwarded data is:: // // base64_encoded(jwt_payload_in_JSON) // - // If it is not specified, the payload will not be forwarded. - // If multiple JWT payloads needed to be forwarded, distinct header names - // are required. + // If it is not specified, the payload will not be forwarded. If multiple JWT payloads needed to + // be forwarded, distinct header names are required. string jwt_payload_header = 8; } // This message specifies how to fetch JWKS from remote and how to cache it. message RemoteJwks { - // The HTTP URI to fetch the JWKS. - // - // Example: + // The HTTP URI to fetch the JWKS. For example: // // .. code-block:: yaml // @@ -175,8 +164,8 @@ message RemoteJwks { // envoy.api.v2.core.HttpUri http_uri = 1; - // Duration after which the cached JWKS should be expired. If not - // specified, default cache duration is 5 minutes. + // Duration after which the cached JWKS should be expired. If not specified, default cache + // duration is 5 minutes. google.protobuf.Duration cache_duration = 2; } @@ -186,8 +175,8 @@ message JwtHeader { string name = 1 [(validate.rules).string.min_bytes = 1]; // The value prefix. The value format is "value_prefix" - // For example, for "Authorization: Bearer ", - // value_prefix="Bearer " with a space at the end. + // For example, for "Authorization: Bearer ", value_prefix="Bearer " with a space at the + // end. string value_prefix = 2; } @@ -195,19 +184,16 @@ message JwtHeader { // [#not-implemented-hide:] message JwtAuthentication { // List of JWT rules to valide. - repeated JwtRule jwt_rules = 1; + repeated JwtRule rules = 1; - // If true, the request is allowed if JWT is missing or JWT - // verification fails. - // Default is false, a request without JWT or failed JWT verification - // is not allowed. + // If true, the request is allowed if JWT is missing or JWT verification fails. + // Default is false, a request without JWT or failed JWT verification is not allowed. bool allow_missing_or_failed_jwt = 2; - // This field lists the patterns allowed to bypass JWT verification. - // This only applies when `allow_missing_or_failed_jwt` is false. - // Under this config, if a request doesn't have JWT, it will be rejected. - // But some requests still needed to be forwarded without JWT, such as - // OPTIONS for CORS and some health checking paths. + // This field lists the patterns allowed to bypass JWT verification. This only applies when + // `allow_missing_or_failed_jwt` is false. Under this config, if a request doesn't have JWT, it + // will be rejected. But some requests still needed to be forwarded without JWT, such as OPTIONS + // for CORS and some health checking paths. // // Examples: bypass all CORS options requests // From 4ca5e41e3bfb694f4822e80d3a0298802c0eb3eb Mon Sep 17 00:00:00 2001 From: Wayne Zhang Date: Tue, 20 Mar 2018 16:51:52 +0000 Subject: [PATCH 24/28] remove jwt in field names Signed-off-by: Wayne Zhang --- .../filter/http/jwt_authn/v2/config.proto | 20 +++++++++---------- 1 file changed, 10 insertions(+), 10 deletions(-) diff --git a/envoy/config/filter/http/jwt_authn/v2/config.proto b/envoy/config/filter/http/jwt_authn/v2/config.proto index 29b37960a..d7236575c 100644 --- a/envoy/config/filter/http/jwt_authn/v2/config.proto +++ b/envoy/config/filter/http/jwt_authn/v2/config.proto @@ -96,7 +96,7 @@ message JwtRule { // If false, the JWT is removed in the request after a success verification. If true, the JWT is // not removed in the request. Default value is false. - bool forward_jwt = 5; + bool forward = 5; // Two fields below define where to extract the JWT from an HTTP request. // @@ -118,14 +118,14 @@ message JwtRule { // // .. code-block:: yaml // - // jwt_headers: + // from_headers: // - name: x-goog-iap-jwt-assertion // // can be used to extract token from header:: // // x-goog-iap-jwt-assertion: . // - repeated JwtHeader jwt_headers = 6; + repeated JwtHeader from_headers = 6; // JWT is sent in a query parameter. `jwt_params` represents the query parameter names. // @@ -133,14 +133,14 @@ message JwtRule { // // .. code-block:: yaml // - // jwt_params: + // from_params: // - jwt_token // // The JWT format in query parameter is:: // // /path?jwt_token= // - repeated string jwt_params = 7; + repeated string from_params = 7; // This field specifies the header name to forward a successfully verified JWT payload to the // backend. The forwarded data is:: @@ -149,7 +149,7 @@ message JwtRule { // // If it is not specified, the payload will not be forwarded. If multiple JWT payloads needed to // be forwarded, distinct header names are required. - string jwt_payload_header = 8; + string forward_payload_header = 8; } // This message specifies how to fetch JWKS from remote and how to cache it. @@ -188,7 +188,7 @@ message JwtAuthentication { // If true, the request is allowed if JWT is missing or JWT verification fails. // Default is false, a request without JWT or failed JWT verification is not allowed. - bool allow_missing_or_failed_jwt = 2; + bool allow_missing_or_failed = 2; // This field lists the patterns allowed to bypass JWT verification. This only applies when // `allow_missing_or_failed_jwt` is false. Under this config, if a request doesn't have JWT, it @@ -199,7 +199,7 @@ message JwtAuthentication { // // .. code-block:: yaml // - // bypass_jwt: + // bypass: // - headers: // - name: :method // value: OPTIONS @@ -211,7 +211,7 @@ message JwtAuthentication { // // .. code-block:: yaml // - // bypass_jwt: + // bypass: // - headers: // - name: :method // value: GET @@ -219,5 +219,5 @@ message JwtAuthentication { // - name: :path // exact_match: /healthz // - repeated envoy.api.v2.route.RouteMatch bypass_jwt = 3; + repeated envoy.api.v2.route.RouteMatch bypass = 3; } From 937d521c3a77266c0b783ab7e5176303511adbb6 Mon Sep 17 00:00:00 2001 From: Wayne Zhang Date: Tue, 20 Mar 2018 16:58:22 +0000 Subject: [PATCH 25/28] Update README with changed field names Signed-off-by: Wayne Zhang --- envoy/config/filter/http/jwt_authn/v2/README.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/envoy/config/filter/http/jwt_authn/v2/README.md b/envoy/config/filter/http/jwt_authn/v2/README.md index fde095e0d..2cd5eea6b 100644 --- a/envoy/config/filter/http/jwt_authn/v2/README.md +++ b/envoy/config/filter/http/jwt_authn/v2/README.md @@ -24,8 +24,8 @@ The next default location is in the query parameter as: ?access_token= ``` -If a custom location is desired, "jwt_headers" and "jwt_params" can be used to specify custom locations to extract JWT. +If a custom location is desired, "from_headers" and "from_params" can be used to specify custom locations to extract JWT. ## HTTP header to pass sucessfully verified JWT -If a JWT is valid, its payload will be passed to the backend in a new HTTP header specified in `forward_jwt_header` field. Its value is base64 encoded JWT payload in JSON. +If a JWT is valid, its payload will be passed to the backend in a new HTTP header specified in `forward_payload_header` field. Its value is base64 encoded JWT payload in JSON. From b21a927dad957de60247ffaa64f85d5d262750cb Mon Sep 17 00:00:00 2001 From: Wayne Zhang Date: Tue, 20 Mar 2018 16:59:54 +0000 Subject: [PATCH 26/28] Update README Signed-off-by: Wayne Zhang --- envoy/config/filter/http/jwt_authn/v2/README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/envoy/config/filter/http/jwt_authn/v2/README.md b/envoy/config/filter/http/jwt_authn/v2/README.md index 2cd5eea6b..d7aac1ad9 100644 --- a/envoy/config/filter/http/jwt_authn/v2/README.md +++ b/envoy/config/filter/http/jwt_authn/v2/README.md @@ -24,7 +24,7 @@ The next default location is in the query parameter as: ?access_token= ``` -If a custom location is desired, "from_headers" and "from_params" can be used to specify custom locations to extract JWT. +If a custom location is desired, `from_headers` or `from_params` can be used to specify custom locations to extract JWT. ## HTTP header to pass sucessfully verified JWT From 3c8bf24c1a5dc4f051f7c9837f1f6130f189cc7c Mon Sep 17 00:00:00 2001 From: Wayne Zhang Date: Tue, 20 Mar 2018 21:09:17 +0000 Subject: [PATCH 27/28] Update comment for forward_payload_header Signed-off-by: Wayne Zhang --- envoy/config/filter/http/jwt_authn/v2/config.proto | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/envoy/config/filter/http/jwt_authn/v2/config.proto b/envoy/config/filter/http/jwt_authn/v2/config.proto index d7236575c..41d2b18b5 100644 --- a/envoy/config/filter/http/jwt_authn/v2/config.proto +++ b/envoy/config/filter/http/jwt_authn/v2/config.proto @@ -147,8 +147,11 @@ message JwtRule { // // base64_encoded(jwt_payload_in_JSON) // - // If it is not specified, the payload will not be forwarded. If multiple JWT payloads needed to - // be forwarded, distinct header names are required. + // If it is not specified, the payload will not be forwarded. + // Multiple JWTs in a request from different issuers will be supported. Multiple JWTs from the + // same issuer will not be supported. Each issuer can config this `forward_payload_header`. If + // multiple JWTs from different issuers want to forward their payloads, their + // `forward_payload_header` should be different. string forward_payload_header = 8; } From 7dfc0f9303ebb1506cc41937ce5b7ecbd180606e Mon Sep 17 00:00:00 2001 From: Wayne Zhang Date: Tue, 20 Mar 2018 21:36:12 +0000 Subject: [PATCH 28/28] rename v2 to v2alpha Signed-off-by: Wayne Zhang --- envoy/config/filter/http/jwt_authn/{v2 => v2alpha}/BUILD | 0 envoy/config/filter/http/jwt_authn/{v2 => v2alpha}/README.md | 0 envoy/config/filter/http/jwt_authn/{v2 => v2alpha}/config.proto | 2 +- 3 files changed, 1 insertion(+), 1 deletion(-) rename envoy/config/filter/http/jwt_authn/{v2 => v2alpha}/BUILD (100%) rename envoy/config/filter/http/jwt_authn/{v2 => v2alpha}/README.md (100%) rename envoy/config/filter/http/jwt_authn/{v2 => v2alpha}/config.proto (99%) diff --git a/envoy/config/filter/http/jwt_authn/v2/BUILD b/envoy/config/filter/http/jwt_authn/v2alpha/BUILD similarity index 100% rename from envoy/config/filter/http/jwt_authn/v2/BUILD rename to envoy/config/filter/http/jwt_authn/v2alpha/BUILD diff --git a/envoy/config/filter/http/jwt_authn/v2/README.md b/envoy/config/filter/http/jwt_authn/v2alpha/README.md similarity index 100% rename from envoy/config/filter/http/jwt_authn/v2/README.md rename to envoy/config/filter/http/jwt_authn/v2alpha/README.md diff --git a/envoy/config/filter/http/jwt_authn/v2/config.proto b/envoy/config/filter/http/jwt_authn/v2alpha/config.proto similarity index 99% rename from envoy/config/filter/http/jwt_authn/v2/config.proto rename to envoy/config/filter/http/jwt_authn/v2alpha/config.proto index 41d2b18b5..adab17168 100644 --- a/envoy/config/filter/http/jwt_authn/v2/config.proto +++ b/envoy/config/filter/http/jwt_authn/v2alpha/config.proto @@ -1,7 +1,7 @@ syntax = "proto3"; -package envoy.config.filter.http.jwt_authn.v2; +package envoy.config.filter.http.jwt_authn.v2alpha; import "envoy/api/v2/core/base.proto"; import "envoy/api/v2/core/http_uri.proto";