From fa6790bb1ec468ee41c25849828241f724ce70e1 Mon Sep 17 00:00:00 2001 From: Wayne Zhang Date: Mon, 2 Nov 2020 17:30:11 -0800 Subject: [PATCH 1/8] Update to jwt_verify_lib with 1 minute clock skew Signed-off-by: Wayne Zhang --- bazel/repository_locations.bzl | 6 ++--- .../filters/http/jwt_authn/authenticator.cc | 26 +++++-------------- 2 files changed, 9 insertions(+), 23 deletions(-) diff --git a/bazel/repository_locations.bzl b/bazel/repository_locations.bzl index 974c9deea62b2..08db10be2b044 100644 --- a/bazel/repository_locations.bzl +++ b/bazel/repository_locations.bzl @@ -408,13 +408,13 @@ REPOSITORY_LOCATIONS_SPEC = dict( project_name = "jwt_verify_lib", project_desc = "JWT verification library for C++", project_url = "https://github.com/google/jwt_verify_lib", - version = "7276a339af8426724b744216f619c99152f8c141", - sha256 = "f1fde4f3ebb3b2d841332c7a02a4b50e0529a19709934c63bc6208d1bbe28fb1", + version = "98b2d895cbc8bbd5f0dc0e023ab2db5527df0e9d", + sha256 = "5e002c56750d4ec0229420fc87c128e81b6937f6af3031b2d523e0016891048a", strip_prefix = "jwt_verify_lib-{version}", urls = ["https://github.com/google/jwt_verify_lib/archive/{version}.tar.gz"], use_category = ["dataplane_ext"], extensions = ["envoy.filters.http.jwt_authn"], - release_date = "2020-07-10", + release_date = "2020-11-02", cpe = "N/A", ), com_github_nodejs_http_parser = dict( diff --git a/source/extensions/filters/http/jwt_authn/authenticator.cc b/source/extensions/filters/http/jwt_authn/authenticator.cc index 1b73eeaf08b22..acc20daec4bb7 100644 --- a/source/extensions/filters/http/jwt_authn/authenticator.cc +++ b/source/extensions/filters/http/jwt_authn/authenticator.cc 
@@ -141,7 +141,7 @@ void AuthenticatorImpl::startVerify() { jwt_ = std::make_unique<::google::jwt_verify::Jwt>(); ENVOY_LOG(debug, "{}: Parse Jwt {}", name(), curr_token_->token()); - const Status status = jwt_->parseFromString(curr_token_->token()); + Status status = jwt_->parseFromString(curr_token_->token()); if (status != Status::Ok) { doneWithStatus(status); return; @@ -163,24 +163,9 @@ void AuthenticatorImpl::startVerify() { } } - // TODO(qiwzhang): Cross-platform-wise the below unix_timestamp code is wrong as the - // epoch is not guaranteed to be defined as the unix epoch. We should use - // the abseil time functionality instead or use the jwt_verify_lib to check - // the validity of a JWT. - // Check "exp" claim. - const uint64_t unix_timestamp = - std::chrono::duration_cast(timeSource().systemTime().time_since_epoch()) - .count(); - // If the nbf claim does *not* appear in the JWT, then the nbf field is defaulted - // to 0. - if (jwt_->nbf_ > unix_timestamp) { - doneWithStatus(Status::JwtNotYetValid); - return; - } - // If the exp claim does *not* appear in the JWT then the exp field is defaulted - // to 0. - if (jwt_->exp_ > 0 && jwt_->exp_ < unix_timestamp) { - doneWithStatus(Status::JwtExpired); + status = jwt_->verifyTimeConstraint(); + if (status != Status::Ok) { + doneWithStatus(status); return; } @@ -247,7 +232,8 @@ void AuthenticatorImpl::onDestroy() { // Verify with a specific public key. void AuthenticatorImpl::verifyKey() { - const Status status = ::google::jwt_verify::verifyJwt(*jwt_, *jwks_data_->getJwksObj()); + const Status status = + ::google::jwt_verify::verifyJwtWithoutTimeChecking(*jwt_, *jwks_data_->getJwksObj()); if (status != Status::Ok) { doneWithStatus(status); return; From a7dfae2dba03ac3a9bea26beb7aaf39bc2c69953 Mon Sep 17 00:00:00 2001 From: Wayne Zhang Date: Wed, 4 Nov 2020 17:22:26 -0800 Subject: [PATCH 2/8] add configurable clock skew 
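Review bot: The new `status = jwt_->verifyTimeConstraint();` in startVerify() drops the `timeSource().systemTime()` clock that the removed block used, so the exp/nbf comparison presumably now reads the wall clock inside jwt_verify_lib and can no longer be driven by Envoy's injectable TimeSource (simulated-time tests cannot move it). If the library offers an overload that takes the current time, passing the TimeSource value converted to Unix seconds would keep the check under Envoy's clock, and the library's skew handling is kept either way. The `const Status status` to `Status status` change a few lines up exists only to allow the reuse here; a second `const Status` local for the time check would keep both values immutable. startVerify() begins and ends outside this hunk.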
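Review bot: Switching verifyKey() to `verifyJwtWithoutTimeChecking` is correct only because startVerify() has already run `verifyTimeConstraint()` on the same `jwt_`, and nothing at this call site records that dependency. A comment above the call such as `// exp/nbf were already validated in startVerify(); only the signature is checked here.` would keep a later refactor from reordering or skipping the time check without noticing that signature verification no longer covers it. verifyKey() continues past the end of the hunk.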
Signed-off-by: Wayne Zhang --- .../filters/http/jwt_authn/v3/config.proto | 6 +++++- .../filters/http/jwt_authn/v4alpha/config.proto | 6 +++++- bazel/repository_locations.bzl | 6 +++--- .../filters/http/jwt_authn/v3/config.proto | 6 +++++- .../filters/http/jwt_authn/v4alpha/config.proto | 6 +++++- .../filters/http/jwt_authn/authenticator.cc | 17 +++++++++++------ 6 files changed, 34 insertions(+), 13 deletions(-) diff --git a/api/envoy/extensions/filters/http/jwt_authn/v3/config.proto b/api/envoy/extensions/filters/http/jwt_authn/v3/config.proto index 0e4294608384f..ce16632b55ef5 100644 --- a/api/envoy/extensions/filters/http/jwt_authn/v3/config.proto +++ b/api/envoy/extensions/filters/http/jwt_authn/v3/config.proto @@ -51,7 +51,7 @@ option (udpa.annotations.file_status).package_version_status = ACTIVE; // cache_duration: // seconds: 300 // -// [#next-free-field: 10] +// [#next-free-field: 11] message JwtProvider { option (udpa.annotations.versioning).previous_message_type = "envoy.config.filter.http.jwt_authn.v2alpha.JwtProvider"; @@ -191,6 +191,10 @@ message JwtProvider { // exp: 1501281058 // string payload_in_metadata = 9; + + // Specify the clock skew in seconds when verifying JWT time constraint, + // such as `exp`, and `nbf`. If not specified, default is 60 seconds. + uint32 clock_skew = 10; } // This message specifies how to fetch JWKS from remote and how to cache it. diff --git a/api/envoy/extensions/filters/http/jwt_authn/v4alpha/config.proto b/api/envoy/extensions/filters/http/jwt_authn/v4alpha/config.proto index 53ee84fd65ea6..0f13958e1e540 100644 --- a/api/envoy/extensions/filters/http/jwt_authn/v4alpha/config.proto +++ b/api/envoy/extensions/filters/http/jwt_authn/v4alpha/config.proto 
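Review bot: With `uint32 clock_skew = 10;` a configured value of 0 is indistinguishable from an unset field, so the authenticator change in this same patch falls back to 60 seconds and an operator cannot ask for zero tolerance; the field comment should say so, e.g. `// A value of 0 is treated as unset and yields the 60 second default; a zero skew cannot be configured.`. Nothing bounds the value upward, and a very large skew effectively disables `exp` enforcement for that provider, which is worth stating in the comment (or bounding with a validation rule) so the security impact of the knob is visible to whoever sets it. The same field and comment are repeated in the v4alpha copy and in both generated_api_shadow copies of config.proto in this patch.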
@@ -51,7 +51,7 @@ option (udpa.annotations.file_status).package_version_status = NEXT_MAJOR_VERSIO // cache_duration: // seconds: 300 // -// [#next-free-field: 10] +// [#next-free-field: 11] message JwtProvider { option (udpa.annotations.versioning).previous_message_type = "envoy.extensions.filters.http.jwt_authn.v3.JwtProvider"; @@ -191,6 +191,10 @@ message JwtProvider { // exp: 1501281058 // string payload_in_metadata = 9; + + // Specify the clock skew in seconds when verifying JWT time constraint, + // such as `exp`, and `nbf`. If not specified, default is 60 seconds. + uint32 clock_skew = 10; } // This message specifies how to fetch JWKS from remote and how to cache it. diff --git a/bazel/repository_locations.bzl b/bazel/repository_locations.bzl index 08db10be2b044..6ba45e0fb24a4 100644 --- a/bazel/repository_locations.bzl +++ b/bazel/repository_locations.bzl @@ -408,13 +408,13 @@ REPOSITORY_LOCATIONS_SPEC = dict( project_name = "jwt_verify_lib", project_desc = "JWT verification library for C++", project_url = "https://github.com/google/jwt_verify_lib", - version = "98b2d895cbc8bbd5f0dc0e023ab2db5527df0e9d", - sha256 = "5e002c56750d4ec0229420fc87c128e81b6937f6af3031b2d523e0016891048a", + version = "28efec2e4df1072db0ed03597591360ec9f80aac", + sha256 = "7a5c35b7cbf633398503ae12cad8c2833e92b3a796eed68b6256d22d51ace5e1", strip_prefix = "jwt_verify_lib-{version}", urls = ["https://github.com/google/jwt_verify_lib/archive/{version}.tar.gz"], use_category = ["dataplane_ext"], extensions = ["envoy.filters.http.jwt_authn"], - release_date = "2020-11-02", + release_date = "2020-11-04", cpe = "N/A", ), com_github_nodejs_http_parser = dict( diff --git a/generated_api_shadow/envoy/extensions/filters/http/jwt_authn/v3/config.proto b/generated_api_shadow/envoy/extensions/filters/http/jwt_authn/v3/config.proto index 0e4294608384f..ce16632b55ef5 100644 --- a/generated_api_shadow/envoy/extensions/filters/http/jwt_authn/v3/config.proto 
+++ b/generated_api_shadow/envoy/extensions/filters/http/jwt_authn/v3/config.proto @@ -51,7 +51,7 @@ option (udpa.annotations.file_status).package_version_status = ACTIVE; // cache_duration: // seconds: 300 // -// [#next-free-field: 10] +// [#next-free-field: 11] message JwtProvider { option (udpa.annotations.versioning).previous_message_type = "envoy.config.filter.http.jwt_authn.v2alpha.JwtProvider"; @@ -191,6 +191,10 @@ message JwtProvider { // exp: 1501281058 // string payload_in_metadata = 9; + + // Specify the clock skew in seconds when verifying JWT time constraint, + // such as `exp`, and `nbf`. If not specified, default is 60 seconds. + uint32 clock_skew = 10; } // This message specifies how to fetch JWKS from remote and how to cache it. diff --git a/generated_api_shadow/envoy/extensions/filters/http/jwt_authn/v4alpha/config.proto b/generated_api_shadow/envoy/extensions/filters/http/jwt_authn/v4alpha/config.proto index 53ee84fd65ea6..0f13958e1e540 100644 --- a/generated_api_shadow/envoy/extensions/filters/http/jwt_authn/v4alpha/config.proto +++ b/generated_api_shadow/envoy/extensions/filters/http/jwt_authn/v4alpha/config.proto @@ -51,7 +51,7 @@ option (udpa.annotations.file_status).package_version_status = NEXT_MAJOR_VERSIO // cache_duration: // seconds: 300 // -// [#next-free-field: 10] +// [#next-free-field: 11] message JwtProvider { option (udpa.annotations.versioning).previous_message_type = "envoy.extensions.filters.http.jwt_authn.v3.JwtProvider"; @@ -191,6 +191,10 @@ message JwtProvider { // exp: 1501281058 // string payload_in_metadata = 9; + + // Specify the clock skew in seconds when verifying JWT time constraint, + // such as `exp`, and `nbf`. If not specified, default is 60 seconds. + uint32 clock_skew = 10; } // This message specifies how to fetch JWKS from remote and how to cache it. 
diff --git a/source/extensions/filters/http/jwt_authn/authenticator.cc b/source/extensions/filters/http/jwt_authn/authenticator.cc index acc20daec4bb7..4124a74e9147a 100644 --- a/source/extensions/filters/http/jwt_authn/authenticator.cc +++ b/source/extensions/filters/http/jwt_authn/authenticator.cc @@ -163,18 +163,23 @@ void AuthenticatorImpl::startVerify() { } } - status = jwt_->verifyTimeConstraint(); - if (status != Status::Ok) { - doneWithStatus(status); - return; - } - // Check the issuer is configured or not. jwks_data_ = provider_ ? jwks_cache_.findByProvider(provider_.value()) : jwks_cache_.findByIssuer(jwt_->iss_); // isIssuerSpecified() check already make sure the issuer is in the cache. ASSERT(jwks_data_ != nullptr); + // Default is 60 seconds + uint64_t clock_skew = ::google::jwt_verify::kClockSkewInSecond; + if (jwks_data_->getJwtProvider().clock_skew() > 0) { + clock_skew = jwks_data_->getJwtProvider().clock_skew(); + } + status = jwt_->verifyTimeConstraint(absl::ToUnixSeconds(absl::Now()), clock_skew); + if (status != Status::Ok) { + doneWithStatus(status); + return; + } + // Check if audience is allowed bool is_allowed = check_audience_ ? check_audience_->areAudiencesAllowed(jwt_->audiences_) : jwks_data_->areAudiencesAllowed(jwt_->audiences_); From 30922ccf6012ea563eb7cca809c402658b01c8aa Mon Sep 17 00:00:00 2001 From: Wayne Zhang Date: Thu, 5 Nov 2020 21:25:30 -0800 Subject: [PATCH 3/8] add a clock skew test Signed-off-by: Wayne Zhang --- .../http/jwt_authn/authenticator_test.cc | 17 +++++++++++++++++ 1 file changed, 17 insertions(+) diff --git a/test/extensions/filters/http/jwt_authn/authenticator_test.cc b/test/extensions/filters/http/jwt_authn/authenticator_test.cc index e9ceb23cbbbdd..4e6b594a367f9 100644 --- a/test/extensions/filters/http/jwt_authn/authenticator_test.cc +++ b/test/extensions/filters/http/jwt_authn/authenticator_test.cc 
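Review bot: `absl::ToUnixSeconds(absl::Now())` reads the process wall clock directly, whereas the code this series replaced obtained time through `timeSource().systemTime()`, so the exp/nbf check is no longer deterministic under a simulated TimeSource in tests. If `timeSource().systemTime()` is a `system_clock::time_point`, `absl::ToUnixSeconds(absl::FromChrono(timeSource().systemTime()))` keeps the check on Envoy's clock without reintroducing the epoch portability concern the removed TODO described. The `> 0` guard also silently maps a configured skew of 0 to the library default; a comment such as `// 0 (unset) falls back to the library default of 60 seconds.` in place of `// Default is 60 seconds` would make that explicit. startVerify() begins and ends outside this hunk.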
@@ -303,6 +303,23 @@ TEST_F(AuthenticatorTest, TestExpiredJWT) { expectVerifyStatus(Status::JwtExpired, headers); } +// This test verifies when a JWT is expired but with a big clock skew. +TEST_F(AuthenticatorTest, TestExpiredJWTWithABigClockSkew) { + auto& provider = (*proto_config_.mutable_providers())[std::string(ProviderName)]; + // Token is expired at 1205005587, but add clock skew at another 1205005587. + provider.set_clock_skew(1205005587); + createAuthenticator(); + + EXPECT_CALL(*raw_fetcher_, fetch(_, _, _)) + .WillOnce(Invoke([this](const envoy::config::core::v3::HttpUri&, Tracing::Span&, + JwksFetcher::JwksReceiver& receiver) { + receiver.onJwksSuccess(std::move(jwks_)); + })); + + Http::TestRequestHeaderMapImpl headers{{"Authorization", "Bearer " + std::string(ExpiredToken)}}; + expectVerifyStatus(Status::Ok, headers); +} + // This test verifies when a JWT is not yet valid, JwtNotYetValid status is returned. TEST_F(AuthenticatorTest, TestNotYetValidJWT) { EXPECT_CALL(*raw_fetcher_, fetch(_, _, _)).Times(0); From f2be3e90d2836325f88eca524b6a678dc8820922 Mon Sep 17 00:00:00 2001 From: Wayne Zhang Date: Tue, 10 Nov 2020 14:11:49 -0800 Subject: [PATCH 4/8] rename clock_skew to clock_skew_seconds Signed-off-by: Wayne Zhang --- .../extensions/filters/http/jwt_authn/v3/config.proto | 2 +- .../filters/http/jwt_authn/v4alpha/config.proto | 2 +- .../extensions/filters/http/jwt_authn/v3/config.proto | 2 +- .../filters/http/jwt_authn/v4alpha/config.proto | 2 +- source/extensions/filters/http/jwt_authn/authenticator.cc | 8 ++++---- .../filters/http/jwt_authn/authenticator_test.cc | 2 +- 6 files changed, 9 insertions(+), 9 deletions(-) diff --git a/api/envoy/extensions/filters/http/jwt_authn/v3/config.proto b/api/envoy/extensions/filters/http/jwt_authn/v3/config.proto index ce16632b55ef5..a10fa68f30437 100644 --- a/api/envoy/extensions/filters/http/jwt_authn/v3/config.proto +++ b/api/envoy/extensions/filters/http/jwt_authn/v3/config.proto 
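Review bot: TestExpiredJWTWithABigClockSkew only shows that an enormous skew makes an expired token pass; there is no companion asserting that, with a skew configured, a token expired by more than that skew still returns `Status::JwtExpired`, nor one that pins the 60 second default when the field is left unset, so a regression that ignored the configured value would not be caught. The inline comment also reads awkwardly; `// The token's exp is 1205005587; a skew of the same size moves the effective deadline decades into the future.` says what the magic value is for. The test body lies entirely within the hunk.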
@@ -194,7 +194,7 @@ message JwtProvider { // Specify the clock skew in seconds when verifying JWT time constraint, // such as `exp`, and `nbf`. If not specified, default is 60 seconds. - uint32 clock_skew = 10; + uint32 clock_skew_seconds = 10; } // This message specifies how to fetch JWKS from remote and how to cache it. diff --git a/api/envoy/extensions/filters/http/jwt_authn/v4alpha/config.proto b/api/envoy/extensions/filters/http/jwt_authn/v4alpha/config.proto index 0f13958e1e540..2746640fa7380 100644 --- a/api/envoy/extensions/filters/http/jwt_authn/v4alpha/config.proto +++ b/api/envoy/extensions/filters/http/jwt_authn/v4alpha/config.proto @@ -194,7 +194,7 @@ message JwtProvider { // Specify the clock skew in seconds when verifying JWT time constraint, // such as `exp`, and `nbf`. If not specified, default is 60 seconds. - uint32 clock_skew = 10; + uint32 clock_skew_seconds = 10; } // This message specifies how to fetch JWKS from remote and how to cache it. diff --git a/generated_api_shadow/envoy/extensions/filters/http/jwt_authn/v3/config.proto b/generated_api_shadow/envoy/extensions/filters/http/jwt_authn/v3/config.proto index ce16632b55ef5..a10fa68f30437 100644 --- a/generated_api_shadow/envoy/extensions/filters/http/jwt_authn/v3/config.proto +++ b/generated_api_shadow/envoy/extensions/filters/http/jwt_authn/v3/config.proto @@ -194,7 +194,7 @@ message JwtProvider { // Specify the clock skew in seconds when verifying JWT time constraint, // such as `exp`, and `nbf`. If not specified, default is 60 seconds. - uint32 clock_skew = 10; + uint32 clock_skew_seconds = 10; } // This message specifies how to fetch JWKS from remote and how to cache it. diff --git a/generated_api_shadow/envoy/extensions/filters/http/jwt_authn/v4alpha/config.proto b/generated_api_shadow/envoy/extensions/filters/http/jwt_authn/v4alpha/config.proto index 0f13958e1e540..2746640fa7380 100644 --- a/generated_api_shadow/envoy/extensions/filters/http/jwt_authn/v4alpha/config.proto 
+++ b/generated_api_shadow/envoy/extensions/filters/http/jwt_authn/v4alpha/config.proto @@ -194,7 +194,7 @@ message JwtProvider { // Specify the clock skew in seconds when verifying JWT time constraint, // such as `exp`, and `nbf`. If not specified, default is 60 seconds. - uint32 clock_skew = 10; + uint32 clock_skew_seconds = 10; } // This message specifies how to fetch JWKS from remote and how to cache it. diff --git a/source/extensions/filters/http/jwt_authn/authenticator.cc b/source/extensions/filters/http/jwt_authn/authenticator.cc index 4124a74e9147a..cf447f68bdaac 100644 --- a/source/extensions/filters/http/jwt_authn/authenticator.cc +++ b/source/extensions/filters/http/jwt_authn/authenticator.cc @@ -170,11 +170,11 @@ void AuthenticatorImpl::startVerify() { ASSERT(jwks_data_ != nullptr); // Default is 60 seconds - uint64_t clock_skew = ::google::jwt_verify::kClockSkewInSecond; - if (jwks_data_->getJwtProvider().clock_skew() > 0) { - clock_skew = jwks_data_->getJwtProvider().clock_skew(); + uint64_t clock_skew_seconds = ::google::jwt_verify::kClockSkewInSecond; + if (jwks_data_->getJwtProvider().clock_skew_seconds() > 0) { + clock_skew_seconds = jwks_data_->getJwtProvider().clock_skew_seconds(); } - status = jwt_->verifyTimeConstraint(absl::ToUnixSeconds(absl::Now()), clock_skew); + status = jwt_->verifyTimeConstraint(absl::ToUnixSeconds(absl::Now()), clock_skew_seconds); if (status != Status::Ok) { doneWithStatus(status); return; diff --git a/test/extensions/filters/http/jwt_authn/authenticator_test.cc b/test/extensions/filters/http/jwt_authn/authenticator_test.cc index 4e6b594a367f9..fbb732a632983 100644 --- a/test/extensions/filters/http/jwt_authn/authenticator_test.cc +++ b/test/extensions/filters/http/jwt_authn/authenticator_test.cc 
@@ -307,7 +307,7 @@ TEST_F(AuthenticatorTest, TestExpiredJWT) { TEST_F(AuthenticatorTest, TestExpiredJWTWithABigClockSkew) { auto& provider = (*proto_config_.mutable_providers())[std::string(ProviderName)]; // Token is expired at 1205005587, but add clock skew at another 1205005587. - provider.set_clock_skew(1205005587); + provider.set_clock_skew_seconds(1205005587); createAuthenticator(); EXPECT_CALL(*raw_fetcher_, fetch(_, _, _)) From 09086eef744f5025fd3a8e647233500ca89cfef0 Mon Sep 17 00:00:00 2001 From: Wayne Zhang Date: Wed, 11 Nov 2020 15:24:52 -0800 Subject: [PATCH 5/8] update release note Signed-off-by: Wayne Zhang --- docs/root/version_history/current.rst | 1 + 1 file changed, 1 insertion(+) diff --git a/docs/root/version_history/current.rst b/docs/root/version_history/current.rst index 8d45e31362d5b..807a24d5b23e1 100644 --- a/docs/root/version_history/current.rst +++ b/docs/root/version_history/current.rst 
@@ -15,6 +15,7 @@ Minor Behavior Changes * ext_authz filter: disable `envoy.reloadable_features.ext_authz_measure_timeout_on_check_created` by default. * ext_authz filter: the deprecated field :ref:`use_alpha ` is no longer supported and cannot be set anymore. * grpc_web filter: if a `grpc-accept-encoding` header is present it's passed as-is to the upstream and if it isn't `grpc-accept-encoding:identity` is sent instead. The header was always overwriten with `grpc-accept-encoding:identity,deflate,gzip` before. +* jwt_authn filter: allows Jwt time constraint verification with a clock skew (default to 60 seconds) and added a filter config field :ref:`clock_skew_seconds ` to configure it. * tls: removed RSA key transport and SHA-1 cipher suites from the client-side defaults. * watchdog: the watchdog action :ref:`abort_action ` is now the default action to terminate the process if watchdog kill / multikill is enabled. * xds: to support TTLs, heartbeating has been added to xDS. As a result, responses that contain empty resources without updating the version will no longer be propagated to the From ca2cd681611a89dbd3eb0e8c508ddf9f758a4015 Mon Sep 17 00:00:00 2001 From: Wayne Zhang Date: Wed, 11 Nov 2020 15:46:09 -0800 Subject: [PATCH 6/8] fixed doc link Signed-off-by: Wayne Zhang --- docs/root/version_history/current.rst | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/root/version_history/current.rst b/docs/root/version_history/current.rst index 807a24d5b23e1..878be2ba210a0 100644 --- a/docs/root/version_history/current.rst +++ b/docs/root/version_history/current.rst 
@@ -15,7 +15,7 @@ Minor Behavior Changes * ext_authz filter: disable `envoy.reloadable_features.ext_authz_measure_timeout_on_check_created` by default. * ext_authz filter: the deprecated field :ref:`use_alpha ` is no longer supported and cannot be set anymore. * grpc_web filter: if a `grpc-accept-encoding` header is present it's passed as-is to the upstream and if it isn't `grpc-accept-encoding:identity` is sent instead. The header was always overwriten with `grpc-accept-encoding:identity,deflate,gzip` before. -* jwt_authn filter: allows Jwt time constraint verification with a clock skew (default to 60 seconds) and added a filter config field :ref:`clock_skew_seconds ` to configure it. +* jwt_authn filter: allows Jwt time constraint verification with a clock skew (default to 60 seconds) and added a filter config field :ref:`clock_skew_seconds ` to configure it. * tls: removed RSA key transport and SHA-1 cipher suites from the client-side defaults. * watchdog: the watchdog action :ref:`abort_action ` is now the default action to terminate the process if watchdog kill / multikill is enabled. * xds: to support TTLs, heartbeating has been added to xDS. As a result, responses that contain empty resources without updating the version will no longer be propagated to the From 7e8de8ede4a44f5cfcc4c1af2fe77d208131e0e5 Mon Sep 17 00:00:00 2001 From: Wayne Zhang Date: Wed, 11 Nov 2020 16:06:22 -0800 Subject: [PATCH 7/8] fix doc link again Signed-off-by: Wayne Zhang --- docs/root/version_history/current.rst | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/root/version_history/current.rst b/docs/root/version_history/current.rst index 878be2ba210a0..1c5777913b886 100644 --- a/docs/root/version_history/current.rst +++ b/docs/root/version_history/current.rst 
@@ -15,7 +15,7 @@ Minor Behavior Changes * ext_authz filter: disable `envoy.reloadable_features.ext_authz_measure_timeout_on_check_created` by default. * ext_authz filter: the deprecated field :ref:`use_alpha ` is no longer supported and cannot be set anymore. * grpc_web filter: if a `grpc-accept-encoding` header is present it's passed as-is to the upstream and if it isn't `grpc-accept-encoding:identity` is sent instead. The header was always overwriten with `grpc-accept-encoding:identity,deflate,gzip` before. -* jwt_authn filter: allows Jwt time constraint verification with a clock skew (default to 60 seconds) and added a filter config field :ref:`clock_skew_seconds ` to configure it. +* jwt_authn filter: allows Jwt time constraint verification with a clock skew (default to 60 seconds) and added a filter config field :ref:`clock_skew_seconds ` to configure it. * tls: removed RSA key transport and SHA-1 cipher suites from the client-side defaults. * watchdog: the watchdog action :ref:`abort_action ` is now the default action to terminate the process if watchdog kill / multikill is enabled. * xds: to support TTLs, heartbeating has been added to xDS. As a result, responses that contain empty resources without updating the version will no longer be propagated to the From 653fc9bcae7d4bf745529a5251afffc2ceec525e Mon Sep 17 00:00:00 2001 From: Wayne Zhang Date: Thu, 12 Nov 2020 13:53:39 -0800 Subject: [PATCH 8/8] dummy doc update to trigger re-test Signed-off-by: Wayne Zhang --- docs/root/version_history/current.rst | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/root/version_history/current.rst b/docs/root/version_history/current.rst index 1c5777913b886..ae394328c5881 100644 --- a/docs/root/version_history/current.rst +++ b/docs/root/version_history/current.rst 
@@ -15,7 +15,7 @@ Minor Behavior Changes * ext_authz filter: disable `envoy.reloadable_features.ext_authz_measure_timeout_on_check_created` by default. * ext_authz filter: the deprecated field :ref:`use_alpha ` is no longer supported and cannot be set anymore. * grpc_web filter: if a `grpc-accept-encoding` header is present it's passed as-is to the upstream and if it isn't `grpc-accept-encoding:identity` is sent instead. The header was always overwriten with `grpc-accept-encoding:identity,deflate,gzip` before. -* jwt_authn filter: allows Jwt time constraint verification with a clock skew (default to 60 seconds) and added a filter config field :ref:`clock_skew_seconds ` to configure it. +* jwt_authn filter: added support of Jwt time constraint verification with a clock skew (default to 60 seconds) and added a filter config field :ref:`clock_skew_seconds ` to configure it. * tls: removed RSA key transport and SHA-1 cipher suites from the client-side defaults. * watchdog: the watchdog action :ref:`abort_action ` is now the default action to terminate the process if watchdog kill / multikill is enabled. * xds: to support TTLs, heartbeating has been added to xDS. As a result, responses that contain empty resources without updating the version will no longer be propagated to the