api config: Refactor jwt_auth filter config #3428
nickrmc83 wants to merge 1 commit into envoyproxy:master from
This is the first in a series of PRs for introducing OpenID Connect and Session Management filters to envoy.
Refactor jwt_auth filter config to aid re-usability of the JWT verification code in new OIDC filter.
Added initial OpenID Connect Filter config definitions. These are subject to change.
Design drafts and previous discussion from the istio-sec WG:
- https://docs.google.com/document/d/1mGpUsRgmA9wPB73trfTiB9YUuwYh-31iulYg9USxe0Y/edit?usp=sharing
- https://docs.google.com/document/d/1oRoHt0iDBYRd_ETEtGJiNLhV1dKWMNgC6EvZAGmNcgk/edit?usp=sharing
Signed-off-by: Nick A. Smith <nick.a.smith@thales-esecurity.com>
| @@ -0,0 +1,243 @@ | |||
| syntax = "proto3"; | |||
|
|
|||
| package envoy.config.filter.http.common.v1alpha; | |||
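Review bot: The `package envoy.config.filter.http.common.v1alpha;` line puts this new 243-line file in a package whose name does not say what it holds. The package becomes part of every message's fully qualified name, so any filter that imports these types depends on it and a later rename is a breaking change for them. Choose a package that names the feature before other filters start importing from it.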
super quick drive-by nit: Please put this in a more specific namespace/file/directory than "envoy.config.filter.http.common.v1alpha"
Hi @nickrmc83. The jwt_authn config is here now. I also have a PR: #3381. Please rebase your change to them.
Looks like this hasn't been touched in a bit. Nick, any objection if we close this off for now, and you can reopen when it's ready for another look?
Yeah no problem.
Hi @nickrmc83 I was wondering where this was at. Are you still working on this? We are also interested in introducing OIDC to Envoy.
Yes, this is still alive and being worked on in the istio security working group but this PR is dead. #4242 is an initial enabler for further pull requests. If you're interested I'd encourage participation in the istio security WG.
And https://github.com/ThalesIgnite/proxy/tree/gitlab/src/envoy/http/oidc is a PoC implementation that is being productized
@nickrmc83 Thank you.
Signed-off-by: Nick A. Smith <nick.a.smith@thales-esecurity.com>
Description:
This is the first in a series of PRs for introducing OpenID Connect (OIDC) and Session Management filters to envoy. The primary goal of this PR is to split the istio jwt_authn filter's configuration API in two. The reason for this is to isolate the JWT verification code from the forwarding rules thus making it easier to re-use the verification logic in multiple filters.
Refactor jwt_auth filter config to aid re-usability of the JWT verification code in new OIDC filter.
Added initial OpenID Connect Filter config definitions. These are subject to change.
Design drafts and previous discussion from the istio-sec WG:
Risk Level: Medium
Testing:
NA
Docs Changes:
None