doc: add doc for Jwt_authn filter#4527
Conversation
Signed-off-by: Wayne Zhang <qiwzhang@google.com>
Signed-off-by: Wayne Zhang <qiwzhang@google.com>
Signed-off-by: Wayne Zhang <qiwzhang@google.com>
Signed-off-by: Wayne Zhang <qiwzhang@google.com>
Signed-off-by: Wayne Zhang <qiwzhang@google.com>
Signed-off-by: Wayne Zhang <qiwzhang@google.com>
Signed-off-by: Wayne Zhang <qiwzhang@google.com>
Signed-off-by: Wayne Zhang <qiwzhang@google.com>
|
Ready for review. PTAL |
htuch
left a comment
htuch
left a comment
There was a problem hiding this comment.
Thanks for putting this together, first round of feedback.
| // | ||
| // - match: | ||
| // prefix: "/healthz" | ||
| // prefix: "/healthz" |
There was a problem hiding this comment.
Nit: can drop these superfluous "..." in the YAML fragments.
| JWT Authentication | ||
| ================== | ||
|
|
||
| This HTTP filter can be used to verify JSON Web Token (JWT). It will verify its signature, expiration time, audiences and issuer. If the JWT verification fails, its request will be rejected. If the JWT verification success, its payload could be forwarded to the upstream for further authorization if desired. |
There was a problem hiding this comment.
s/success/succeeds/, s/could be forwarded/can be forwarded/
| Configuration | ||
| ------------- | ||
|
|
||
| This HTTP :ref:`filer config <envoy_api_msg_config.filter.http.jwt_authn.v2alpha.JwtAuthentication>` has two fields, *providers* and *rules*. Field *providers* specifies how a JWT should be verified, such as where to extract the token, where to fetch the public key (JWKS) and where to output its payload. Field *rules* specifies matching rules and their requirements. It a request matches a rule, its requirement applies. The requirement specifies which JWT providers should be used. |
There was a problem hiding this comment.
s/It a request matches/If a request matches/
| JwtProvider | ||
| ~~~~~~~~~~~ | ||
|
|
||
| :ref:`JwtProvider <envoy_api_msg_config.filter.http.jwt_authn.v2alpha.JwtProvider>` specifies how a JWT should be verified. It has following fields: |
There was a problem hiding this comment.
s/It has following/It has the following/
|
|
||
| * *issuer*: the principal that issued the JWT, usually a URL or an email address. | ||
| * *audiences*: a list of JWT audiences allowed to access. A JWT containing any of these audiences will be accepted. | ||
| If not specified, will not check audiences in the JWT. |
There was a problem hiding this comment.
If not specified, the audience will not be checked in the JWT.
| * *forward*: if true, JWT will be forwarded to the upstream. | ||
| * *from_headers*: extract JWT from HTTP headers. | ||
| * *from_params*: extract JWT from query parameters. | ||
| * *forward_payload_header*: forward the JWT payload in the specified HTTP header. |
There was a problem hiding this comment.
Ideally most of the field descriptions can be figure out from the proto docs, but if you want to include it here, this is good. We do need to make sure they stay in sync though.
|
|
||
| Authorization: Bearer <token> | ||
|
|
||
| If fails to extract a JWT from above header, then check query parameter key *access_token* as this example:: |
There was a problem hiding this comment.
s/as this example/as in this example/
|
|
||
| **Important note** for *remote_jwks*, a **jwks_cluster** cluster is required for Envoy to talk to a JWKS server. Due to this, `OpenID connection discovery <https://openid.net/specs/openid-connect-discovery-1_0.html>`_ is not supported since the URL to fetch JWKS is in the response of the discovery. It is not easy to setup a cluster config for a dynamic URL. | ||
|
|
||
| JwtProvider config example one |
There was a problem hiding this comment.
Prefer semantic naming of config examples to "one"/"two", e.g. "simple", "header-based"..
|
|
||
| * *provider_name* is **provider_name1** | ||
| * *issuer* is **https://example.com** | ||
| * *audiences*: **bookstore_android.apps.googleusercontent.com** and **bookstore_web.apps.googleusercontent.com** |
There was a problem hiding this comment.
I don't think we need the trivial field correspondences to be explained, only the ones with some point-of-interest.
| RequirementRule | ||
| ~~~~~~~~~~~~~~~ | ||
|
|
||
| :ref:`RequirementRule <envoy_api_msg_config.filter.http.jwt_authn.v2alpha.RequirementRule>` has two fields: *match* and *requires*. The field *match* specifies how a request can be matched; e.g. by HTTP headers, or by query parameters, or by path prefixes. The field *requires* specifies the JWT requirement, e.g. which provider is required. Multiple providers may be required in such complex forms as "require_all" or "require_any". |
There was a problem hiding this comment.
Something like this seems to make sense to do inline in the API docs rather than independent RST.
There was a problem hiding this comment.
Removed most of them
| JWT Authentication | ||
| ================== | ||
|
|
||
| This HTTP filter can be used to verify JSON Web Token (JWT). It will verify its signature, expiration time, audiences and issuer. If the JWT verification fails, its request will be rejected. If the JWT verification success, its payload could be forwarded to the upstream for further authorization if desired. |
There was a problem hiding this comment.
There is a check for not before time too
|
|
||
| /path?access_token=<JWT> | ||
|
|
||
| In the :ref:`filter config <envoy_api_msg_config.filter.http.jwt_authn.v2alpha.JwtAuthentication>`, *providers* is a map, to map *provider_name* to a :ref:`JwtProvider <envoy_api_msg_config.filter.http.jwt_authn.v2alpha.JwtProvider>`. The *provider_name* has to be unique, it is referred in the `JwtRequirement <envoy_api_msg_config.filter.http.jwt_authn.v2alpha.JwtRequirement>` in its *provider_name* field. |
There was a problem hiding this comment.
The *provider_name* must be unique?
Signed-off-by: Wayne Zhang <qiwzhang@google.com>
Signed-off-by: Wayne Zhang <qiwzhang@google.com>
htuch
left a comment
htuch
left a comment
There was a problem hiding this comment.
Looks good, one last minor change from my side.
| * Field *match* specifies how a request can be matched; e.g. by HTTP headers, or by query parameters, or by path prefixes. | ||
| * Field *requires* specifies the JWT requirement, e.g. which provider is required. | ||
|
|
||
| **Important notes:** |
There was a problem hiding this comment.
Can you use Sphinx RST directives for this? http://www.sphinx-doc.org/en/master/usage/restructuredtext/basics.html#directives
Signed-off-by: Wayne Zhang <qiwzhang@google.com>
Signed-off-by: Wayne Zhang <qiwzhang@google.com>
| // the authentication flow. | ||
| // Please see following for JWT authentication flow: | ||
| // | ||
| // * `JWT format <https://tools.ietf.org/html/rfc7519>`_ |
There was a problem hiding this comment.
nit: Can you update the link title matches the document linked to?
i.e. JSON Web Token (JWT), The OAuth 2.0 Authorization Framework, OpenID Connect
| hosts: | ||
| socket_address: | ||
| address: example.com | ||
| portValue: 80 |
Signed-off-by: Wayne Zhang <qiwzhang@google.com>
Signed-off-by: Wayne Zhang <qiwzhang@google.com>
update doc for jwt_authn http filter format config.proto comment for doc add a new rst file: docs/root/configuration/http_filters/jwt_authn_filter.rst Risk Level: None Docs Changes: Yes Signed-off-by: Wayne Zhang <qiwzhang@google.com> Signed-off-by: Aaltan Ahmad <aa@stripe.com>
4 participants
Description: update doc for jwt_authn http filter
Risk Level: None
Docs Changes: Yes