extensions: make jwt_authn filter token-parsing more flexible (#6355)#6384
Merged
lizan merged 23 commits intoenvoyproxy:masterfrom Apr 8, 2019
Merged
Conversation
Loading
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
3 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Description: modifies jwt_authn filter's ExtractorImpl extract method to use the
from_headers'svalue_prefixtag more precisely, allowing syntax like "tag=<JWT>,other=xxx" rather than simply taking the remainder of the string as the JWT candidate.See Issue #6355 for full description. Should be backwards-compatible with existing uses of jwt_authn.
Risk Level: Medium (scope: affects JWT authentication)
Testing: Unit testing was added to test/.../jwt_authn/extractor_test.cc. Since
Extractoritself does not validate the JWT, only the parsing is tested.Docs Changes: see "Further header options" section added to api/envoy/config/filter/http/jwt_authn/v2alpha/README.md
Release Notes:
Adds enhancement per Issue #6355, so that deployments can use a wider variety of HTTP header syntaxes to pass JWTs and have them authenticated by the
jwt_authnfilter. Backwards-compatible with existing usage.JWT authentication with the
jwt_authnHTTP filter now permits header syntax like the following: