I'm trying to use the EnvoyFilter to pass the JWT payload from the request, decode it and use the claims as headers to the request.

It does not work, and I fail to get the dynamicMetadata filled with the payload after using the jwt_authn.

Here is an example of the jwt_authn filter I'm using:

```yaml
apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
  name: jwt-filter
  namespace: istio-system
spec:
  workloadSelector:
    labels:
      app: app1
  configPatches:
    - applyTo: HTTP_FILTER
      match:
        context: SIDECAR_INBOUND
        listener:
          portNumber: 3000
          filterChain:
            filter:
              name: "envoy.http_connection_manager"
              subFilter:
                name: "envoy.router"
      patch:
        operation: INSERT_BEFORE
        value:
          name: envoy.filters.http.jwt_authn
          typed_config:
            "@type": "type.googleapis.com/envoy.config.filter.http.jwt_authn.v2alpha.JwtProvider"
            providers:
              authority_jwks:
                issuer: "testing@secure.istio.io"
                remote_jwks:
                  http_uri:
                    uri: "https://raw.githubusercontent.com/istio/istio/master/security/tools/jwt/samples/jwks.json"
                    timeout: 5s
                  cache_duration: 3600s
                forward: true
                payload_in_metadata: "jwt-metadata"
                forward_payload_header: "jwt-header"
```

I assumed that:

  • for the first step, if my app is printing the request headers, the jwt-header should be one of the headers and include the encrypted JWT.
  • if I'm using an Envoy Lua filter that gets the DynamicMetadata, it will include the jwt-metadata field.

Isn't it?

user14242404
  • Your jwt key is formatted for `RequestAuthentication` object, not envoy. The key is actually the value to the `keys` (the one starting with {e:...). In fact, it is super easy with `RequestAuthentication` and `AuthorizationPolicy` objects, rather than `envoyFilter`. Also, I am not sure if the value under patch can be `envoy.filters.http.jwt_authn`. In Istio, you usually use `envoy.jwt_authn`. – suren Nov 09 '20 at 12:10
  • @suren It is true that requestAuthentication does that job in validating the token. The thing is, I needed to decrypt that token and pass some of the claims as headers. That's why I wanted to use the jwt_authn along with a Lua filter to make this happen. I ended up using only a Lua script while decoding the token in the script itself – user14242404 Nov 10 '20 at 04:48

2 Answers

The JWT filter defaults to extracting the JWT token from "Authorization: Bearer " header. Do you know if Envoy is able to read it?

You can also check envoy logs when running with trace level of logging. It prints jwt_authn logs that show what the filter is doing.

chintan

I was able to solve it.

Apparently the jwt_authn is used by default when using RequestAuthentication and I don't need to specifically define it on the EnvoyFilter.

What I did was to add an EnvoyFilter with a Lua script that gets the decrypted JWT token like the following:

```lua
metadata = request_handle:streamInfo():dynamicMetadata():get("envoy.filters.http.jwt_authn")
claims = metadata["testing@secure.istio.io"]
```

10x

user14242404
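The metadata lookup from the answer above, expanded into a full `envoy_on_request` handler that copies claims into request headers. This is an added example, not code from the original posts; it goes beyond the answer by removing client-supplied copies of the headers first and by handling requests that carry no validated token. The claim-to-header mapping, the `x-jwt-*` header names and the `stub` helper are assumptions made for illustration.

```lua
-- Added example: body for an Envoy Lua HTTP filter. Assumes RequestAuthentication
-- has validated the token, so jwt_authn stored the payload in dynamic metadata.
local JWT_FILTER = "envoy.filters.http.jwt_authn"  -- metadata namespace, from the answer
local ISSUER     = "testing@secure.istio.io"       -- payload key, from the answer
-- Hypothetical claim-to-header mapping; adjust to the claims the app needs.
local CLAIM_HEADERS = { sub = "x-jwt-sub", iss = "x-jwt-iss" }

function envoy_on_request(request_handle)
  local headers = request_handle:headers()
  -- Drop client-supplied copies first so the app never sees spoofed values.
  for _, name in pairs(CLAIM_HEADERS) do
    headers:remove(name)
  end
  local meta = request_handle:streamInfo():dynamicMetadata():get(JWT_FILTER)
  local claims = meta and meta[ISSUER]
  if type(claims) ~= "table" then return end  -- no validated token: add nothing
  for claim, name in pairs(CLAIM_HEADERS) do
    local value = claims[claim]
    -- Forward scalar claims only; arrays and objects need explicit encoding.
    if type(value) == "string" or type(value) == "number" then
      headers:add(name, tostring(value))
    end
  end
end

-- Constructed stub of request_handle so the handler can be run with plain
-- `lua` outside Envoy; delete everything below when pasting into a filter.
local function stub(metadata, initial)
  local h = { data = initial }
  function h:remove(k) self.data[k] = nil end
  function h:add(k, v) self.data[k] = v end
  local handle = {}
  function handle:headers() return h end
  function handle:streamInfo()
    return { dynamicMetadata = function() return { get = function(_, ns) return metadata[ns] end } end }
  end
  return handle, h.data
end

local handle, out = stub({ [JWT_FILTER] = { [ISSUER] = { sub = "alice", iss = ISSUER } } },
                         { ["x-jwt-sub"] = "spoofed" })
envoy_on_request(handle)
assert(out["x-jwt-sub"] == "alice" and out["x-jwt-iss"] == ISSUER)
local bare, out2 = stub({}, { ["x-jwt-sub"] = "spoofed" })
envoy_on_request(bare)
assert(out2["x-jwt-sub"] == nil)  -- spoofed header removed when no token is present
```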