Consider supporting localJWKS for JWT Authentication #2419

Open
ChristianCiach opened this issue Jan 8, 2024 · 3 comments · May be fixed by #4684
Labels
area/api API-related issues help wanted Extra attention is needed

ChristianCiach commented Jan 8, 2024

Description:

Currently, you can use a SecurityPolicy to configure JWT authentication by configuring the remoteJWKS field of the JWTProvider.

There may be cases where a remote JWKS endpoint may not exist or may not be directly reachable.

Envoy itself seems to support the configuration of a local_jwks attribute as an inline string or by referencing a file. I think Envoy Gateway should support this, too; either directly as an attribute of type string or by referencing a ConfigMap.

(I don't personally need this feature at the moment, but since Envoy supports this use-case, I think it makes sense to post this as a feature request.)

@arkodg arkodg added help wanted Extra attention is needed area/api API-related issues road-to-ga labels Jan 8, 2024
@arkodg arkodg added this to the v1.0.0-rc1 milestone Jan 8, 2024
@arkodg arkodg removed the triage label Jan 8, 2024
@arkodg arkodg removed the road-to-ga label Feb 8, 2024
@arkodg arkodg modified the milestones: v1.0.0-rc1, Backlog Feb 8, 2024
@mt-inside
Contributor

+1 for this feature. If you're maintaining your own JWT PKI, it might not be convenient to have the JWKS hosted over HTTP. There can also be issues with firewalls in restrictive environments.

When previously using Istio ingress, my provisioning scripts generated the private key, JWKS, and some JWTs for admins, and built Istio's equivalent to SecurityPolicy with the JWKS in-line. It'd be great to enable that workflow in EG too.
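
The provisioning step described in the comment above (generate the key, derive the JWKS, embed it locally), sketched as an added example that is not part of the original thread or of either project's code. It assumes a 2048-bit RSA key for RS256 and a `kid` set to the RFC 7638 thumbprint; the names `JWK`, `PublicJWK` and `Provision` are hypothetical.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"math/big"
)

// JWK holds only the public half of an RSA signing key (RFC 7517).
type JWK struct {
	Kty string `json:"kty"`
	Use string `json:"use"`
	Alg string `json:"alg"`
	Kid string `json:"kid"`
	N   string `json:"n"`
	E   string `json:"e"`
}

var b64 = base64.RawURLEncoding // JWK values are unpadded base64url

// PublicJWK converts a public key; kid is its RFC 7638 thumbprint
// (SHA-256 over the required members, sorted by name, no whitespace).
func PublicJWK(pub *rsa.PublicKey) JWK {
	n := b64.EncodeToString(pub.N.Bytes())
	e := b64.EncodeToString(big.NewInt(int64(pub.E)).Bytes())
	sum := sha256.Sum256([]byte(fmt.Sprintf(`{"e":"%s","kty":"RSA","n":"%s"}`, e, n)))
	return JWK{Kty: "RSA", Use: "sig", Alg: "RS256", Kid: b64.EncodeToString(sum[:]), N: n, E: e}
}

// Provision generates a signing key and the JWKS document to embed locally; the private key is never serialized.
func Provision() (*rsa.PrivateKey, string, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, "", err
	}
	out, err := json.Marshal(map[string][]JWK{"keys": {PublicJWK(&key.PublicKey)}})
	return key, string(out), err
}

func main() {
	_, jwks, err := Provision()
	if err != nil {
		panic(err)
	}
	fmt.Println(jwks) // one-key JWKS with public members only, suitable for an inline string or a ConfigMap
}
```

Tokens signed with the returned private key need the same `kid` in their header so that a verifier holding several keys can select the right one.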

@arkodg arkodg modified the milestones: Backlog, v1.1.0-rc1 May 23, 2024
@arkodg arkodg modified the milestones: v1.1.0-rc1, Backlog Jun 25, 2024
s0uky commented Aug 28, 2024

+1
I have an issue with Jwks async fetching failed over HTTPS. It would be great to define JWKS over a ConfigMap or some other local way.

Contributor

arkodg commented Nov 5, 2024

cc @sgargan, the API could look like DirectResponse, which provides the ability to specify an Inline value or a ValueRef (only ConfigMap is supported)
