Draft: feat(translation): expand sources of JWKS required to validate JWTs #4684
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
…required to validate JWTs Currently only HTTPS endpoints are supported via remoteJWKS field of the JWTProvider. This is deprecated in favor of a jwksSource field that expands the available locations JWKS content can be retireved from. Sources include an inline string in the source resource, a local file in the Gateway Container or from a Configmap/Secret. Signed-off-by: Steve Gargan <[email protected]>
sgargan
force-pushed
the
sgargan-jwks-sources
branch
from
64ac449
to
f7a8756
Compare
arkodg
reviewed
Nov 8, 2024
| // Inline, URI and Configmap/Secret contents are supported. | ||
| // | ||
| // +optional | ||
| JWKSSource *JWKSSource `json:"jwksSource"` |
There was a problem hiding this comment.
I like the jwks.Type idea !
we have been meaning to also add a backendRefs field to remoteJwks so upstream connection/traffic parameters can be controlled, relates to #3536
so the 2 options here are
- Represent backendRefs as a
Type - Keep the
remoteJwksfield, and add a new onelocalJwksto support the inline and valueRef cases
cc @envoyproxy/gateway-maintainers
There was a problem hiding this comment.
+1 for 2 as the structure is more straightfoward and less levels. It's a bit messy to add BackendCluster, URL, inline, and valueRef in a single structure.
remoteJWKS:
backendRefs:
- group: gateway.envoyproxy.io
kind: Backend
name: backend-fqdn
port: 443
backendSettings:
retry:
numRetries: 3
perRetry:
backOff:
baseInterval: 1s
maxInterval: 5s
retryOn:
triggers: ["5xx", "gateway-error", "reset"]
localJWKS:
type: inline
vaule: xxxxxxx
jwksSource:
type: BackendCluster
backendCluster:
backendRefs:
- group: gateway.envoyproxy.io
kind: Backend
name: backend-fqdn
port: 443
backendSettings:
retry:
numRetries: 3
perRetry:
backOff:
baseInterval: 1s
maxInterval: 5s
retryOn:
triggers: ["5xx", "gateway-error", "reset"]
There was a problem hiding this comment.
thanks for sharing your thoughts folks, lets go with 2.
|
@sgargan link error: Error: ./api/v1alpha1/jwt_types.go:28: specfied ==> specified |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Currently only HTTPS endpoints are supported via remoteJWKS field of the JWTProvider. This is deprecated in favour of a jwksSource field that expands the available locations JWKS content can be retrieved from. Sources include an inline string in the source resource, a local file in the Gateway Container or from a Configmap/Secret.
This is a draft of the proposed JWKSource structure for discussion ahead of implentation.
Fixes #2419