envoyproxy / gateway

Manages Envoy Proxy as a Standalone or Kubernetes-based Application Gateway
https://gateway.envoyproxy.io
Apache License 2.0

Consider supporting `localJWKS` for JWT Authentication #2419

Open ChristianCiach opened 8 months ago

ChristianCiach commented 8 months ago

Description:

Currently, you can use a SecurityPolicy to configure JWT authentication by configuring the remoteJWKS field of the JWTProvider.

There may be cases where a remote JWKS endpoint may not exist or may not be directly reachable.

Envoy itself seems to support the configuration of a local_jwks attribute as an inline string or by referencing a file. I think Envoy Gateway should support this, too; either directly as an attribute of type string or by referencing a ConfigMap.

(I don't personally need this feature at the moment, but since Envoy supports this use-case, I think it makes sense to post this as a feature request.)
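For readers unfamiliar with the Envoy-level setting the request refers to, the following is an added example (not part of the issue or of the Envoy Gateway project) showing the existing `remote_jwks` form of the `envoy.filters.http.jwt_authn` filter next to the two `local_jwks` forms Envoy supports: an inline JWKS string and a file path. The issuer, audience, cluster name, `kid` and the JWK coordinates are placeholders, and the inline JWKS is a constructed skeleton, not a usable key.

```yaml
# Added example: fragment of an Envoy HttpConnectionManager's http_filters list.
# Envoy Gateway would render something like this from a SecurityPolicy; today it
# only emits the remote_jwks variant.
http_filters:
- name: envoy.filters.http.jwt_authn
  typed_config:
    "@type": type.googleapis.com/envoy.extensions.filters.http.jwt_authn.v3.JwtAuthentication
    providers:
      # Existing behaviour: Envoy fetches the key set over HTTP(S) from a cluster.
      remote-provider:
        issuer: https://issuer.example.invalid          # placeholder issuer
        audiences: ["example-api"]                      # placeholder audience
        remote_jwks:
          http_uri:
            uri: https://issuer.example.invalid/.well-known/jwks.json
            cluster: jwks_cluster                       # placeholder cluster name
            timeout: 5s
          cache_duration: 300s
      # Requested behaviour, form 1: key set embedded in the configuration.
      # Constructed skeleton only; x and y must be the real base64url EC coordinates.
      inline-provider:
        issuer: https://issuer.example.invalid
        audiences: ["example-api"]
        local_jwks:
          inline_string: |
            {"keys":[{"kty":"EC","kid":"placeholder-kid","crv":"P-256",
                      "x":"<base64url-x>","y":"<base64url-y>","use":"sig"}]}
      # Requested behaviour, form 2: key set read from a file on the proxy's
      # filesystem, e.g. a ConfigMap mounted as a volume in Kubernetes.
      file-provider:
        issuer: https://issuer.example.invalid
        audiences: ["example-api"]
        local_jwks:
          filename: /etc/envoy/jwks/jwks.json           # placeholder path
    rules:
    - match:
        prefix: /
      requires:
        provider_name: inline-provider
```

Because a local JWKS is only refreshed when the configuration or file is updated, key rotation has to be part of the deployment process rather than happening automatically through the remote fetch; the ConfigMap-backed `filename` form keeps that rotation as a routine Kubernetes update.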

mt-inside commented 6 months ago

+1 for this feature. If you're maintaining your own JWT PKI, it might not be convenient to have the JWKS hosted over HTTP. There can also be issues with firewalls in restrictive environments.

When previously using Istio ingress, my provisioning scripts generated the private key, JWKS, and some JWTs for admins, and built Istio's equivalent to SecurityPolicy with the JWKS in-line. It'd be great to enable that workflow in EG too.

s0uky commented 2 weeks ago

+1 I have an issue with Jwks async fetching failing over HTTPS. It would be great to define the JWKS via a ConfigMap or some other local way.