Open ChristianCiach opened 8 months ago
+1 for this feature. If you're maintaining your own JWT PKI, it might not be convenient to have the JWKS hosted over HTTP. There can also be issues with firewalls in restrictive environments.
When previously using Istio ingress, my provisioning scripts generated the private key, JWKS, and some JWTs for admins, and built Istio's equivalent to SecurityPolicy with the JWKS in-line. It'd be great to enable that workflow in EG too.
+1
I have an issue with Jwks async fetching failed over HTTPS. It would be great to define JWKS over a ConfigMap or some other local way.
Description:
Currently, you can use a SecurityPolicy to configure JWT authentication by configuring the remoteJWKS field of the JWTProvider. There may be cases where a remote JWKS endpoint may not exist or may not be directly reachable.
Envoy itself seems to support the configuration of a local_jwks attribute as an inline string or by referencing a file. I think Envoy Gateway should support this, too; either directly as an attribute of type string or by referencing a ConfigMap.
(I don't personally need this feature at the moment, but since Envoy supports this use-case, I think it makes sense to post this as a feature request.)
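For reference, this is how the Envoy-level setting mentioned in the description looks in a jwt_authn HTTP filter, with a remote key source beside the two local forms (inline string and file). It is an added example, not part of the original issue and not Envoy Gateway's API; the provider names, issuers, cluster name, file path and key values are placeholders.

```yaml
# Added illustration: every name, URL, path and key value below is a placeholder.
name: envoy.filters.http.jwt_authn
typed_config:
  "@type": type.googleapis.com/envoy.extensions.filters.http.jwt_authn.v3.JwtAuthentication
  providers:
    # Remote source: Envoy fetches the key set through an upstream cluster,
    # which is the path that fails when the endpoint is missing or firewalled.
    remote_example:
      issuer: https://remote-issuer.example.com
      remote_jwks:
        http_uri:
          uri: https://remote-issuer.example.com/.well-known/jwks.json
          cluster: jwks_cluster
          timeout: 5s
        cache_duration: 300s
    # Local source, inline: the key set travels with the configuration,
    # so no outbound fetch happens at all.
    local_inline_example:
      issuer: https://local-issuer.example.com
      local_jwks:
        inline_string: |
          {"keys": [{"kty": "RSA", "use": "sig", "alg": "RS256",
                     "kid": "PLACEHOLDER-KID",
                     "n": "PLACEHOLDER-BASE64URL-MODULUS",
                     "e": "AQAB"}]}
    # Local source, file: the key set is read from a path on the proxy's
    # filesystem (for example a mounted volume).
    local_file_example:
      issuer: https://file-issuer.example.com
      local_jwks:
        filename: /etc/envoy/jwks/jwks.json
  rules:
  - match:
      prefix: /
    requires:
      provider_name: local_inline_example
```

A local key set holds public keys only and is not refreshed the way a cached remote one is, so rotating signing keys means shipping an updated configuration or file.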