istio-ecosystem / authservice

Move OIDC token acquisition out of your app code and into the Istio mesh
Apache License 2.0

Dynamically fetch jwks based on configured URI #34

Closed tylerschultz closed 3 years ago

tylerschultz commented 5 years ago

Placeholder issue. Details TBD.

nickrmc83 commented 5 years ago

See https://openid.net/specs/openid-connect-discovery-1_0.html and https://github.com/envoyproxy/envoy/blob/master/source/extensions/filters/http/common/jwks_fetcher.cc

sebster commented 4 years ago

This would be really useful to have. Especially with many environments and many back-ends, it makes the configuration less error prone and a lot more convenient.

incfly commented 3 years ago

Seems like we already have some feature requests. @Shikugawa is already working on this.

incfly commented 3 years ago

@Shikugawa Can you work on providing documentation and verify this works E2E? I tried myself but it is not working when using a JWKS URI (changing this back to the inlined jwks works again).

Ways to reproduce

  1. Follow instructions in book-info/readme.md
  2. Set up the image (you can build your own and swap it in to make sure) via helm --set authservie.image="ghcr.io/istio-ecosystem/authservice/authservice:dev"
  3. Change the config.yaml as
     "jwks_fetcher": {
       "jwks_uri": "https://www.googleapis.com/oauth2/v3/certs"
     },
  4. Port forward, send requests, etc. You will see the request stuck at the callback; the authservice pod has the error shown in authsvc.log
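The behaviour a `jwks_fetcher` configured with a `jwks_uri` (as in step 3 above) has to provide is: fetch the key set on demand, cache it by `kid`, refetch when a token arrives with a `kid` that is not cached (the provider rotated keys), and not let an unknown `kid` turn every request into an outbound fetch. The following is an added example written for this thread, not authservice's own C++ fetcher and not the Envoy `jwks_fetcher.cc` linked earlier. It is in Go, the names `JWKSCache`, `Key`, `MinRefresh`, `jwkOf` and `Demo` are assumptions of this example, and the key set it fetches is served by a constructed `httptest` endpoint rather than the Google `certs` URL, so it runs offline.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"math/big"
	"net/http"
	"net/http/httptest"
	"sync"
	"sync/atomic"
	"time"
)

var b64 = base64.RawURLEncoding

// JWKSCache fetches the key set from a jwks_uri on demand and caches it by kid.
type JWKSCache struct {
	URI        string
	Client     *http.Client
	MinRefresh time.Duration // floor between refetches triggered by unknown kids
	mu         sync.Mutex
	keys       map[string]*rsa.PublicKey
	lastFetch  time.Time
}

// refresh downloads the JWKS and keeps its RSA keys; the caller holds c.mu.
func (c *JWKSCache) refresh() error {
	resp, err := c.Client.Get(c.URI)
	if err != nil {
		return err
	}
	defer resp.Body.Close()
	if resp.StatusCode != http.StatusOK { // an error body must not replace a good cache
		return fmt.Errorf("jwks fetch: HTTP %d", resp.StatusCode)
	}
	var set struct{ Keys []struct{ Kid, Kty, N, E string } } // the RFC 7517 fields we need
	if err := json.NewDecoder(resp.Body).Decode(&set); err != nil {
		return err
	}
	keys := map[string]*rsa.PublicKey{}
	for _, k := range set.Keys {
		n, errN := b64.DecodeString(k.N)
		e, errE := b64.DecodeString(k.E)
		if k.Kty == "RSA" && errN == nil && errE == nil { // skip non-RSA or malformed entries
			keys[k.Kid] = &rsa.PublicKey{N: new(big.Int).SetBytes(n), E: int(new(big.Int).SetBytes(e).Int64())}
		}
	}
	c.keys, c.lastFetch = keys, time.Now()
	return nil
}

// Key returns the key for kid. An unknown kid triggers a refetch (the provider may have
// rotated keys) but at most once per MinRefresh, so a kid chosen by whoever minted the
// token cannot turn every request into an outbound call to the provider.
func (c *JWKSCache) Key(kid string) (*rsa.PublicKey, error) {
	c.mu.Lock()
	defer c.mu.Unlock()
	if _, ok := c.keys[kid]; !ok && time.Since(c.lastFetch) >= c.MinRefresh {
		if err := c.refresh(); err != nil {
			return nil, err
		}
	}
	if k, ok := c.keys[kid]; ok {
		return k, nil
	}
	return nil, fmt.Errorf("unknown kid %q", kid)
}

func jwkOf(kid string, p *rsa.PublicKey) map[string]string { // JWK entry for the constructed provider
	return map[string]string{"kid": kid, "kty": "RSA", "n": b64.EncodeToString(p.N.Bytes()), "e": b64.EncodeToString(big.NewInt(int64(p.E)).Bytes())}
}

// Demo runs a constructed JWKS endpoint (not a real provider) that rotates in a second key
// after its first fetch, and reports which lookups resolved plus how many fetches it saw.
func Demo() (found [3]bool, fetches int32) {
	k1, _ := rsa.GenerateKey(rand.Reader, 2048)
	k2, _ := rsa.GenerateKey(rand.Reader, 2048)
	var served atomic.Int32
	srv := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) {
		keys := []map[string]string{jwkOf("k1", &k1.PublicKey)}
		if served.Add(1) > 1 { // the provider has rotated in k2 by the time of the second fetch
			keys = append(keys, jwkOf("k2", &k2.PublicKey))
		}
		json.NewEncoder(w).Encode(map[string]any{"keys": keys})
	}))
	defer srv.Close()
	c := &JWKSCache{URI: srv.URL, Client: srv.Client(), MinRefresh: 300 * time.Millisecond}
	p1, err1 := c.Key("k1") // first lookup: fetch #1
	found[0] = err1 == nil && p1.N.Cmp(k1.N) == 0
	time.Sleep(c.MinRefresh) // let the refresh window elapse before the rotated key is requested
	p2, err2 := c.Key("k2") // unknown kid, window elapsed: fetch #2, now served
	found[1] = err2 == nil && p2.N.Cmp(k2.N) == 0
	_, err3 := c.Key("zzz") // unknown kid right after a fetch: no refetch, just an error
	found[2] = err3 == nil
	return found, served.Load()
}
```

In a real deployment `URI` would be the `jwks_uri` from the config above and `Client` an `http.Client` with a timeout; the cache is then consulted by whatever verifies the ID token's signature. Two details are deliberate: a non-200 response returns an error without touching the cached keys, and the refetch-on-unknown-kid is rate-limited so that a stream of tokens with bogus `kid` values does not become a stream of requests to the provider.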
Shikugawa commented 3 years ago

> @Shikugawa Can you work on providing documentation and verify this works E2E? I tried myself but it is not working when using a JWKS URI (changing this back to the inlined jwks works again).
>
> Ways to reproduce
>
>   1. Follow instructions in book-info/readme.md
>   2. Set up the image (you can build your own and swap it in to make sure) via helm --set authservie.image="ghcr.io/istio-ecosystem/authservice/authservice:dev"
>   3. Change the config.yaml as
>      "jwks_fetcher": {
>        "jwks_uri": "https://www.googleapis.com/oauth2/v3/certs"
>      },
>   4. Port forward, send requests, etc. You will see the request stuck at the callback; the authservice pod has the error shown in authsvc.log

@incfly Seems curious. Let me check.