Better logging when using extauth for JWT validations

[AkshayAdsul]

Version

None

Is your feature request related to a problem? Please describe.

Currently we see below behaviour when we have JWT + OPA set up in the AuthConfig

• extauth doesn't log JWT verification failures in extauth unless extauth container's debug logs are enabled.
• enabling debug logs in extauth starts logging entire payload that envoy sends to OPA engine, this includes Authorization header as well.
• if JWT is verified successfully, no logs are generated even in debug mode We need a better way for logging and visibility.

Describe the solution you'd like

Would like the ability to log JWT failures/success but don't want the entire debug logs.

Describe alternatives you've considered

Some of the alternatives considered are the stats and access logs from the Proxy. For instance for access logging you can enable the %RESPONSE_CODE% %RESPONSE_CODE_DETAILS% %RESPONSE_FLAGS% which might give you more insights. Check this link for more details https://www.envoyproxy.io/docs/envoy/latest/configuration/observability/access_log/usage

For stats you can track the extauth denials or failures. Envoy sees extauth as any other target service so there are stats generated for extauth just like anything else https://www.envoyproxy.io/docs/envoy/latest/configuration/upstream/cluster_manager/cluster_stats#config-cluster-manager-cluster-stats

Additional Context

Please refer https://solo-io.zendesk.com/agent/tickets/1594 for additional context.

[github-actions[bot]]

This issue has been marked as stale because of no activity in the last 180 days. It will be closed in the next 180 days unless it is tagged "no stalebot" or other activity occurs.

[soloio-bot]

Zendesk ticket #1594 has been linked to this issue.