Open edubonifs opened 10 months ago
It could be fixed with the new version of ext-auth, see the issue linked above. PTAL @edubonifs
Hi, I just tested in GE enterprise 1.15.6 and I am still not able to extract the claim as a header when the JWT validation fails
Still doesn't work in GEE 1.16.4. IIRC VirtualService JWT option is translated to jwt filter directly in envoy so new extauth version doesn't change the behavior.
This was fixed a while ago in GME with this PR: https://github.com/solo-io/gloo-mesh-enterprise/pull/11113
This is a Gloo Gateway <-> Gloo Mesh Gateway feature parity concern.
Gloo Edge Product
Enterprise
Gloo Edge Version
1.15
Is your feature request related to a problem? Please describe.
When I set allowMissingOrFailed: true then claimsToHeaders is applied to the upstream request as expected. When I set allowMissingOrFailed: true then claimsToHeaders is not applied. You need to be able to set allowMissingOrFailed: true to combine a JWTStaged AfterExtAuth with a customExtAuth.
We have a customer that wants to route based on the claims of a jwt which was issued by a custom extauth. So extauth issues jwt, and then we need to perform jwtStaged afterExtAuth in order to do claimToHeaders, but they don't want to perform verification for the jwt, just claimToHeaders. However, if we set allowMissingOrFailed: true, claimToHeaders is not done.
I saw a github issue for GM that seems exactly the same case: https://github.com/solo-io/gloo-mesh-enterprise/issues/10588
Describe the solution you'd like
When I set allowMissingOrFailed: true then claimsToHeaders is applied even though the request didn't pass, as we might not want to do verification, but just claimToHeaders.
If this is implemented in GP maybe it is easier to implement it in GE
Describe alternatives you've considered
No response
Additional Context
For reproducing, just create a VirtualService with stagedJwt using httpbin:
And check that if allowMissingOrFailedJwt is false, we can see the org header:
But if I have allowMissingOrFailedJwt set to true, I don't see the header any more:
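
The behaviour this issue asks for, modelled as an added Python example (not Gloo Edge or Envoy code, and not part of the original issue): with allowMissingOrFailed true, claims are still copied to headers from a token whose signature was not verified. The `org` claim, the `x-org` header name, the function names and the sample token are constructed assumptions, and the model assumes the token was attached by the trusted ext-auth stage rather than by the client.

```python
import base64
import json

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def make_sample_token(claims: dict) -> str:
    """Constructed sample JWT; the signature part is a dummy and is never checked."""
    header = b64url(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    payload = b64url(json.dumps(claims).encode())
    return f"{header}.{payload}.{b64url(b'dummy-signature')}"

def decode_claims_unverified(token: str):
    """Return the payload claims WITHOUT signature verification, or None if malformed."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    try:
        raw = base64.urlsafe_b64decode(parts[1] + "=" * (-len(parts[1]) % 4))
        claims = json.loads(raw)
    except ValueError:  # covers bad base64, bad UTF-8 and bad JSON
        return None
    return claims if isinstance(claims, dict) else None

def jwt_stage(headers, token, claims_to_headers, verified, allow_missing_or_failed):
    """Hypothetical model of the requested stage: returns (forwarded, upstream_headers)."""
    mapped = {h.lower() for h in claims_to_headers.values()}
    # Drop any client-supplied copy of a mapped header so only this stage can set it.
    upstream = {k: v for k, v in headers.items() if k.lower() not in mapped}
    if not verified and not allow_missing_or_failed:
        return False, upstream  # strict mode: the request is rejected
    claims = decode_claims_unverified(token) if token else None
    for claim, header in claims_to_headers.items():
        value = (claims or {}).get(claim)
        if isinstance(value, str):  # only plain string claims become headers
            upstream[header] = value
    return True, upstream

if __name__ == "__main__":
    token = make_sample_token({"org": "example-org", "sub": "user-1"})
    request = {"accept": "*/*", "X-Org": "spoofed-by-client"}
    print(jwt_stage(request, token, {"org": "x-org"}, False, True))
    print(jwt_stage(request, token, {"org": "x-org"}, False, False))
```
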