zalando / skipper

An HTTP router and reverse proxy for service composition, including use cases like Kubernetes Ingress
https://opensource.zalando.com/skipper/

JWT Token validation without introspection endpoint #1810

Closed abinet closed 2 years ago

abinet commented 3 years ago

In our current project we are using skipper to cover the authorization part for applications running on AKS. The OpenID flow works fine, but because Azure AD does not provide a token introspection endpoint, we are not able to validate tokens in the service-2-service use case. To cover this gap we implemented a new filter, jwtValidation. This filter extracts the Authorization Bearer token, validates it using the public keys of the Authorization server and stores the info into the same map as oauthOidcUserInfo does. So we can use oidcClaimsQuery for filtering based on claims extracted from the token.

Filter parameters are:

jwtValidation(authorization_provider_url, claims, upstream_headers)

Here is an example of usage:

zalando.org/skipper-filter: jwtValidation("https://login.microsoftonline.com/<tenant_id>/v2.0/",
      "sub", "X-Remote-User:sub") -> oidcClaimsQuery("/:groups.#[==\"group-a\"]","/:groups.#[==\"group-b\"]")

It would be great to review filter functionality with skipper team and contribute back.

aryszka commented 3 years ago

Hi @abinet, thanks a lot. I agree with this proposal, the functionality makes a lot of sense. We also thought about it already, but we currently use a sidecar for this functionality internally, and it was not a main priority to replace it with internal logic. But clearly, that would make the setup way simpler for everybody.

AlexanderYastrebov commented 3 years ago

https://github.com/zalando/skipper/issues/1752 might be related

szuecs commented 3 years ago

I added some comments. Mainly:

  1. you do need a goroutine to refresh public keys from JWKs
  2. because of 1. you don't need the authclient at all
  3. because of 1. you should not fetch public keys in Request()
  4. you should use a separate type for the query filter, similar to https://github.com/zalando/skipper/blob/master/filters/auth/grantclaimsquery.go

AlexanderYastrebov commented 2 years ago

1811 introduced https://github.com/zalando/skipper/blob/master/docs/reference/filters.md#jwtvalidation