jwt_authn: Add header_to_metadata

[dio]

Commit Message:

This patch adds the header_to_metadata field to the JwtProvider config to allow setting the extracted header of a successfully verified JWT to dynamic metadata.

Additional Description:
Risk Level: Low, a new feature
Testing: Added
Docs Changes: Added
Release Notes: Added
Platform-Specific Features: N/A
Fixes #18138

[repokitteh-read-only]

As a reminder, PRs marked as draft will not be automatically assigned reviewers,
or be handled by maintainer-oncall triage.

Please mark your PR as ready when you want it to be reviewed!

🐱

Caused by: #18140 was opened by dio.

see: more, trace.

[repokitteh-read-only]

CC @envoyproxy/api-shepherds: Your approval is needed for changes made to api/envoy/.
envoyproxy/api-shepherds assignee is @mattklein123
CC @envoyproxy/api-watchers: FYI only for changes made to api/envoy/.

🐱

Caused by: #18140 was opened by dio.

see: more, trace.

[lizfeed]

Thanks for the quick response! I've verified I can log this new metadata field in this release. I use envoy_data_plane, so I can also verify that the protobufs are generated correctly at least for python.

[yangminzhu]

what if payload_in_metadata is the same as header_in_metadata? Is it allowed?

[qiwzhang]

it should not be allowed, please add comment on this restriction.

[dio]

Added a warning section. Please let me know if we want to validate this when checking the config.

[yangminzhu]

hmm, the current comment says ... is not allowed ... which I would expect the validation is going to reject the config, or you can just update the comment to be more accurate (it's not suggested due to potential override but can still be used (won't be rejected in validation) if the user is sure it won't have any override for their use case).

[dio]

@yangminzhu I updated as you suggested.

[yangminzhu]

hmm, the current comment says ... is not allowed ... which I would expect the validation is going to reject the config, or you can just update the comment to be more accurate (it's not suggested due to potential override but can still be used (won't be rejected in validation) if the user is sure it won't have any override for their use case).

[yangminzhu]

set_payload_cb_ should have a more generic name as it now sets both payload and header.

[dio]

Updated.

[dio]

@qiwzhang @yangminzhu I have a question, re:

envoy/source/extensions/filters/http/jwt_authn/verifier.h

Lines 29 to 34 in a3cc673

	/**
	* Successfully verified JWT payload are stored in the struct with its
	* *fields* containing **issuer** as keys and **payload** as string values
	* This function is called before onComplete() function.
	* It will not be called if no payload to write.
	*/

. Do you think this is still correct? I'm not sure I understand there is a use-case when we do this (storing the payload as a string).

[mattklein123]

Will wait for review/approve from @yangminzhu or @qiwzhang before looking, thanks.

/wait-any

[yangminzhu]

@qiwzhang @yangminzhu I have a question, re:

envoy/source/extensions/filters/http/jwt_authn/verifier.h

Lines 29 to 34 in a3cc673

	/**
	* Successfully verified JWT payload are stored in the struct with its
	* *fields* containing **issuer** as keys and **payload** as string values
	* This function is called before onComplete() function.
	* It will not be called if no payload to write.
	*/

. Do you think this is still correct? I'm not sure I understand there is a use-case when we do this (storing the payload as a string).

storing the payload as a string is to pass the payload to backend application without the signature so that the backend can not reuse the JWT token.