jwt_authn: write JWT payload to dynamic metadata#4698
qiwzhang wants to merge 3 commits into envoyproxy:master from
Conversation
Signed-off-by: Wayne Zhang <qiwzhang@google.com>
void storeAuth(AuthenticatorPtr&& auth) { auths_.emplace_back(std::move(auth)); }

// Add a pair of (issuer, payload), called by Authenticator
void addPaylod(const std::string& issuer, const std::string& payload) {
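Review bot: the new method name `addPaylod` is misspelled; rename it to `addPayload` before callers in Authenticator start depending on it. The comment says the method stores a pair of (issuer, payload) but not what `payload` holds (the raw base64url segment or the decoded claims) nor what happens when the same issuer is added twice; state both in the comment, because every consumer of the resulting metadata will rely on that contract.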
curr_token_->removeJwt(*headers_);
}
if (set_payload_cb_ && provider.payload_in_metadata()) {
set_payload_cb_(provider.issuer(), jwt_->payload_str_base64url_);
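Review bot: the value handed to `set_payload_cb_` is `jwt_->payload_str_base64url_`, the still-encoded payload segment, so every downstream filter has to base64url-decode and JSON-parse it before it can look at a single claim; pass the already-parsed claims (for example a ProtobufWkt::Struct) so RBAC and other consumers can match fields directly. The guard `set_payload_cb_ && provider.payload_in_metadata()` correctly keeps the write opt-in per provider; keep this call on the path that is reached only after the token verified successfully, so a rejected or missing token never populates metadata.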
Can we set the non-decoded version? It saves a call to base64 decode in the consumer.
Actually, can we parse the JSON payload into a ProtobufWkt::Struct? Otherwise you won't be able to match each claim in RBAC.
Also, rather than issuer as key, provider_name would be better.
For the allow_missing_or_fail rule, it doesn't need to specify a provider, so there is no provider_name. In theory, there could be two ProviderInfo with the same issuer. It is a useful feature for normal cases. But for the allow_missing_or_fail case, we choose the first one matched with the issuer from the JWT token, so it is better not to have two providers pointing to the same issuer in the config.
Overall, writing issuer works for all cases, but provider name does not.
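The metadata shape argued over in this thread (raw base64url payload versus decoded claims, keyed by issuer), modelled as an added stand-alone Python illustration; this is not Envoy's code, and the issuer URL, the claims and the refuse-on-duplicate-issuer behaviour are constructed assumptions.

```python
import base64
import json

# Added illustration, not Envoy code: models the metadata shape debated in
# the PR review (raw base64url string vs decoded claims, keyed by issuer).
# The issuer URL and claims used below are constructed sample values.

def encode_payload(claims: dict) -> str:
    """Build an unpadded base64url JWT payload segment from a claims dict."""
    raw = json.dumps(claims, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def decode_jwt_payload(payload_b64url: str) -> dict:
    """JWT segments omit '=' padding; restore it before decoding."""
    padded = payload_b64url + "=" * (-len(payload_b64url) % 4)
    return json.loads(base64.urlsafe_b64decode(padded))

def write_payload_metadata(metadata: dict, issuer: str, payload_b64url: str,
                           decoded: bool = True) -> bool:
    """Record one verified payload under its issuer key.

    Returns False instead of overwriting when the issuer key already exists:
    the collision the thread warns about when two providers in one config
    share an issuer. With decoded=False the raw base64url string is stored,
    which is what the PR's original line did.
    """
    if issuer in metadata:
        return False
    if decoded:
        claims = decode_jwt_payload(payload_b64url)
        if claims.get("iss") != issuer:
            raise ValueError("payload issuer does not match provider issuer")
        metadata[issuer] = claims
    else:
        metadata[issuer] = payload_b64url
    return True

def rbac_claim_matches(metadata: dict, issuer: str, claim: str, expected) -> bool:
    """What an RBAC-style consumer can do: per-claim matching only works when
    the stored value is a decoded mapping, not an opaque string."""
    entry = metadata.get(issuer)
    return isinstance(entry, dict) and entry.get(claim) == expected

if __name__ == "__main__":
    md = {}
    tok = encode_payload({"iss": "https://issuer-a.example", "sub": "alice", "role": "admin"})
    write_payload_metadata(md, "https://issuer-a.example", tok)
    print(rbac_claim_matches(md, "https://issuer-a.example", "role", "admin"))
```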
Verifier::Callbacks* callback_;
std::unordered_map<const Verifier*, CompletionState> completion_states_;
std::vector<AuthenticatorPtr> auths_;
std::vector<std::pair<std::string, std::string>> payload_pairs_;
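Review bot: `payload_pairs_` declared as `std::vector<std::pair<std::string, std::string>>` permits duplicate issuer keys and holds opaque strings, so the collected payloads still need a conversion step before they can be emitted as dynamic metadata; a `ProtobufWkt::Struct` keyed by issuer, as suggested in the review, would enforce one entry per issuer and be writable to StreamInfo directly. Since the neighbouring members (`callback_`, `completion_states_`) track a single verification, add a comment stating when `payload_pairs_` is emitted and cleared so that no payload outlives the request it was verified for.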
Just use ProtobufWkt::Struct here?
I am looking for utility code to convert JSON to protobuf::Struct. Do you know of any?
How about just using MessageUtil::loadFromJson() to convert it to Struct? Not sure what it will look like.
Please fix the build issue.
Sorry, the build issue might not be due to a master failure; fix coming in #4701.
Merged - mind pulling master to pick up the fix?
Sure
Sorry, I pushed the wrong button to close it.
Signed-off-by: Wayne Zhang <qiwzhang@google.com>
Description:
Use dynamicMetadata in the StreamInfo to pass all successfully verified JWT payloads to other HTTP filters.
Risk Level: Low
Testing: Add unit tests