Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Allow the remoteJWKS uri to specify a path to a file in the envoy pod. #4632

Closed
sgargan opened this issue Nov 5, 2024 · 1 comment
Closed

Allow the remoteJWKS uri to specify a path to a file in the envoy pod. #4632

sgargan opened this issue Nov 5, 2024 · 1 comment
Labels
triage

Comments

@sgargan
Copy link
Contributor

sgargan commented Nov 5, 2024

Description:

The JWT providers section of SecurityPolicy resources specify a remoteJWKS field with a uri that the key set should be downloaded from.

apiVersion: gateway.envoyproxy.io/v1alpha1
kind: SecurityPolicy
metadata:
  name: policy-for-gateway
spec:
  jwt:
     providers:
         remoteJWKS:
            uri: https://example.com/jwks.json

The majority of use cases will use asymmetric keypairs and so retrieving a keyset with a public key makes sense. However, if the JWT is signed with a symmetric key then retrieving the JWKS from a remote url poses a security concern. For keysets with symmetric keys it would be more secure to load the keyset from a secret mounted into the gateway pods.

As it stands, the uri in the RemoteJWKS type could be used to make this possible. It could examine the scheme of the uri and create a jwtauthnv3.RemoteJwks instance for http/https uris or JwtProvider_LocalJwks instances with a corev3.DataSource for any uris with a file: scheme (or no scheme).

I've put together an MR to support this this, but had an open question about the name of the remoteJWKS field. Ideally this would use a name without the remote prefix (e.g. jwksSource) to futureproof further additions, but at the same time, renaming it introduces versioning/compatibility pain. Alternatively, a localJWKS field could be added to explicitly call out that it is sourced locally

Since this isn't a common use case, I'm not sure renaming remoteJWKS is necessary. The current uri field seems to handle filesystem access just fine and overloading the uri now would not stop something more explicit like localJWKS in the future. That having been said, I'd like to get everyone's opinions before continuing further with the MR.

Relevant Links:
Symmetric keys in JWKS spec

@sgargan sgargan added the triage label Nov 5, 2024
@arkodg
Copy link
Contributor

arkodg commented Nov 5, 2024

hey @sgargan closing this issue since its a dup of #2419, its a valid feature, we'd like to get into the project, would be great if you can drive #2419 , suggest starting with an API suggestion first, most existing implementations (envoyproxy and non envoy proxy based) support this, so could use those as inspiration/reference

@arkodg arkodg closed this as completed Nov 5, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
triage
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@sgargan @arkodg