Consider supporting localJWKS for JWT Authentication #2419
Comments
+1 for this feature. If you're maintaining your own JWT PKI, it might not be convenient to have the JWKS hosted over HTTP. There can also be issues with firewalls in restrictive environments. When previously using Istio ingress, my provisioning scripts generated the private key, JWKS, and some JWTs for admins, and built Istio's equivalent to SecurityPolicy with the JWKS in-line. It'd be great to enable that workflow in EG too.
+1
cc @sgargan, the API could look like DirectResponse which provides the ability to specify a
/assign @sgargan
Description:
Currently, you can use a SecurityPolicy to configure JWT authentication by configuring the remoteJWKS field of the JWTProvider.
There may be cases where a remote JWKS endpoint may not exist or may not be directly reachable.
Envoy itself seems to support the configuration of a local_jwks attribute as an inline string or by referencing a file. I think Envoy Gateway should support this, too; either directly as an attribute of type string or by referencing a ConfigMap.
(I don't personally need this feature at the moment, but since Envoy supports this use-case, I think it makes sense to post this as a feature request.)
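An added example, not part of the issue or of Envoy Gateway's code: when a provisioning script inlines a JWKS next to the private key it just generated, a pre-flight check that the document holds public key material only is worth running before the string goes into `local_jwks`. The function names and sample documents are assumptions made for illustration; `issuer`, `local_jwks` and `inline_string` are the field names of Envoy's JWT provider configuration.

```python
import json

# JWK members that carry private or secret key material (RFC 7518).
PRIVATE_MEMBERS = {"d", "p", "q", "dp", "dq", "qi", "oth", "k"}
# Public members each asymmetric key type must carry.
REQUIRED = {"RSA": {"n", "e"}, "EC": {"crv", "x", "y"}, "OKP": {"crv", "x"}}
# Constructed samples; "n" and "d" are placeholders, not real key values.
SAMPLE_PUBLIC = '{"keys":[{"kty":"RSA","kid":"admin-1","n":"Y29uc3RydWN0ZWQ","e":"AQAB"}]}'
SAMPLE_PRIVATE = '{"keys":[{"kty":"RSA","kid":"admin-1","n":"Y29uc3RydWN0ZWQ","e":"AQAB","d":"c2VjcmV0"}]}'


def check_public_jwks(jwks_text):
    """Return a list of problems; an empty list means public keys only."""
    try:
        doc = json.loads(jwks_text)
    except json.JSONDecodeError as exc:
        return [f"not valid JSON: {exc.msg}"]
    keys = doc.get("keys") if isinstance(doc, dict) else None
    if not isinstance(keys, list) or not keys:
        return ["top-level 'keys' array is missing or empty"]
    problems, seen_kids = [], set()
    for i, key in enumerate(keys):
        if not isinstance(key, dict):
            problems.append(f"keys[{i}]: not a JSON object")
            continue
        kty, kid = key.get("kty"), key.get("kid")
        label = f"keys[{i}] kid={kid!r}"
        leaked = sorted(PRIVATE_MEMBERS.intersection(key))
        if leaked:
            problems.append(f"{label}: private or secret members {leaked}")
        if not isinstance(kty, str) or kty not in REQUIRED:
            problems.append(f"{label}: kty {kty!r} is not a public asymmetric type")
        elif REQUIRED[kty].difference(key):
            problems.append(f"{label}: missing {sorted(REQUIRED[kty].difference(key))}")
        if isinstance(kid, str):
            if kid in seen_kids:
                problems.append(f"{label}: duplicate kid")
            seen_kids.add(kid)
    return problems


def envoy_local_jwks_provider(issuer, jwks_text):
    """Build the provider fragment, refusing a JWKS that fails the check."""
    problems = check_public_jwks(jwks_text)
    if problems:
        raise ValueError("; ".join(problems))
    compact = json.dumps(json.loads(jwks_text), separators=(",", ":"))
    return {"issuer": issuer, "local_jwks": {"inline_string": compact}}
```

The check rejects symmetric (`oct`) keys as a policy choice of this example, since an inlined shared secret would be readable by anyone who can read the configuration.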