Validate ID Token when OIDC is set #5414

Open
arkodg opened this issue Mar 5, 2025 · 8 comments


arkodg commented Mar 5, 2025

Description:


The OIDC spec calls out verifying the ID Token https://openid.net/specs/openid-connect-core-1_0.html#IDTokenValidation

This could be enabled by default or opt-in.


@arkodg arkodg added triage help wanted Extra attention is needed kind/feature new feature and removed triage labels Mar 5, 2025

arkodg commented Mar 5, 2025

cc @denniskniep @zhaohuabing


markwinter commented Mar 6, 2025

Hey, I'm looking to start working on Envoy Gateway and wouldn't mind picking this one up

@markwinter

/assign @markwinter


arkodg commented Mar 6, 2025

thanks for picking this one up @markwinter, recommend starting off with an API PR

@arkodg arkodg removed the help wanted Extra attention is needed label Mar 6, 2025
@arkodg arkodg added this to the v1.4.0-rc.1 milestone Mar 6, 2025

zhaohuabing commented Mar 7, 2025

@arkodg @markwinter I believe this needs to be supported by the Envoy OAuth2 filter first, then we can enable validation in EG.


arkodg commented Mar 7, 2025

@zhaohuabing can't we add jwt authn if this field is set?


markwinter commented Mar 8, 2025

I found related discussions here
#2425 (comment)
envoyproxy/envoy#32805

I checked that the forward_bearer_token in the oauth2 filter will set the access token in the Authorization header
https://github.com/envoyproxy/envoy/blob/22a07c31780d8b3b95460c0cc7333ab5e14b89ab/source/extensions/filters/http/oauth2/filter.cc#L882-L884

Perhaps this can be implemented by combining the oauth2 filter and the jwt filter as you mentioned @arkodg, and using jwtExtractor/from_cookies to get the id token from the cookie set by the oauth2 filter.

I think I know the path forward here so will start on the API PR

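Whichever Envoy filter ends up verifying the signature, the ID Token validation section of the OIDC spec linked at the top of the issue still requires the relying party to check iss, aud/azp, exp and (when one was sent) nonce. The Go function below is an added illustration of those claim checks, not Envoy Gateway or Envoy code; it assumes the caller hands it the already-decoded payload segment of the ID Token after the signature has been verified against the provider's JWKS (the part a jwt_authn provider would do), and that the issuer, client_id and nonce are the values the gateway itself configured or sent.

```go
package main

import (
	"encoding/json"
	"errors"
	"time"
)

// IDClaims keeps "aud" raw: OIDC allows a single string or an array of strings.
type IDClaims struct {
	Iss   string          `json:"iss"`
	Aud   json.RawMessage `json:"aud"`
	Azp   string          `json:"azp"`
	Exp   int64           `json:"exp"`
	Nonce string          `json:"nonce"`
}

// ValidateIDTokenClaims applies the iss/aud/azp/exp/nonce checks of OIDC Core
// 3.1.3.7 to payload, the decoded second segment of the ID Token JWT. It assumes
// the signature was already verified against the provider's JWKS (jwt_authn's job).
func ValidateIDTokenClaims(payload []byte, issuer, clientID, nonce string, now time.Time) (*IDClaims, error) {
	var c IDClaims
	if err := json.Unmarshal(payload, &c); err != nil {
		return nil, errors.New("ID token payload is not valid JSON")
	}
	var auds []string
	var one string
	if json.Unmarshal(c.Aud, &auds) != nil && json.Unmarshal(c.Aud, &one) == nil {
		auds = []string{one} // single-string form of aud
	}
	hasAud := false
	for _, a := range auds {
		hasAud = hasAud || a == clientID
	}
	switch {
	case c.Iss != issuer:
		return nil, errors.New("iss is not the configured issuer")
	case !hasAud:
		return nil, errors.New("aud does not contain this client_id")
	case len(auds) > 1 && c.Azp == "":
		return nil, errors.New("azp is required when aud lists several audiences")
	case c.Azp != "" && c.Azp != clientID:
		return nil, errors.New("azp is not this client_id")
	case c.Exp == 0 || !now.Before(time.Unix(c.Exp, 0)):
		return nil, errors.New("token is expired or carries no exp")
	case nonce != "" && c.Nonce != nonce: // only checked when a nonce was sent
		return nil, errors.New("nonce does not match the nonce sent in the auth request")
	}
	return &c, nil
}
```

The inputs in the checks above are constructed; a real deployment takes the issuer and client_id from the gateway's OIDC configuration and the nonce from the login session, not from the token itself.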

markwinter commented Mar 8, 2025

@arkodg Opened the API PR here; if you could have a look please and see if it aligns with what you were thinking: #5443
