From e8235f2478a83ec61a0ae1c4f1581f06235be4dc Mon Sep 17 00:00:00 2001
From: "update-envoy[bot]" <135279899+update-envoy[bot]@users.noreply.github.com>
Date: Tue, 17 Dec 2024 16:58:59 +0000
Subject: [PATCH] jwt_authn: Add logic to refetch JWT on KID mismatch (#36458)

Signed-off-by: Arul Thileeban Sagayam

Mirrored from https://github.com/envoyproxy/envoy @ 9d9569037798db45a1fa2454e31726053ae1e268
---
 .../filters/http/jwt_authn/v3/config.proto | 19 +++++++++++++++++++
 1 file changed, 19 insertions(+)

diff --git a/envoy/extensions/filters/http/jwt_authn/v3/config.proto b/envoy/extensions/filters/http/jwt_authn/v3/config.proto
index 99212f3ed..61f423803 100644
--- a/envoy/extensions/filters/http/jwt_authn/v3/config.proto
+++ b/envoy/extensions/filters/http/jwt_authn/v3/config.proto
@@ -383,6 +383,7 @@ message JwtCacheConfig {
 }
 
 // This message specifies how to fetch JWKS from remote and how to cache it.
+// [#next-free-field: 6]
 message RemoteJwks {
   option (udpa.annotations.versioning).previous_message_type =
       "envoy.config.filter.http.jwt_authn.v2alpha.RemoteJwks";
@@ -452,6 +453,24 @@ message RemoteJwks {
   //
   //
   config.core.v3.RetryPolicy retry_policy = 4;
+
+  // Refetch JWKS if extracted JWT has no KID or a KID that does not match any cached JWKS's KID.
+  //
+  //
+  // In envoy, if :ref:`async JWKS fetching `
+  // is enabled along with this field, then KID mismatch will trigger a new async fetch after appropriate backoff delay.
+  //
+  //
+  // If async fetching is disabled, new JWKS is fetched on demand and the cache is isolated to the fetched worker thread.
+  //
+  // There is exponential backoff built into this retrieval system for two cases to avoid DoS on JWKS Server:
+  //
+  // * If there is a request containing a JWT with no KID, a new fetch will be made for this request. Upon retrieval,
+  // a backoff will be triggered.
+  // * If there is a fetch due to KID mismatch, which results in a failed fetch or verification, a backoff will be triggered.
+  //
+  // During a backoff, no further fetches will be made due to KID mismatch.
+  bool refetch_jwks_on_kid_mismatch = 5;
 }
 
 // Fetch Jwks asynchronously in the main thread when the filter config is parsed.
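Review bot: The doc for `refetch_jwks_on_kid_mismatch` promises exponential backoff "to avoid DoS on JWKS Server" but states neither the backoff parameters nor their scope, so an operator cannot bound the worst-case fetch rate that a flood of requests carrying kid-less or unknown-kid JWTs can induce; since the comment says the cache is isolated per worker thread when async fetching is disabled, the backoff presumably is too, and the aggregate rate then scales with the worker count. I would add after the "During a backoff" line: `// The backoff parameters are not configurable through this API, and when async fetching is disabled the backoff state is kept per worker thread, so the aggregate fetch rate against the JWKS server scales with the number of workers.` (confirm against the filter implementation before committing the wording), and one sentence on how this interacts with `retry_policy` directly above. The `:ref:` on the "In envoy" line has no target as rendered here; verify it resolves to the `async_fetch` field, and write "Envoy" capitalized as elsewhere in the file. The doubled empty `//` lines produce extra paragraph breaks in the generated RST and can be collapsed to one. The `RemoteJwks` message begins outside this hunk.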