Ordering of External Authorization and JWT Validation in Envoy Gateway v1.6.1

[JoshuaC15]

Hi! I have a question about the processing order of security features in Envoy Gateway.

In my current setup, clients send a short-lived “nonce” token. This token is exchanged (via an external service) for a proper JWT. I am migrating this to Envoy with External Authorization, to replace the Authorization header with the newly-issued JWT.

My question is,
Can Envoy Gateway guarantee that extAuth runs before native JWT authentication/validation, such that the JWT filter will validate only the header rewritten by extAuth?

I haven’t found explicit documentation describing the ordering between JWT authentication and External Authorization filters, or whether JWT validation is allowed to depend on headers mutated by extAuth.

If this ordering is not guaranteed or not supported, is the recommended approach to perform both the token exchange and JWT validation within External Authorization instead of relying on Envoy Gateway’s built-in JWT functionality?

Thanks in advance - any clarification on the intended or guaranteed execution order would be very helpful.

[rudrakhp]

You can find the default HTTP filter order here along with instructions to customize it. Looks like ext_authz filter is already placed before jwt_authn.