Hi team,
I'm currently evaluating JWT authentication for API traffic and reviewing the documentation at:
🔗 https://agentgateway.dev/docs/kubernetes/latest/security/jwt/setup/
I would like to understand whether the approach described there can be applied directly to Envoy Gateway, or if there are recommended alternatives.
What I'm Trying to Achieve
Validate JWT tokens issued by:
- Keycloak
- Azure AD
Verify:
- Signature
- Issuer
- Audience
- Expiration
Extract selected claims (e.g. sub, preferred_username, email, groups)
Inject those claims into HTTP headers for upstream services
Questions
Compatibility with Envoy Gateway
The agentgateway.dev documentation shows how to configure:
- issuer
- jwksUri
- Validation rules
- Claim-to-header mapping
Can this same configuration model be used directly with Envoy Gateway?
If yes:
- Is there an example configuration snippet for Envoy Gateway?
- Are there any limitations compared to the agentgateway setup?
Recommended Approach for Envoy Gateway
If the documented approach does not directly apply, what is the recommended way to implement this with Envoy Gateway?
Should this be done using:
- Envoy’s native JWT Authentication filter?
- An external authentication service?
- A TrafficPolicy?
- Another recommended pattern?
Claim Extraction into Headers
What is the best-supported way in Envoy Gateway to:
- Validate the JWT
- Extract specific claims
- Inject them as headers before forwarding to upstream services
Are there examples or reference manifests demonstrating this?
Thanks in advance for your guidance — examples or links to reference configs would be greatly appreciated.
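The validation steps enumerated in this issue (signature, issuer, audience, expiration) followed by claim-to-header injection, as an added stand-alone Python example that is not part of the original issue and is not code from Envoy Gateway or agentgateway. It uses HS256 with a constructed shared secret so it runs offline (a gateway would instead fetch the provider's JWKS and verify RS256/ES256 signatures); the issuer, audience, header names and sample claims are assumptions. Beyond the four checks listed, it pins the expected algorithm rather than trusting the token's `alg`, honours `nbf`, and strips any client-supplied copies of the claim headers before injecting its own, which is the check the header-injection step needs so upstream services are never handed spoofed identity headers.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed sample secret and expected values for the example (not real credentials).
SHARED_SECRET = b"example-hs256-secret-do-not-use-in-production"
EXPECTED_ISSUER = "https://idp.example.test/realms/demo"   # hypothetical Keycloak-style issuer
EXPECTED_AUDIENCE = "orders-api"                            # hypothetical audience

# Claims forwarded upstream and the header each one lands in (assumed header names).
CLAIM_TO_HEADER = {
    "sub": "x-jwt-sub",
    "preferred_username": "x-jwt-username",
    "email": "x-jwt-email",
    "groups": "x-jwt-groups",
}


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(segment: str) -> bytes:
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def mint_token(claims: dict, secret: bytes = SHARED_SECRET, alg: str = "HS256") -> str:
    """Build an HS256 token; used here only to produce test input for validate_token."""
    header_b64 = _b64url_encode(json.dumps({"alg": alg, "typ": "JWT"}, separators=(",", ":")).encode())
    payload_b64 = _b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    signing_input = f"{header_b64}.{payload_b64}"
    sig = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url_encode(sig)}"


def validate_token(token: str, *, secret: bytes = SHARED_SECRET,
                   issuer: str = EXPECTED_ISSUER, audience: str = EXPECTED_AUDIENCE,
                   now: Optional[float] = None, leeway: int = 30) -> dict:
    """Verify signature, issuer, audience and expiration; return the claims or raise ValueError."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token: expected three dot-separated segments")
    header_b64, payload_b64, sig_b64 = parts

    header = json.loads(_b64url_decode(header_b64))
    # Pin the algorithm: never trust 'alg' from the token (rejects 'none' and algorithm confusion).
    if header.get("alg") != "HS256":
        raise ValueError(f"unexpected alg {header.get('alg')!r}")

    expected_sig = hmac.new(secret, f"{header_b64}.{payload_b64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, _b64url_decode(sig_b64)):
        raise ValueError("signature verification failed")

    claims = json.loads(_b64url_decode(payload_b64))
    if claims.get("iss") != issuer:
        raise ValueError(f"issuer mismatch: {claims.get('iss')!r}")

    # 'aud' may be a string or a list (RFC 7519 section 4.1.3); accept if our audience is present.
    aud = claims.get("aud")
    aud_list = aud if isinstance(aud, list) else [aud]
    if audience not in aud_list:
        raise ValueError(f"audience mismatch: {aud!r}")

    now = time.time() if now is None else now
    if "exp" not in claims:
        raise ValueError("token has no exp claim")
    if now > claims["exp"] + leeway:
        raise ValueError("token expired")
    if "nbf" in claims and now < claims["nbf"] - leeway:
        raise ValueError("token not yet valid")
    return claims


def claims_to_headers(claims: dict, incoming_headers: dict) -> dict:
    """Return upstream headers: drop client-supplied copies of the claim headers, then set ours."""
    managed = set(CLAIM_TO_HEADER.values())
    headers = {k: v for k, v in incoming_headers.items() if k.lower() not in managed}
    for claim, header in CLAIM_TO_HEADER.items():
        if claim in claims:
            value = claims[claim]
            # List-valued claims such as 'groups' are joined into one comma-separated header.
            headers[header] = ",".join(map(str, value)) if isinstance(value, list) else str(value)
    return headers


if __name__ == "__main__":
    now = 1_700_000_000
    token = mint_token({"iss": EXPECTED_ISSUER, "aud": EXPECTED_AUDIENCE, "sub": "u-123",
                        "preferred_username": "alice", "email": "alice@example.test",
                        "groups": ["dev", "ops"], "exp": now + 300, "iat": now})
    claims = validate_token(token, now=now)
    print(claims_to_headers(claims, {"x-jwt-sub": "spoofed", "host": "orders.example.test"}))
```

The `now` parameter exists so the expiry logic can be exercised deterministically; a gateway would use the wall clock. Any failure raises rather than returning a partial result, so a caller cannot forward headers from a token that failed one of the checks.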