Attach jwt failure status to metadata (#10662)

Signed-off-by: day0ops <[email protected]>
Co-authored-by: Sam Heilbron <[email protected]>

Author: day0ops

changelog/v1.19.0-beta13/attach-jwt-failure-status-to-metadata.yaml

@@ -0,0 +1,6 @@
+changelog:
+  - type: NON_USER_FACING
+    issueLink: https://github.com/solo-io/solo-projects/issues/7837
+    resolvesIssue: false
+    description: >
+      Added a new field `attachFailedStatusToMetadata` to attach JWT failure status to dynamic metadata so that the status code and message can be logged.

docs/content/reference/api/github.com/solo-io/gloo/projects/gloo/api/v1/enterprise/options/jwt/jwt.proto.sk.md

@@ -721,6 +721,8 @@ spec:
                           providers:
                             additionalProperties:
                               properties:
+                                attachFailedStatusToMetadata:
+                                  type: string
                                 audiences:
                                   items:
                                     type: string
@@ -801,6 +803,8 @@ spec:
                           providers:
                             additionalProperties:
                               properties:
+                                attachFailedStatusToMetadata:
+                                  type: string
                                 audiences:
                                   items:
                                     type: string

install/helm/gloo/crds/gateway.solo.io_v1_RouteOption.yaml

@@ -831,6 +831,8 @@ spec:
                                 providers:
                                   additionalProperties:
                                     properties:
+                                      attachFailedStatusToMetadata:
+                                        type: string
                                       audiences:
                                         items:
                                           type: string
@@ -911,6 +913,8 @@ spec:
                                 providers:
                                   additionalProperties:
                                     properties:
+                                      attachFailedStatusToMetadata:
+                                        type: string
                                       audiences:
                                         items:
                                           type: string

install/helm/gloo/crds/gateway.solo.io_v1_RouteTable.yaml

@@ -377,6 +377,8 @@ spec:
                       providers:
                         additionalProperties:
                           properties:
+                            attachFailedStatusToMetadata:
+                              type: string
                             audiences:
                               items:
                                 type: string
@@ -459,6 +461,8 @@ spec:
                           providers:
                             additionalProperties:
                               properties:
+                                attachFailedStatusToMetadata:
+                                  type: string
                                 audiences:
                                   items:
                                     type: string
@@ -539,6 +543,8 @@ spec:
                           providers:
                             additionalProperties:
                               properties:
+                                attachFailedStatusToMetadata:
+                                  type: string
                                 audiences:
                                   items:
                                     type: string

install/helm/gloo/crds/gateway.solo.io_v1_VirtualHostOption.yaml

@@ -467,6 +467,8 @@ spec:
                           providers:
                             additionalProperties:
                               properties:
+                                attachFailedStatusToMetadata:
+                                  type: string
                                 audiences:
                                   items:
                                     type: string
@@ -549,6 +551,8 @@ spec:
                               providers:
                                 additionalProperties:
                                   properties:
+                                    attachFailedStatusToMetadata:
+                                      type: string
                                     audiences:
                                       items:
                                         type: string
@@ -629,6 +633,8 @@ spec:
                               providers:
                                 additionalProperties:
                                   properties:
+                                    attachFailedStatusToMetadata:
+                                      type: string
                                     audiences:
                                       items:
                                         type: string
@@ -3938,6 +3944,8 @@ spec:
                                     providers:
                                       additionalProperties:
                                         properties:
+                                          attachFailedStatusToMetadata:
+                                            type: string
                                           audiences:
                                             items:
                                               type: string
@@ -4018,6 +4026,8 @@ spec:
                                     providers:
                                       additionalProperties:
                                         properties:
+                                          attachFailedStatusToMetadata:
+                                            type: string
                                           audiences:
                                             items:
                                               type: string

install/helm/gloo/crds/gateway.solo.io_v1_VirtualService.yaml

@@ -212,6 +212,21 @@ message JwtProvider {
   // Specify the clock skew in seconds when verifying JWT time constraint,
   // such as `exp`, and `nbf`. If not specified, default is 60 seconds.
   uint32 clock_skew_seconds = 10;
+
+  // If non empty, the failure status ``::google::jwt_verify::Status`` for a non verified JWT will be written to StreamInfo DynamicMetadata
+  // in the format as: ``namespace`` is the jwt_authn filter name as ``envoy.filters.http.jwt_authn``
+  // The value is the ``protobuf::Struct``. The values of this field will be ``code`` and ``message``
+  // and they will contain the JWT authentication failure status code and a message describing the failure.
+  //
+  // For example, if failed_status_in_metadata is ``my_auth_failure_status``:
+  //
+  // .. code-block:: yaml
+  //
+  //   envoy.filters.http.jwt_authn:
+  //     my_auth_failure_status:
+  //       code: 3
+  //       message: Jwt expired
+  string failed_status_in_metadata = 11;
 }
 
 // This message specifies how to fetch JWKS from remote and how to cache it.

projects/gloo/api/external/envoy/extensions/filters/http/jwt_authn/v3/config.proto

@@ -100,6 +100,14 @@ message Provider {
 
     // Optional: ClockSkewSeconds is used to verify time constraints, such as `exp` and `npf`. Default is 60s
     google.protobuf.UInt32Value clock_skew_seconds = 8;
+
+    // Optional: When this field is set, the specified value is used as the key in DynamicMetadata to store the JWT failure status code and message under that key. If the value is empty (i.e., ""), it is ignored.
+    // This field is particularly useful when logging the failure status.
+    //
+    // For example, if the value of `attach_failed_status_to_metadata` is 'custom_auth_failure_status' then
+    // the failure status can be accessed in the access log as '%DYNAMIC_METADATA(envoy.filters.http.jwt_authn:custom_auth_failure_status)'
+    // Note: status code and message can be individually accessed as '%DYNAMIC_METADATA(envoy.filters.http.jwt_authn:custom_auth_failure_status.code)' and '%DYNAMIC_METADATA(envoy.filters.http.jwt_authn:custom_auth_failure_status.message)' respectively.
+    string attach_failed_status_to_metadata = 9;
 }
 
 message Jwks {