envoy icon indicating copy to clipboard operation
envoy copied to clipboard

Published 20 hours ago verified publisher icon envoyproxy

JWT claim extraction without signature validation?

Open ryanhristovski opened this issue 5 months ago • 2 comments

Hi, I'm working on a rate limiting use case where I need to extract claims from JWTs and pass them as headers to upstream services, but I don't need (or want) signature validation.

My situation:

  • Need to extract claims like username, plan_name, etc. and forward as HTTP headers
  • Upstream service does not support JWKS at this time
  • Currently using a Lua filter to parse JWT manually, but would prefer using the built-in JWT filter

Question: Is there any way to configure the envoy.filters.http.jwt_authn filter to extract JWT claims to headers WITHOUT validating the signature?

I've tried setting up the JWT filter with empty JWKS and allow_missing_or_failed, but I get "Jwt header [alg] is not supported" errors.

Thanks!

ryanhristovski avatar Jun 17 '25 13:06 ryanhristovski

This error is generated when key algorithm is not recognized. Here is the list of supported algorithms: https://github.com/google/jwt_verify_lib/blob/b59e8075d4a4f975ba6f109e1916d6e60aeb5613/src/jwt.cc#L31

yanavlasov avatar Jun 17 '25 19:06 yanavlasov

@yanavlasov thank you, I assume the answer is that no you can't bypass a key algorithm then?

ryanhristovski avatar Jun 18 '25 15:06 ryanhristovski

@yanavlasov I think allow_missing_or_failed will try to validate and will still proceed with extraction if validation fails. Do you think it would be useful add additional validation like skip_validation that do not try to validate and but just extract claims? There are some usecases for it.

ramaraochavali avatar Jun 21 '25 10:06 ramaraochavali

Reopening for @ramaraochavali comment, I agree there would be some use-cases for skip_validation

ryanhristovski avatar Jun 23 '25 14:06 ryanhristovski

Sounds useful. I have marked this as an enhancement.

yanavlasov avatar Jun 25 '25 14:06 yanavlasov

@yanavlasov I interested in working on this feature

AlyHKafoury avatar Aug 25 '25 00:08 AlyHKafoury

@AlyHKafoury are you working on this?

ramaraochavali avatar Nov 03 '25 09:11 ramaraochavali

@ramaraochavali Yes, it is gonna be ready soon.

AlyHKafoury avatar Nov 03 '25 09:11 AlyHKafoury

Thank you :-)

ramaraochavali avatar Nov 03 '25 11:11 ramaraochavali

/assign @AlyHKafoury

agrawroh avatar Nov 04 '25 06:11 agrawroh

@AlyHKafoury cannot be assigned to this issue.

:cat:

Caused by: a https://github.com/envoyproxy/envoy/issues/39930#issuecomment-3484077407 was created by @agrawroh.

see: more, trace.

repokitteh-read-only[bot] avatar Nov 04 '25 06:11 repokitteh-read-only[bot]