Support audiences from secret in JWTProvider
Description:
Right now, when using the JWTProvider in the SecurityPolicy custom resource, the audiences need to be added as a string array directly into the spec. Ideally, I would like to use a value from a Kubernetes secret to get the allowed audience. This will give a unified way to enforce OIDCProvider / JWTProvider in the security policy. OIDCProvider allows Client Id and Client Secret to come from a secret. The same Client Id is normally used as the value for the allowed audience, so the same secret can be referenced. An admin can make this secret ahead of time in the user's namespace, and it can be used for OIDC + JWT validation without the user needing to pull the client id value to use in the audience for their JWT section.
Relevant Links:
https://gateway.envoyproxy.io/docs/api/extension_types/#jwtprovider
It might be convenient to reuse the same secret for both the OIDC client id and JWT audience, but audience isn't confidential in the context of the JWT auth, so modeling it as a secret doesn't seem semantically right.
This issue has been automatically marked as stale because it has not had activity in the last 30 days.