Impl: JWT claim authorization

[zhaohuabing]

Implementation for: #4009
Related issue: #3367

This PR also changes the default value ofPayloadInMetada of the JWT filter from JwtProvider.Issuer to JwtProvider.Name as JwtProvider.Issuer is optional and we need the metadata in the authorization.

[codecov]

Codecov Report

Attention: Patch coverage is 90.40000% with 24 lines in your changes missing coverage. Please review.

Project coverage is 65.85%. Comparing base (91bea68) to head (662c190).

Files with missing lines	Patch %	Lines
internal/xds/translator/authorization.go	90.20%	13 Missing and 11 partials ⚠️

Additional details and impacted files

@@            Coverage Diff             @@
##             main    #4167      +/-   ##
==========================================
+ Coverage   65.64%   65.85%   +0.20%     
==========================================
  Files         197      197              
  Lines       23555    23752     +197     
==========================================
+ Hits        15462    15641     +179     
- Misses       6982     6992      +10     
- Partials     1111     1119       +8     

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

[zetaab]

one nit, but I am also thinking that which JWT this is now going to use? There is use-case for both access_token and id_token. Is there way to specify which one it should use?

[zhaohuabing]

one nit, but I am also thinking that which JWT this is now going to use? There is use-case for both access_token and id_token. Is there way to specify which one it should use?

It's up to you. A JWT provider must be defined in the JWT configuration within the same SecurityPolicy.

If we want to use the ID Token retreived from the OIDC, we need to modify the OAuth2 filter to allow it to add the ID Token in the headers.

[zetaab]

I can get this working with idtoken by following configuration (it verifies sub AND that I have some single group that is needed... just for testing)

apiVersion: gateway.envoyproxy.io/v1alpha1
kind: SecurityPolicy
metadata:
  name: demo-api-jwt
  namespace: demo
spec:
  targetRef:
    group: gateway.networking.k8s.io
    kind: HTTPRoute
    name: demo-api
  jwt:
    providers:
    - name: cognito
      extractFrom:
        cookies:
        - IdToken
      claimToHeaders:
      - claim: sub
        header: x-sub
      - claim: custom:jobtitle
        header: x-jobtitle
      - claim: custom:department
        header: x-department
      - claim: email
        header: x-email
      - claim: cognito:groups
        header: x-groups
      - claim: name
        header: x-name
      remoteJWKS:
        uri: https://cognito-idp.eu-central-1.amazonaws.com/xxx/.well-known/jwks.json
  authorization:
    defaultAction: Deny
    rules:
    - action: Allow
      principal:
        jwt:
          provider: cognito
          claims:
          - name: sub
            values: [ca28333f-177f-4b7a-90c3-snip]
          - name: cognito:groups
            valueType: StringArray
            values: [AAD_FOOBAR]

great job @zhaohuabing

[zhaohuabing]

I can get this working with idtoken by following configuration (it verifies sub AND that I have some single group that is needed... just for testing)
@zetaab Thanks for verifying it!

[zetaab]

@arkodg do you have idea who could get progress in this PR? its waiting for review

[arkodg]

can we do without this or is this needed ?

[zhaohuabing]

It's needed because the JWT auth filter stores the extracted JWT claims under its namespace, and we need this to correlate the JWT principal with the JWT claims in the metadata.

Metadata example:

   envoy.filters.http.jwt_authn:
      jwt_provider_name:
         scopes: "read write"
         name: "John"
         sub: "John"