initialize JWT GEP

[brianehlert]

What type of PR is this?
/kind gep

What this PR does / why we need it:
This is the introduce the JWT Policy concept into Gateway API

Which issue(s) this PR fixes:
Fixes 2198

Does this PR introduce a user-facing change?:

NONE

[k8s-ci-robot]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: brianehlert
Once this PR has been reviewed and has the lgtm label, please assign robscott for approval. For more information see the Kubernetes Code Review Process.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

• geps/OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[k8s-ci-robot]

Hi @brianehlert. Thanks for your PR.

I'm waiting for a kubernetes-sigs member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[robscott]

Thanks @brianehlert!

/ok-to-test

[frankbu]

In addition to allowing the request to proceed, Istio provides access to the evaluated token in route rules, so that users can also do things like weighted routing based on the claims. See https://istio.io/latest/docs/tasks/security/authentication/jwt-route/

[brianehlert]

I have historically considered this a claims match modifier (Policy) on a path/route.
First the path/route must match, then the claim is tested for allow (or the request is blocked)
I am assuming the same implementation.
This is where I see the authorization Policy serving the function of defining the allow claim(s) match.

[brianehlert]

I do like the pattern with:

outputClaimToHeaders:
- header: "x-jwt-claim-foo"
  claim: "foo"

What I am thinking about is if there is a way to have the independent of the jwksUri, so that it stands alone as a transformation action pattern that could be used for both OIDC and JWT. Since both can require the same claim-to-header, but both don't require the jwksUri.
Or the pattern is simply repeated when the OIDC Policy comes...

[youngnick]

Once #2689 merges, this will need a rebase and update - the GEP files have moved.

[shaneutt]

@brianehlert this can be rebased now as per the GEP move we did a couple months back. Let us know if you run into any trouble.

[costinm]

Not sure why it's focused on encrypted JWTs - they are quite rare. Maybe focus on the common case, and have a separate doc or section for the less common ?

[costinm]

Important use: a different token signed by the gateway is forwarded to backends ( to prevent backends from accessing the original JWT which may have escalation risks). That's sometimes called 'mint'

[costinm]

I think it would be ideal to decouple JWT validation - as in 'is signature correct' ( same as mTLS handshake checks ) and the authorization parts ( which claims, paths, etc need to be matched to authorize the user ).

For the later - it is best to have authorization decisions independent of the authn, and not mix it here.

[costinm]

Not sure why name/realm would be required. Log messages are important but not that important.

Issuer field is probably more useful as a key.

For jwksURI - it should be mentioned 'if missing, implementation should fetch using OIDC'. And perhaps have a way to specify the public keys directly.

Not sure if keyCache is that important ( implementation detail ), and 'token' is a very bad name ( it usually means a secret ). If you mean the 'header' or 'parameter' - better be explicit.

[costinm]

I think claim match is already in the realm of authorization.

It doesn't scale and doesn't work well in practice to have 'name=user1' ... or name=user100' in policies that specify which issuers to trust.

And there are many other authn methods ( access tokens with Oauth, client certs, user:password, apikeys ) that result in 'claims' associated with a principal. We shouldn't have a duplicated or divergent authorization depending on how a user may choose or be able to authenticate.

[k8s-triage-robot]

The Kubernetes project currently lacks enough contributors to adequately respond to all PRs.

This bot triages PRs according to the following rules:

• After 90d of inactivity, lifecycle/stale is applied
• After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
• After 30d of inactivity since lifecycle/rotten was applied, the PR is closed

You can:

• Mark this PR as fresh with /remove-lifecycle stale
• Close this PR with /close
• Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle stale