diff --git a/envoy/COMMIT b/envoy/COMMIT index 05cea006d..7e9553a07 100644 --- a/envoy/COMMIT +++ b/envoy/COMMIT @@ -1 +1 @@ -5d9428ca50418ac99d359128c8bb6cf8f703db92 +9d9569037798db45a1fa2454e31726053ae1e268 diff --git a/envoy/extensions/filters/http/jwt_authn/v3/config.pb.go b/envoy/extensions/filters/http/jwt_authn/v3/config.pb.go index 4174d6739..951965f60 100755 --- a/envoy/extensions/filters/http/jwt_authn/v3/config.pb.go +++ b/envoy/extensions/filters/http/jwt_authn/v3/config.pb.go @@ -588,6 +588,7 @@ func (x *JwtCacheConfig) GetJwtCacheSize() uint32 { } // This message specifies how to fetch JWKS from remote and how to cache it. +// [#next-free-field: 6] type RemoteJwks struct { state protoimpl.MessageState sizeCache protoimpl.SizeCache @@ -647,6 +648,22 @@ type RemoteJwks struct { // // If enabled, the retry policy will apply to all Jwks fetching approaches, e.g. on demand or asynchronously in background. RetryPolicy *v31.RetryPolicy `protobuf:"bytes,4,opt,name=retry_policy,json=retryPolicy,proto3" json:"retry_policy,omitempty"` + // Refetch JWKS if extracted JWT has no KID or a KID that does not match any cached JWKS's KID. + // + // In envoy, if :ref:`async JWKS fetching ` + // + // is enabled along with this field, then KID mismatch will trigger a new async fetch after appropriate backoff delay. + // + // If async fetching is disabled, new JWKS is fetched on demand and the cache is isolated to the fetched worker thread. + // + // There is exponential backoff built into this retrieval system for two cases to avoid DoS on JWKS Server: + // + // - If there is a request containing a JWT with no KID, a new fetch will be made for this request. Upon retrieval, + // a backoff will be triggered. + // - If there is a fetch due to KID mismatch, which results in a failed fetch or verification, a backoff will be triggered. + // + // During a backoff, no further fetches will be made due to KID mismatch. + RefetchJwksOnKidMismatch bool `protobuf:"varint,5,opt,name=refetch_jwks_on_kid_mismatch,json=refetchJwksOnKidMismatch,proto3" json:"refetch_jwks_on_kid_mismatch,omitempty"` } func (x *RemoteJwks) Reset() { @@ -709,6 +726,13 @@ func (x *RemoteJwks) GetRetryPolicy() *v31.RetryPolicy { return nil } +func (x *RemoteJwks) GetRefetchJwksOnKidMismatch() bool { + if x != nil { + return x.RefetchJwksOnKidMismatch + } + return false +} + // Fetch Jwks asynchronously in the main thread when the filter config is parsed. // The listener is activated only after the Jwks is fetched. // When the Jwks is expired in the cache, it is fetched again in the main thread. @@ -1917,7 +1941,7 @@ var file_envoy_extensions_filters_http_jwt_authn_v3_config_proto_rawDesc = []byt 0x72, 0x12, 0x03, 0xf8, 0x42, 0x01, 0x22, 0x36, 0x0a, 0x0e, 0x4a, 0x77, 0x74, 0x43, 0x61, 0x63, 0x68, 0x65, 0x43, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x12, 0x24, 0x0a, 0x0e, 0x6a, 0x77, 0x74, 0x5f, 0x63, 0x61, 0x63, 0x68, 0x65, 0x5f, 0x73, 0x69, 0x7a, 0x65, 0x18, 0x01, 0x20, 0x01, 0x28, 0x0d, - 0x52, 0x0c, 0x6a, 0x77, 0x74, 0x43, 0x61, 0x63, 0x68, 0x65, 0x53, 0x69, 0x7a, 0x65, 0x22, 0x89, + 0x52, 0x0c, 0x6a, 0x77, 0x74, 0x43, 0x61, 0x63, 0x68, 0x65, 0x53, 0x69, 0x7a, 0x65, 0x22, 0xc9, 0x03, 0x0a, 0x0a, 0x52, 0x65, 0x6d, 0x6f, 0x74, 0x65, 0x4a, 0x77, 0x6b, 0x73, 0x12, 0x42, 0x0a, 0x08, 0x68, 0x74, 0x74, 0x70, 0x5f, 0x75, 0x72, 0x69, 0x18, 0x01, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x1d, 0x2e, 0x65, 0x6e, 0x76, 0x6f, 0x79, 0x2e, 0x63, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x2e, 0x63, @@ -1938,7 +1962,11 @@ var file_envoy_extensions_filters_http_jwt_authn_v3_config_proto_rawDesc = []byt 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x18, 0x04, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x21, 0x2e, 0x65, 0x6e, 0x76, 0x6f, 0x79, 0x2e, 0x63, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x2e, 0x63, 0x6f, 0x72, 0x65, 0x2e, 0x76, 0x33, 0x2e, 0x52, 0x65, 0x74, 0x72, 0x79, 0x50, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x52, - 0x0b, 0x72, 0x65, 0x74, 0x72, 0x79, 0x50, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x3a, 0x3c, 0x9a, 0xc5, + 0x0b, 0x72, 0x65, 0x74, 0x72, 0x79, 0x50, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x12, 0x3e, 0x0a, 0x1c, + 0x72, 0x65, 0x66, 0x65, 0x74, 0x63, 0x68, 0x5f, 0x6a, 0x77, 0x6b, 0x73, 0x5f, 0x6f, 0x6e, 0x5f, + 0x6b, 0x69, 0x64, 0x5f, 0x6d, 0x69, 0x73, 0x6d, 0x61, 0x74, 0x63, 0x68, 0x18, 0x05, 0x20, 0x01, + 0x28, 0x08, 0x52, 0x18, 0x72, 0x65, 0x66, 0x65, 0x74, 0x63, 0x68, 0x4a, 0x77, 0x6b, 0x73, 0x4f, + 0x6e, 0x4b, 0x69, 0x64, 0x4d, 0x69, 0x73, 0x6d, 0x61, 0x74, 0x63, 0x68, 0x3a, 0x3c, 0x9a, 0xc5, 0x88, 0x1e, 0x37, 0x0a, 0x35, 0x65, 0x6e, 0x76, 0x6f, 0x79, 0x2e, 0x63, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x2e, 0x66, 0x69, 0x6c, 0x74, 0x65, 0x72, 0x2e, 0x68, 0x74, 0x74, 0x70, 0x2e, 0x6a, 0x77, 0x74, 0x5f, 0x61, 0x75, 0x74, 0x68, 0x6e, 0x2e, 0x76, 0x32, 0x61, 0x6c, 0x70, 0x68, 0x61, 0x2e, diff --git a/envoy/extensions/filters/http/jwt_authn/v3/config.pb.validate.go b/envoy/extensions/filters/http/jwt_authn/v3/config.pb.validate.go index 63b67162a..d6c19e4e9 100755 --- a/envoy/extensions/filters/http/jwt_authn/v3/config.pb.validate.go +++ b/envoy/extensions/filters/http/jwt_authn/v3/config.pb.validate.go @@ -703,6 +703,8 @@ func (m *RemoteJwks) validate(all bool) error { } } + // no validation rules for RefetchJwksOnKidMismatch + if len(errors) > 0 { return RemoteJwksMultiError(errors) } diff --git a/envoy/extensions/filters/http/jwt_authn/v3/config_vtproto.pb.go b/envoy/extensions/filters/http/jwt_authn/v3/config_vtproto.pb.go index cdb61288e..86f990249 100755 --- a/envoy/extensions/filters/http/jwt_authn/v3/config_vtproto.pb.go +++ b/envoy/extensions/filters/http/jwt_authn/v3/config_vtproto.pb.go @@ -431,6 +431,16 @@ func (m *RemoteJwks) MarshalToSizedBufferVTStrict(dAtA []byte) (int, error) { i -= len(m.unknownFields) copy(dAtA[i:], m.unknownFields) } + if m.RefetchJwksOnKidMismatch { + i-- + if m.RefetchJwksOnKidMismatch { + dAtA[i] = 1 + } else { + dAtA[i] = 0 + } + i-- + dAtA[i] = 0x28 + } if m.RetryPolicy != nil { if vtmsg, ok := interface{}(m.RetryPolicy).(interface { MarshalToSizedBufferVTStrict([]byte) (int, error) @@ -1550,6 +1560,9 @@ func (m *RemoteJwks) SizeVT() (n int) { } n += 1 + l + protohelpers.SizeOfVarint(uint64(l)) } + if m.RefetchJwksOnKidMismatch { + n += 2 + } n += len(m.unknownFields) return n }