JWT Authentication Filter - How can I know why a JWT failed in a filter following the JWT filter

[Noah Weiss]

Hi All,

 

First of all I would like to express my appreciation to all the contributors to the Envoy project. It truly is an amazing thing!

 

Second, I would like to ask you all a question.

 

I currently use Envoy with some custom http_filters (under the envoy.filters.network.http_connection_manager).

I’m now interested in using the JWT Authentication filter (envoy.filters.http.jwt_authn)  in my “filter pipeline” so that it is before one of my other filters. And I would like for the filter following the JWT filter to be able to know if the JWT was successfully verified, and if not, for what reason did the verification fail.

 

Now I saw that the JWT filter can be configured to defer the decision to later filters instead of rejecting a request with an invalid JWT by using the “allow_missing_or_failed”  requirement. I also saw that I can define the “header_in_metatda” / ”payload_in_metadata” so I can get the successfully verified JWT header/payload in the following filter from inside the StreamInfo DynamicMetadata. This can enable me to determine if the JWT was successfully verified or not. What I’m missing however is the ability to know why a JWT failed verification.

Is there any way I can do this ? If not, then can this ability be added in the future ?

 

Thanks,

 Noah