jwt_provider_key configuration
Envoy can support multiple JWT providers concurrently, so it can be useful to limit the Envoy Adapter to the specific provider you wish to evaluate. (Without a limit, the Envoy Adapter loops over all verified JWTs.)
Since Envoy Adapter v1.3.0, the jwt_provider_key option is available to select a specific JWT provider for Apigee authorization.
For native Envoy, the value of jwt_provider_key simply matches the payload_in_metadata name (an arbitrary string of your choosing) of the provider in the jwt_authn filter. For example, here we have used apigee:
```yaml
- name: envoy.filters.http.jwt_authn
  typed_config:
    "@type": type.googleapis.com/envoy.config.filter.http.jwt_authn.v2alpha.JwtAuthentication
    providers:
      sample:
        issuer: https://org-env.apigee.net/remote-token/token
        remote_jwks:
          http_uri:
            uri: https://org-env.apigee.net/remote-token/certs
            cluster: apigee-auth-service
        payload_in_metadata: apigee
```
For Istio, the RequestAuthentication CR is used to configure Envoy's jwt_authn filter. Istio automatically assigns the issuer value of the JWTRule as the payload_in_metadata name, so you cannot pick an arbitrary name as you can with native Envoy. In the following example, we would use https://org-env.apigee.net/remote-token as the jwt_provider_key:
```yaml
apiVersion: security.istio.io/v1beta1
kind: RequestAuthentication
metadata:
  name: apigee
  namespace: default
spec:
  selector:
    matchLabels:
      managed-by: apigee
  jwtRules:
  - issuer: https://org-env.apigee.net/remote-token/token
    jwksUri: https://org-env.apigee.net/remote-token/certs
```
Note: To make the behavior consistent across Istio and native Envoy, our samples create command always uses the /token endpoint URL in the generated Envoy configuration.
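The following is an added example, not code from the Envoy Adapter itself, showing the mapping the two configurations above rely on: native Envoy keys the verified payload by payload_in_metadata, while Istio keys it by the JWTRule issuer string. It resolves a configured jwt_provider_key against a list of providers and fails when the key matches no provider (or more than one), which is the check you want at startup rather than a silent "no JWT found" at request time. The Provider type and both sample lists are constructed for this example.

```go
package main

import "fmt"

// Provider models the parts of a jwt_authn provider (native Envoy) or an Istio
// JWTRule that decide where the verified JWT payload lands in dynamic metadata.
type Provider struct {
	Issuer            string
	PayloadInMetadata string // native Envoy only; Istio derives the name itself
}

// MetadataKey returns the name Envoy uses for a provider's verified payload:
// payload_in_metadata for native Envoy (empty means none is written), and the
// JWTRule issuer for Istio, which assigns the issuer as payload_in_metadata.
func MetadataKey(p Provider, istio bool) string {
	if istio {
		return p.Issuer
	}
	return p.PayloadInMetadata
}

// ResolveProviderKey checks that jwtProviderKey selects exactly one provider,
// so a typo or an Istio/native mix-up fails loudly instead of leaving the
// adapter with no payload to evaluate at request time.
func ResolveProviderKey(providers []Provider, istio bool, jwtProviderKey string) (Provider, error) {
	var matches []Provider
	for _, p := range providers {
		if key := MetadataKey(p, istio); key != "" && key == jwtProviderKey {
			matches = append(matches, p)
		}
	}
	if len(matches) != 1 {
		return Provider{}, fmt.Errorf("jwt_provider_key %q matches %d providers, want 1", jwtProviderKey, len(matches))
	}
	return matches[0], nil
}

// Constructed samples mirroring the page's two configurations.
var envoyProviders = []Provider{{Issuer: "https://org-env.apigee.net/remote-token/token", PayloadInMetadata: "apigee"}}
var istioRules = []Provider{{Issuer: "https://org-env.apigee.net/remote-token/token"}}

func main() {
	p, err := ResolveProviderKey(envoyProviders, false, "apigee")
	fmt.Println(p.Issuer, err)
	_, err = ResolveProviderKey(istioRules, true, "apigee") // Istio keys by issuer, not by a chosen name
	fmt.Println(err)
}
```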