Consider supporting `localJWKS` for JWT Authentication
Description:
Currently, you can use a SecurityPolicy to configure JWT authentication by configuring the remoteJWKS field of the JWTProvider.
There may be cases where a remote JWKS endpoint may not exist or may not be directly reachable.
Envoy itself seems to support the configuration of a local_jwks attribute as an inline string or by referencing a file. I think Envoy Gateway should support this, too; either directly as an attribute of type string or by referencing a ConfigMap.
(I don't personally need this feature at the moment, but since Envoy supports this use-case, I think it makes sense to post this as a feature request.)
+1 for this feature. If you're maintaining your own JWT PKI, it might not be convenient to have the JWKS hosted over HTTP. There can also be issues with firewalls in restrictive environments.
When previously using Istio ingress, my provisioning scripts generated the private key, JWKS, and some JWTs for admins, and built Istio's equivalent to SecurityPolicy with the JWKS in-line. It'd be great to enable that workflow in EG too.
+1
I have an issue with JWKS async fetching failing over HTTPS. It would be great to define the JWKS via a ConfigMap or some other local way.
cc @sgargan, the API could look like DirectResponse, which provides the ability to specify an Inline value or a ValueRef (only ConfigMap is supported)
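A sketch of what such a `localJWKS` field could look like if it follows the DirectResponse Inline/ValueRef pattern mentioned above. This is an added illustration, not Envoy Gateway's shipped API: the `localJWKS`, `type`, `inline` and `valueRef` field names, the ConfigMap key `jwks`, and the issuer and key values are all assumptions.

```yaml
# Hypothetical sketch: JWTProviders that read their JWKS locally instead of fetching it over HTTP.
# Field names under localJWKS are assumed for illustration, mirroring DirectResponse's Inline/ValueRef shape.
apiVersion: gateway.envoyproxy.io/v1alpha1
kind: SecurityPolicy
metadata:
  name: jwt-local-jwks
  namespace: default
spec:
  targetRef:
    group: gateway.networking.k8s.io
    kind: HTTPRoute
    name: backend
  jwt:
    providers:
      # Variant 1: JWKS embedded inline in the policy (no egress to a JWKS endpoint is required).
      - name: inline-provider
        issuer: https://inline-issuer.example.com   # constructed sample issuer
        audiences: ["api"]
        localJWKS:
          type: Inline
          inline: |
            {"keys": [{"kty": "RSA", "kid": "admin-2024", "alg": "RS256", "use": "sig",
                       "n": "<base64url RSA modulus placeholder>", "e": "AQAB"}]}
      # Variant 2: JWKS kept in a ConfigMap that provisioning scripts can regenerate on key rotation.
      - name: configmap-provider
        issuer: https://configmap-issuer.example.com # constructed sample issuer
        audiences: ["api"]
        localJWKS:
          type: ValueRef
          valueRef:
            group: ""
            kind: ConfigMap
            name: jwt-jwks
---
# The ConfigMap referenced by the second provider; the "jwks" data key is an assumption.
apiVersion: v1
kind: ConfigMap
metadata:
  name: jwt-jwks
  namespace: default
data:
  jwks: |
    {"keys": [{"kty": "RSA", "kid": "admin-2024", "alg": "RS256", "use": "sig",
               "n": "<base64url RSA modulus placeholder>", "e": "AQAB"}]}
```

Unlike remoteJWKS there is no periodic refresh in this model, so rotating the signing key means re-applying the policy or updating the ConfigMap.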
/assign @sgargan
This issue has been automatically marked as stale because it has not had activity in the last 30 days.
+1 I have a ton of JWKS providers for a bunch of endpoints and I think the pure volume gets rate limited by our auth provider. Haven't found a workaround for that; being able to DL them locally would be great.
keeping this open to track docs work