
add requireJwt field in RequestAuthentication

Open tanujd11 opened this issue 3 months ago • 3 comments

Problem: Istio's RequestAuthentication has hardcoded allowMissing behavior, requiring users to combine it with AuthorizationPolicy to enforce JWT presence. This results in:

  • HTTP status 403 Forbidden instead of 401 Unauthorized for missing JWT which could be a requirement.
  • Missing WWW-Authenticate header (RFC 7235).

Solution:

  • Add bool require_jwt = 15; field to JWTRule message.
  • When true: Missing JWT → 401 Unauthorized + WWW-Authenticate: Bearer header from envoy proxy.
  • When false (default): Current behavior (JWT optional).

Istio PR will be taken up if this is acceptable.

tanujd11 avatar Nov 03 '25 11:11 tanujd11
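The two-resource pattern the issue describes, as an added example that is not part of the original issue or of the Istio repository. The first two manifests are what enforcing JWT presence looks like in Istio today; the third shows the shape a `requireJwt` field would take. Namespace, workload labels, issuer and `jwksUri` are placeholders, and `requireJwt` is the field proposed in this issue, not one that exists in released Istio.

```yaml
# Added example, not from the issue. Values below (namespace, labels, issuer,
# jwksUri) are placeholders.
#
# 1) RequestAuthentication alone validates a token if one is present. A request
#    with an invalid or expired token is rejected with 401 by the JWT filter,
#    but a request with NO token is admitted (the hardcoded allowMissing
#    behaviour the issue refers to).
apiVersion: security.istio.io/v1
kind: RequestAuthentication
metadata:
  name: httpbin-jwt
  namespace: foo
spec:
  selector:
    matchLabels:
      app: httpbin
  jwtRules:
  - issuer: "https://issuer.example.com"
    jwksUri: "https://issuer.example.com/.well-known/jwks.json"
---
# 2) To reject requests that carry no token, users add an ALLOW policy that
#    only matches authenticated request principals. Anything that does not
#    match an ALLOW rule is denied, so a missing token is now rejected, but by
#    the authorization filter: the client sees 403 Forbidden and no
#    WWW-Authenticate header, which is the mismatch the issue raises.
apiVersion: security.istio.io/v1
kind: AuthorizationPolicy
metadata:
  name: httpbin-require-jwt
  namespace: foo
spec:
  selector:
    matchLabels:
      app: httpbin
  action: ALLOW
  rules:
  - from:
    - source:
        requestPrincipals: ["*"]
---
# 3) Proposed form from this issue (hypothetical: requireJwt is not a released
#    Istio field; the camelCase name follows Istio's YAML convention for the
#    proto field require_jwt). With requireJwt: true the JWT filter itself
#    would answer a missing token with 401 and a WWW-Authenticate: Bearer
#    header, and no AuthorizationPolicy would be needed for presence alone.
apiVersion: security.istio.io/v1
kind: RequestAuthentication
metadata:
  name: httpbin-jwt-required
  namespace: foo
spec:
  selector:
    matchLabels:
      app: httpbin
  jwtRules:
  - issuer: "https://issuer.example.com"
    jwksUri: "https://issuer.example.com/.well-known/jwks.json"
    requireJwt: true
```

One caveat worth keeping in mind with manifest 2: because it is an ALLOW policy, every request to the selected workload that does not present a valid token is denied, including paths such as health checks; those need their own ALLOW rule (for example by path) or they will start failing with 403 once the policy is applied.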

😊 Welcome @tanujd11! This is either your first contribution to the Istio api repo, or it's been a while since you've been here.

You can learn more about the Istio working groups, Code of Conduct, and contribution guidelines by referring to Contributing to Istio.

Thanks for contributing!

Courtesy of your friendly welcome wagon.

istio-policy-bot avatar Nov 03 '25 11:11 istio-policy-bot

@tanujd11: The following test failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name: release-notes_api
Commit: a6c960ed170a28c00f9b4d30bd24aedcfadc27ac (link)
Required: false
Rerun command: /test release-notes

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

istio-testing avatar Nov 03 '25 11:11 istio-testing

With that being said, is there anything stopping us from adding this as a feature without changing the default behaviour, for backwards compatibility, as this could be a requirement? It is also a feature in Envoy (not exposed by Istio) where no header means unauthorised (so that authn could be retried) instead of denied, which is hardcoded in Istio.

tanujd11 avatar Nov 04 '25 04:11 tanujd11