Update envoy to jwt clock_skew change

[qiwzhang]

Signed-off-by: Wayne Zhang qiwzhang@google.com

It is to fix: #369

[google-oss-robot]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: qiwzhang, TAOXUY

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details

Needs approval from an approver in each of these files:

• OWNERS [TAOXUY,qiwzhang]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[qiwzhang]

/retest

[google-oss-robot]

New changes are detected. LGTM label has been removed.

[qiwzhang]

/test ESPv2-presubmit-asan

[qiwzhang]

/test ESPv2-presubmit-asan

[nareddyt]

Hi @qiwzhang, was there a change in upstream envoy that changes this test? Just curious why it changed, it's not obvious.

[qiwzhang]

Yes, it is due to my recently submitted pr envoyproxy/envoy#13839
If a Jwt has "iss" and "iss" doesn't matched the one specified in the provider, it will return JwtUnknownIssuer.
In this PR, JwtUnkownIssuer is treated as JwtMissing.

This is the part I am debating, if the spec wants to verify JWT with "iss1" and allow_missing. But a JWT with "iss2" comes, should we reject it? Is this consider as "missing"?

For now, it is considered as "missing" and it is accepted.

[nareddyt]

I see, that is interesting. JWT requirement config allows both allow_missing and allow_missing_or_failed. Wouldn't the issuer mismatch be a verification failure? Then allow_missing should reject it, but allow_missing_or_failed should pass through.

https://www.envoyproxy.io/docs/envoy/latest/api-v2/config/filter/http/jwt_authn/v2alpha/config.proto#config-filter-http-jwt-authn-v2alpha-jwtrequirement

[nareddyt]

Well, maybe you could clarify what the term "verification" means in this documentation. Verifying the entire token (including the issuer), or just verifying the signature matches?

[qiwzhang]

We verify signature, "aud" and "iss".