Describe the feature request
I'd like to use existing JWTs with alg=RS384 or alg=RS512 claims with Istio's end user authentication policies. Currently, the JWT authn filter will reject all JWTs with alg claims outside of ['RS256', 'ES256'].
Describe alternatives you've considered
The only way right now seems to be changing existing applications to use the weaker hash algorithm (SHA256 for RS256), which is not a good option.
Affected product area (please put an X in all that apply)
[ ] Configuration Infrastructure
[ ] Docs
[ ] Installation
[ ] Networking
[ ] Performance and Scalability
[ ] Policies and Telemetry
[x] Security
[ ] Test and Release
[ ] User Experience
[ ] Developer Infrastructure
Additional context
I created a PR to the jwt_verify_lib that is used by the upstream Envoy JWT filter. Will file a PR to make the same changes to istio/proxy's JWT filter as well, so we have parity as long as the switchover has not happened yet.
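The rejection described in this issue can be checked ahead of a rollout by reading only the JWT header. The following is an added example, not part of the original issue and not Istio or Envoy code: it takes the accepted set `['RS256', 'ES256']` from the issue text as an assumption, and the helper names and sample tokens are constructed for illustration.

```python
import base64
import binascii
import json

# Allowlist as described in the issue text; an assumption, not read from Istio source.
ACCEPTED_ALGS = frozenset({"RS256", "ES256"})

def b64url_decode(segment: str) -> bytes:
    """Decode an unpadded base64url JWT segment."""
    padded = segment + "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(padded)

def header_alg(token: str):
    """Return the alg value from a compact JWS header, or None if malformed."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    try:
        header = json.loads(b64url_decode(parts[0]))
    except (ValueError, binascii.Error):
        return None
    alg = header.get("alg") if isinstance(header, dict) else None
    return alg if isinstance(alg, str) else None

def audit(tokens, accepted=ACCEPTED_ALGS):
    """Map each token label to 'accepted', 'rejected:<alg>' or 'malformed'."""
    report = {}
    for label, token in tokens.items():
        alg = header_alg(token)
        if alg is None:
            report[label] = "malformed"
        elif alg in accepted:
            report[label] = "accepted"
        else:
            report[label] = f"rejected:{alg}"
    return report

def sample_token(alg: str) -> str:
    """Constructed token: real header, placeholder payload and signature."""
    head = base64.urlsafe_b64encode(json.dumps({"alg": alg, "typ": "JWT"}).encode())
    return head.decode().rstrip("=") + ".e30.c2ln"

SAMPLES = {name: sample_token(name) for name in ("RS256", "ES256", "RS384", "RS512")}
SAMPLES["broken"] = "not-a-jwt"

if __name__ == "__main__":
    for label, verdict in audit(SAMPLES).items():
        print(f"{label}: {verdict}")
```

This only inspects the header to predict filter behaviour; it does not verify signatures and is not a substitute for the filter's own validation.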