Simple gRPC service that implements Envoy's External Authorization Filter.
Envoy JWT Auth Helper needs to be configured as an External Authorization filter for Envoy. Then, for every HTTP request sent to the Envoy forward proxy, it obtains a JWT-SVID from the SPIRE Agent and inject it as a new request header. Finally the request is sent back to Envoy. On the other side, when the HTTP request arrives at the reverse proxy, the Envoy External Authorization module send the request to the Envoy JWT Auth Helper which extracts the JWT-SVID from the header and connect to the SPIRE Agent to perform the validation. Once validated, the request is sent back to Envoy. If validation fails the request is denied.
This simple authentication server supports 2 modes:
Connects to the SPIRE Agent to fetch a JWT-SVID which then is injected it into the request as a new header.
Extracts the added header from the request and connects to the SPIRE Agent to validate it.
go build./envoy-jwt-auth-helper -config envoy-jwt-auth-helper.confsocket_path = "unix:///tmp/agent.sock"
host = "127.0.0.1"
port = 9010
jwt_mode = "jwt_svid_validator"
audience = "spiffe://example.org/myservice"
Include an External Authorization Filter in the Envoy configuration that connects to the service. This is accomplish by adding a new HTTP filter:
http_filters:
- name: envoy.ext_authz
config:
grpc_service:
envoy_grpc:
cluster_name: ext-authz
timeout: 0.5sAnd the corresponding cluster:
- name: ext-authz
connect_timeout: 1s
type: strict_dns
http2_protocol_options: {}
hosts:
- socket_address:
address: 127.0.0.1
port_value: 9010Note that the cluster is configured to talk to 127.0.0.1:9010, the host and port set on the configuration example.