JWT Support #3704

Open

jcochran-asapp opened this issue Nov 12, 2019 · 25 comments

Comments

@jcochran-asapp

In order to facilitate authentication and authorization using the same mechanisms which are used in other parts of our ecosystem, it would be great to add JWT support to linkerd. Here are some use cases:

  1. Linkerd is able to accept and verify a JWT with keys from an arbitrary endpoint.
  2. Linkerd is able to parse claims in a JWT and drop inbound connections which don't have certain claims.
  3. Linkerd is able to pass the parsed & verified JWT along in a header for use in the application it is proxying.
@SidharthBansal

SidharthBansal commented May 4, 2020

Hello, I am a fourth-year CSE student. I did GSoC'18 at Public Lab (Ruby on Rails) and a Google Internship (Android), India, and wrote two research papers in NLP (Python).
I am willing to be mentored on this issue for the Community Bridge program. Can you please help me get started with it and with linkerd?
Thanks

@SidharthBansal

@grampelberg

@grampelberg
Contributor

@SidharthBansal that sounds fantastic! Why don't you jump into the #contributors channel on slack? We'd love to get to know you!

WRT this specific issue, you'll want to write up an RFC. I would recommend spending some time in the codebase and chatting with us first as this is going to have a lot of little pieces of work required.

@SidharthBansal

Thanks for the link to the slack channel. Can you please tell me how to get started with this issue? I have worked on Multi Authentication systems in GSoC'18 (https://gist.github.com/SidharthBansal/4968cf15675cfc700bc2a8d952489ae0). It was a little similar to JWT I guess.

@abatilo

abatilo commented Oct 22, 2020

Whatever happened to this discussion? Was it dropped?

@grampelberg
Contributor

@abatilo we'd still love to implement this and could use help if you're up for it =)

@abatilo

abatilo commented Oct 26, 2020

> @abatilo we'd still love to implement this and could use help if you're up for it =)

😅 This sounds like it goes way beyond my understanding right now. I came across this issue while doing some research for potentially switching off Istio. I've never even installed/ran linkerd.

@grampelberg
Contributor

@abatilo we find that most folks want JWT support at the ingress level. As that's supported by many great ingress controllers out there, it might be sufficient for your needs =)

@rajivml

rajivml commented Nov 17, 2020

We are also looking for an alternative to istio as it's very complex to manage istio in production... JWT token parsing and validation at the ingress gateway level is one of the istio features that we rely upon

@grampelberg
Contributor

@rajivml as Linkerd does not implement ingress at all, I'd recommend checking out Ambassador or Gloo. They both implement JWT parsing and validation and would solve your problem for you.

@halcyondude

halcyondude commented Dec 13, 2020

We're using oauth2-proxy combined with nginx-ingress to provide authenticated access to the linkerd 2.8 dashboard (in our case on EKS). Has there been an enumeration of concerns, RFC, or (rough) design re: implementing authorization using JWT? We'll do a bit of source diving to assess, but if there's existing collateral that would be great to start with.

@adleong
Member

adleong commented Dec 14, 2020

@halcyondude I think most of the discussion on JWT has been here on this issue. Using oauth2-proxy with nginx-ingress to provide authenticated access to Linkerd's dashboard seems like a reasonable solution to me. Is there a shortcoming of that solution?

@camsjams

@grampelberg Hi!

Is this still a desired feature and in need of feature collection and implementation?

I am looking at either adopting Linkerd and I like Linkerd's core concepts and mission.

Am I correct that this would first need an RFC and then some sort of game plan?

I would love to spearhead this as I am a big fan of Rust and JWT, and would love for Linkerd to have this feature.

@xpepermint

JWT support would be great, but I think that Linkerd should support custom "plugins" or "filters" which would allow anyone to add such functionality in no time. Adding support for X, Y and Z would potentially be a bad thing for the project because they would have to support all those custom pieces and from the developer's perspective, that would sooner or later become unsustainable. Let the team focus on maintaining and upgrading the core of the project, all the rest should be in the domain of the wider community efforts.

@camsjams

If it makes sense to create an add-on for this feature, that seems fine to me. I'm new to this thread but I think the original intention was built-in much like how Istio does it, which is agnostic to any particular solution (aside from a JWT in the header) and more focused on the actual step of authentication and authorization. Given that a large majority of Auth providers and Customer Identity and Access Management (CIAM) utilize JWT, I would be hard-pressed to find an alternate solution that would make sense, meaning I'm not sure how many other plugins would really get created and used.

@xpepermint if you have a link to getting started on a plugin or filter as mentioned, please provide. I was looking at the add-ons section but I could not find the section that outlines how to make them, and the link to the charts is not working.

If we're starting a conversation about some rough features as mentioned by @halcyondude, the basic features are all pretty standard fare for JWT (regardless of whether it is a plugin or built-in):

  • JWT based authentication
  • Configurable audience
  • Configurable issuer
  • Configurable URL for JSON Web Key Set (JWKS) with configurable cache for JWKS endpoint contents
  • Configurable scope/target for a given request or service
  • OAuth 2 token based authorization with scope definitions

@xpepermint

@camsjams don't get me wrong. We are on the same page here and agree that such features are needed. I just want to warn the decision-makers to choose the right path for this story. Extending the project into an all-in-one solution by adding features rather than adding support for extending Linkerd and its proxy, could mean the start of its end or at least a never-ending story for the team. So to prevent such scenarios and keep the development sustainable, I'm proposing a "filters" feature that would basically cover all the possibilities that other providers have (e.g. Envoy). If the feature you need is not there, you would simply build it yourself. Currently, plugins/filters are not supported so I guess adding such a feature should be considered as a priority.

@rustrial

Maybe this could be addressed by adding proxy-wasm support; there is already an ongoing discussion about that. Basically, that would add general extensibility to linkerd2, on top of which JWT (and other) filters could then be established.

@abdollahpour

I think it would be a great feature if linkerd could provide JWT validation in the proxy. I've been using centralised authentication methods like using Ingress, and I even made an open-source project out of that idea (micro-auth-request), but the problem is they create a single point of failure. Having it in the proxy, scaling as the service scales, would make much more sense.

@krishnakumar797

krishnakumar797 commented Apr 28, 2022

Can we control traffic to the pods using a ServerAuthorization policy based on JWT token claims? This would be similar to the AuthorizationPolicy in Istio.

@olix0r
Member

olix0r commented May 3, 2022

@krishnakumar797 Not yet. Edge releases now include a new AuthorizationPolicy resource that is generic over the type of required authentication, so it will be possible to extend this to, for instance, target a JWTAuthentication type. This feature is not yet scheduled, however.

@brian-provenzano

Has this been roadmapped for the near future? We are looking at meshes right now and since linkerd does not have this we will likely have to go with istio (and for that reason only :( ).

@blakeromano

We would love to see this prioritized!

@rye-sw

rye-sw commented Jul 24, 2023

We'd like to have the feature too!

@anikjp

anikjp commented Aug 9, 2023

Could we please get an update on the progress of adding JWT support to Linkerd? I've noticed several discussions about the potential benefits and use cases for this feature, and it seems like a valuable addition to the Linkerd ecosystem. Given the importance of JWT for authentication and authorization in many environments, I believe this feature could enhance Linkerd's adoption.

We are in a situation where, just because Linkerd doesn't provide JWT support yet, we need to find other meshes, whereas Linkerd could be a great fit for us.
If there is any roadmap for this feature, please share it with us so that we can still consider it.

@whiskeysierra

> If we're starting a conversation about some rough features as mentioned by @halcyondude, the basic features are all pretty standard fare for JWT (regardless of whether it is a plugin or built-in):
>
> * JWT based authentication
> * Configurable audience
> * Configurable issuer
> * Configurable URL for JSON Web Key Set (JWKS) with configurable cache for JWKS endpoint contents
> * Configurable scope/target for a given request or service
> * OAuth 2 token based authorization with scope definitions

I'd like to add:

  • Configurable header names (not just Authorization)
  • Multiple JWT authentications (i.e. multiple headers) for the same request
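The checks that the feature lists above (@camsjams's list and the header-name addition here) describe, as an added reference example that is not Linkerd code and is not from this thread: `Policy` carries the configurable issuer, audience, required scope and header name, and `verify()` pins the algorithm and checks the signature before any claim is trusted. It assumes HS256 with a shared secret so it runs offline; a proxy backed by a JWKS endpoint would instead select an RS256/ES256 public key by `kid`, and `sign()` exists only to mint constructed test tokens.

```python
import base64
import hashlib
import hmac
import json
from dataclasses import dataclass

@dataclass(frozen=True)
class Policy:
    issuer: str
    audience: str
    scope: str    # required OAuth 2 scope for the target route or service
    header: str   # configurable header name, not only Authorization
    key: bytes    # HS256 secret (assumption; a proxy would pin a JWKS key by kid)

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign(claims: dict, key: bytes) -> str:
    """Mint an HS256 token from constructed claims so verify() can run offline."""
    header = b64url(b'{"alg":"HS256","typ":"JWT"}')
    signing_input = header + "." + b64url(json.dumps(claims).encode())
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url(sig)

def verify(headers: dict, policy: Policy, now: int) -> dict:
    """Return the verified claims, or raise ValueError naming why the request is rejected."""
    token = headers.get(policy.header, "").removeprefix("Bearer ")
    try:
        h, p, s = token.split(".")
        alg = json.loads(b64url_decode(h)).get("alg")
    except (ValueError, AttributeError):
        raise ValueError("malformed token") from None
    if alg != "HS256":  # pin the algorithm; the token must never choose it (alg=none, key confusion)
        raise ValueError("unexpected alg")
    expected = hmac.new(policy.key, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(b64url_decode(s), expected):  # signature before any claim is trusted
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(p))
    if claims.get("iss") != policy.issuer:
        raise ValueError("issuer mismatch")
    if claims.get("aud") != policy.audience:
        raise ValueError("audience mismatch")
    if now >= int(claims.get("exp", 0)):
        raise ValueError("token expired")
    if policy.scope not in claims.get("scope", "").split():
        raise ValueError("required scope missing")
    return claims
```

The order matters: a forged or `alg=none` token is rejected before its claims are parsed, so issuer, audience, expiry and scope are only ever evaluated on a token whose signature has already been checked against the configured key.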
