JWT Support #3704
Comments
Hello, I am a fourth-year CSE student. I had done GSoC'18 at Public Lab (Ruby on Rails), Google Internship (Android), India and wrote two research papers in NLP (Python). |
@SidharthBansal that sounds fantastic! Why don't you jump into the #contributors channel on slack? We'd love to get to know you! WRT this specific issue, you'll want to write up an RFC. I would recommend spending some time in the codebase and chatting with us first as this is going to have a lot of little pieces of work required. |
Thanks for the link to the slack channel. Can you please tell me how to get started with this issue? I have worked on Multi Authentication systems in GSoC'18 (https://gist.github.com/SidharthBansal/4968cf15675cfc700bc2a8d952489ae0). It was a little similar to JWT I guess. |
Whatever happened to this discussion? Was it dropped? |
@abatilo we'd still love to implement this and could use help if you're up for it =) |
😅 This sounds like it goes way beyond my understanding right now. I came across this issue while doing some research for potentially switching off Istio. I've never even installed/ran linkerd. |
@abatilo we find that most folks want JWT support at the ingress level. As that's supported by many great ingress controllers out there, it might be sufficient for your needs =) |
We are also looking for an alternative to istio as it's very complex to manage istio in production... JWT token parsing and validation at the ingress gateway level is one of the istio features that we rely upon |
@rajivml as Linkerd does not implement ingress at all, I'd recommend checking out Ambassador or Gloo. They both implement JWT parsing and validation and would solve your problem for you. |
We're using |
@halcyondude I think most of the discussion on JWT has been here on this issue. Using |
@grampelberg Hi! Is this still a desired feature and in need of feature collection and implementation? I am looking at either adopting Linkerd and I like Linkerd's core concepts and mission. Am I correct that this would first need an RFC and then some sort of game plan? I would love to spearhead this as I am a big fan of Rust and JWT, and would love for Linkerd to have this feature. |
JWT support would be great, but I think that Linkerd should support custom "plugins" or "filters" which would allow anyone to add such functionality in no time. Adding support for X, Y and Z would potentially be a bad thing for the project because they would have to support all those custom pieces and from the developer's perspective, that would sooner or later become unsustainable. Let the team focus on maintaining and upgrading the core of the project, all the rest should be in the domain of the wider community efforts. |
If it makes sense to create an add-on for this feature, that seems fine to me. I'm new to this thread but I think the original intention was built-in much like how Istio does it, which is agnostic to any particular solution (aside from a JWT in the header) and more focused on the actual step of authentication and authorization. Given that a large majority of Auth providers and Customer Identity and Access Management (CIAM) utilize JWT, I would be hard-pressed to find an alternate solution that would make sense, meaning I'm not sure how many other plugins would really get created and used. @xpepermint if you have a link to getting started on a plugin or filter as mentioned, please provide. I was looking at the add-ons section but I could not find the section that outlines how to make them, and the link to the charts is not working. If we're starting a conversation about some rough features as mentioned by @halcyondude, the basic features are all pretty standard fare for JWT (regardless of whether it is a plugin or built-in):
|
@camsjams don't get me wrong. We are on the same page here and agree that such features are needed. I just want to warn the decision-makers to choose the right path for this story. Extending the project into an all-in-one solution by adding features rather than adding support for extending Linkerd and its proxy, could mean the start of its end or at least a never-ending story for the team. So to prevent such scenarios and keep the development sustainable, I'm proposing a "filters" feature that would basically cover all the possibilities that other providers have (e.g. Envoy). If the feature you need is not there, you would simply build it yourself. Currently, plugins/filters are not supported so I guess adding such a feature should be considered as a priority. |
Maybe this could be addressed by adding proxy-wasm support; there is already an ongoing discussion about that. Basically, that would add general extensibility to linkerd2 on top of which then JWT (and other) filters could be established. |
I think it would be a great feature if linkerd could provide JWT validation in the proxy. I've been using centralised authentication methods like using Ingress, I even made an open-source project out of that idea (micro-auth-request), but the problem is they create a single point of failure. Having it in the proxy, where it scales as the service scales, would make much more sense. |
Can we control traffic to the pods using ServerAuthorization Policy based on JWT token claims? This will be similar to the AuthorizationPolicy in Istio. |
@krishnakumar797 Not yet. Edge releases now include a new |
Has this been roadmapped for the near future? We are looking at meshes right now and since linkerd does not have this we will likely have to go with istio (and for that reason only :( ). |
We would love to see this prioritized! |
We'd like to have the feature too! |
Could we please get an update on the progress of adding JWT support to Linkerd? I've noticed several discussions about the potential benefits and use cases for this feature, and it seems like a valuable addition to the Linkerd ecosystem. Given the importance of JWT for authentication and authorization in many environments, I believe this feature could enhance Linkerd's adoption. We are in a situation where just because Linkerd doesn’t provide JWT support yet, we need to find other meshes where linkerd could be a great fit for us. |
I'd like to add:
|
In order to facilitate authentication and authorization using the same mechanisms which are used in other parts of our ecosystem, it would be great to add JWT support to linkerd. Here are some use cases: