jwtValidation and forwardTokenField filters

[abinet]

The filter extracts Authorization Bearer token, validates using public keys of Authorization server and stores info into same map as oauthOidcUserInfo does. So we can use oidcClaimsQuery for filtering based on claims extracted from the token.

Filter parameters are:

jwtValidation(authorization_provider_url, claims, upstream_headers)
Here is the example of usage:

zalando.org/skipper-filter: jwtValidation("https://login.microsoftonline.com/<tenant_id>/v2.0/",
"sub", "X-Remote-User:sub") -> oidcClaimsQuery("/:groups.#[=="group-a"]","/:groups.#[=="group-b"]")

#1810

[aryszka]

I like the name jwtValidation because it's simple, but it may not fit well with the existing conventions of the authnz filters. What are the thoughts of others on this?

[szuecs]

I think naming us fine, but only reading the pr message, I think we miss an auto refresh of JKS. Keys (public keys). See tokenintrospection filters for issuer well known configuration integration.

[abinet]

I suppose to have resolved all the issues mentioned by review. @szuecs @AlexanderYastrebov can you have a look once you get time please.

[szuecs]

Other than the godoc is fine to merge IMO.
We could make the critical sections even smaller in registerKeyFunction(). We could split it into 2 there, because we only need to guard the map access.
If you want to go further you could also change the Mutex to RWMutex and use RLock() and Lock(), because we rarely use the write lock to update the map and we read much more often (every request), but that's optimization which we might not need.

[AlexanderYastrebov]

@abinet Please update PR description to match the implementation (you may squash commits and write a detailed commit message that could be used as PR description)

[szuecs]

please rebase to master as we merged the fix for master, thanks

[szuecs]

The last missing piece IMO is #1811 (comment).
To be more clear, I would like to have it like this:

func registerKeyFunction(url string) (err error) {
	m.RLock()
	if _, ok := jwksMap[url]; ok {
		m.Unlock()
		return nil
	}
	m.Unlock()
....
	jwks, err := keyfunc.Get(url, options)
	if err != nil {
		return fmt.Errorf("failed to get the JWKs from the given URL %s Error:%w", url, err)
	}
	m.Lock()
	jwksMap[url] = jwks
	m.Unlock()
	return nil
}

I want to have it because keyfunc.Get( can take long blocking all Requests with the write lock.
And we have now only small critical sections, of course we needed to write a bit more lines, but this is fine.

[szuecs]

👍

[aryszka]

👍

[szuecs]

👍

[szuecs]

@abinet Thanks great work!