Istio set token claims as header to upstream

I have done the Istio configuration for JWT security by adding Authentication and Authorization policies. My token gets validated against the JWKS URI successfully, and the authorization rules restrict the endpoints accordingly.

What I am looking for is whether there is a way to parse the JWT claims after Authentication/Authorization and append them as headers to upstream requests.

Here is the Authentication config, in which I am also adding token-data as a header -

apiVersion: security.istio.io/v1beta1
kind: RequestAuthentication
metadata:
  name: "jwt-auth"
  namespace: istio-system
spec:
  selector:
    matchLabels:
      istio: ingressgateway
  jwtRules:
  - issuer: "example.com"
    jwksUri: "http://my-service-endpoint/.well-known/jwks.json"
    outputPayloadToHeader: "token-data"

Authorization Policy config is like -

apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: "jwt-auth"
  namespace: istio-system
spec:
  selector:
    matchLabels:
      istio: ingressgateway
  rules:
  - from:
    - source:
        requestPrincipals: ["*"]
  - to:
    - operation:
        paths: ["/login", "/.well-known/jwks.json"]

In an Istio discussion I came across a custom CRD named Rule which allows headerOperations manipulation, but I am not able to use it because this Custom Resource does not exist.

apiVersion: config.istio.io/v1alpha2
kind: rule
metadata:
  name: auth-headers
spec:
  request_header_operations:
  - name: X-username
    values:
    - request.auth.claims["username"]

The only CRDs for Istio I have with the default profile are -

kubectl get -n istio-system crd
NAME                                       CREATED AT
authorizationpolicies.security.istio.io    2022-07-10T07:55:01Z
destinationrules.networking.istio.io       2022-07-10T07:55:01Z
envoyfilters.networking.istio.io           2022-07-10T07:55:01Z
gateways.networking.istio.io               2022-07-10T07:55:01Z
istiooperators.install.istio.io            2022-07-10T07:54:37Z
peerauthentications.security.istio.io      2022-07-10T07:55:01Z
proxyconfigs.networking.istio.io           2022-07-10T07:55:01Z
requestauthentications.security.istio.io   2022-07-10T07:55:01Z
serviceentries.networking.istio.io         2022-07-10T07:55:02Z
sidecars.networking.istio.io               2022-07-10T07:55:02Z
telemetries.telemetry.istio.io             2022-07-10T07:55:02Z
virtualservices.networking.istio.io        2022-07-10T07:55:02Z
wasmplugins.extensions.istio.io            2022-07-10T07:55:02Z
workloadentries.networking.istio.io        2022-07-10T07:55:02Z
workloadgroups.networking.istio.io         2022-07-10T07:55:02Z

Also, I am not able to create a Rule CRD.
I would like to understand what I am missing here. Is there any other way to do this?

I verified for global.disablePolicyChecks=true|false but this property does not exist.
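As an added note on the `outputPayloadToHeader: "token-data"` setting in the RequestAuthentication above (example code, not part of the thread): Envoy's jwt_authn filter forwards the verified JWT payload in that header as base64url-encoded JSON, so an upstream service can already read claims from it. The header name, the issuer value and the sample payload below are taken from the question or constructed for the example.

```python
import base64
import json
from typing import Any, Dict, Optional


def decode_payload_header(value: str) -> Dict[str, Any]:
    """Decode the base64url JSON payload that the jwt_authn filter writes
    into the outputPayloadToHeader header ("token-data" in the question).
    Envoy emits unpadded base64url; padding is restored before decoding."""
    value = value.strip()
    padded = value + "=" * (-len(value) % 4)
    claims = json.loads(base64.urlsafe_b64decode(padded))
    if not isinstance(claims, dict):
        raise ValueError("JWT payload is not a JSON object")
    return claims


def claim_from_headers(headers: Dict[str, str], claim: str,
                       header_name: str = "token-data",
                       expected_issuer: str = "example.com") -> Optional[str]:
    """Return one claim from the forwarded payload, or None if absent.
    The value is only trustworthy because the gateway verified the JWT
    signature and its AuthorizationPolicy rejects requests without a
    principal; the issuer check is a defence-in-depth sanity check.
    Header names are assumed lower-cased, as Envoy normalises them."""
    value = headers.get(header_name)
    if value is None:
        return None
    claims = decode_payload_header(value)
    if claims.get("iss") != expected_issuer:
        return None
    found = claims.get(claim)
    if isinstance(found, list):           # e.g. a "group" claim with several values
        return ",".join(str(x) for x in found)
    return None if found is None else str(found)


# Constructed sample: what the upstream sees after the gateway verified
# a token issued by example.com for user "alice".
SAMPLE_PAYLOAD = {"iss": "example.com", "sub": "1234", "username": "alice",
                  "group": ["dev", "ops"], "exp": 1700000000}
SAMPLE_HEADERS = {
    "token-data": base64.urlsafe_b64encode(
        json.dumps(SAMPLE_PAYLOAD, separators=(",", ":")).encode()
    ).rstrip(b"=").decode(),
}

if __name__ == "__main__":
    print(claim_from_headers(SAMPLE_HEADERS, "username"))  # alice
    print(claim_from_headers(SAMPLE_HEADERS, "group"))     # dev,ops
```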

Currently we don’t support adding a JWT claim to a header via our ReqAuth API. It’s still planned and our team is working on it. As an alternative, for now there are several ways to fulfill this requirement -

  1. Envoy Lua Filter - I think you have already used it.
  2. You can add the header via a VirtualService as well. The following is an example VirtualService for copying the “group” claim to the “x-istio-jwt-group” header:

apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: reviews-route
spec:
  hosts:
  - reviews.prod.svc.cluster.local
  http:
  - headers:
      request:
        set:
          # Copy the group claim to the x-istio-jwt-group header
          x-istio-jwt-group:
            '%DYNAMIC_METADATA(["istio_authn", "request.auth.claims", "group"])%'
    # A route (or redirect) is required for the VirtualService to pass validation
    route:
    - destination:
        host: reviews.prod.svc.cluster.local

  3. WASM Filter - proxy/extensions/jwt_header at jwt_header_19 · mandarjog/proxy · GitHub

But there are a few limitations in these solutions; based on my understanding, the Lua filter approach is the most used solution as of now. We will be adding a permanent fix for this request in our ReqAuth API to support this feature soon.