Regarding Decoding and Manipulating JWT Tokens

Hi all,

Just wondering if there’s any established way to decode a JWT token with every request received by the Ingress Gateway?

We would like to read the JWT token, decode it, and replace it with some of the entries that are of use to us (i.e. zid, scope), and add those fields as plain text into the headers of the requests dispatched to services within the mesh.

I bumped into [Question] Decode JWT and put "sub" into a request header, but from what I understand, only certain limited fields can be extracted this way. (?)

I also read https://github.com/istio/istio/issues/8444, but the syntax provided (specifically https://github.com/BarDweller/istio-content-based-routing/blob/1a42d1029e99e64084e30117cbf744a7dac51906/istio-envoy-filter-jwt-lua.yaml) looks very different from the EnvoyFilter type as listed on the official doc (https://istio.io/docs/reference/config/networking/envoy-filter/). I tried to rewrite it into the standard by the official doc, but it doesn’t seem to do anything after being applied to the cluster.

Thank you in advance.

We are looking for a similar solution. Seems like the Authorization filter already has the ability to decode the JWT and extract the custom entries using the authn filter in Envoy.

@ovd-capturi is right, the authn filter decodes the JWT and sets it into the dynamic metadata.

I have been able to achieve that by combining the authn filter and the lua filter
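
The approach discussed in this thread (the authn filter verifies the token and a Lua filter copies selected claims into headers) could look like the following. This is an added example, not code posted by anyone in the thread or taken from the Istio project. It assumes the verified claims are published as dynamic metadata under the namespace `istio_authn` with the key `request.auth.claims`, which should be checked against the Istio version in use; the `x-jwt-*` header names are hypothetical.

```lua
-- Envoy Lua HTTP filter body (the inline code of a Lua filter at the gateway).
-- Assumptions: the authn filter publishes verified claims as dynamic metadata
-- under namespace "istio_authn", key "request.auth.claims"; check both against
-- your Istio version. The x-jwt-* header names are hypothetical.
local METADATA_NS = "istio_authn"
local CLAIMS_KEY  = "request.auth.claims"
local CLAIM_TO_HEADER = { zid = "x-jwt-zid", scope = "x-jwt-scope" }

-- Flatten one claim to a header-safe string, or nil if it must not be forwarded.
local function header_value(v)
  if type(v) == "table" then
    local parts = {}
    for _, item in ipairs(v) do parts[#parts + 1] = tostring(item) end
    v = table.concat(parts, " ")
  elseif v ~= nil then
    v = tostring(v)
  end
  -- Refuse empty values and anything with control characters (CR/LF included).
  if v == nil or v == "" or v:find("%c") then return nil end
  return v
end

function envoy_on_request(request_handle)
  local headers = request_handle:headers()

  -- Remove caller-supplied copies first, so a client cannot inject its own
  -- zid/scope when the request carries no token or the claim is absent.
  for _, name in pairs(CLAIM_TO_HEADER) do
    headers:remove(name)
  end

  local meta = request_handle:streamInfo():dynamicMetadata():get(METADATA_NS)
  local claims = meta and meta[CLAIMS_KEY]
  if type(claims) ~= "table" then
    return -- no verified token on this request: forward without claim headers
  end

  for claim, name in pairs(CLAIM_TO_HEADER) do
    local value = header_value(claims[claim])
    if value then
      headers:add(name, value)
    end
  end
end
```

The Lua filter has to sit after the authn filter in the HTTP filter chain, otherwise the metadata is not yet populated when `envoy_on_request` runs. Services in the mesh should trust these headers only on traffic that actually passed through the gateway.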