Skip to content

Add require_expiration field to JWTRule#3728

Open
laiwaikin wants to merge 1 commit into
istio:masterfrom
laiwaikin:jwtrule-require-expiration
Open

Add require_expiration field to JWTRule#3728
laiwaikin wants to merge 1 commit into
istio:masterfrom
laiwaikin:jwtrule-require-expiration

Conversation

@laiwaikin

@laiwaikin laiwaikin commented Jun 19, 2026

Copy link
Copy Markdown

What this PR does

Adds a new requireExpiration boolean field to RequestAuthentication's JWTRule (under spec.jwtRules).

When set to true, a JWT that does not carry an expiration (exp) claim is rejected. This enforces that every accepted token is short-lived and will eventually expire — a recommended posture for zero-trust deployments that rely on token expiration rather than revocation (e.g. SPIFFE JWT-SVID expiration restrictions).

This simply surfaces Envoy's existing jwt_authn require_expiration option through the Istio API. Today operators can only enable it via a brittle, low-level EnvoyFilter; this makes it a first-class, declarative field. The default value is false, which preserves the current behavior (a JWT without an exp claim is accepted and treated as non-expiring), so the change is fully backward compatible.

Notes

  • Only request_authentication.proto is hand-edited; the .pb.go, .pb.html, and customresourcedefinitions.gen.yaml changes are generated via make gen.
  • I'm willing to implement the full feature. This API PR is step 1; the istiod wiring (JwtProvider.require_expiration) plus tests will follow in istio/istio once this lands. Happy to bring it to the security working group if needed.

Part of istio/istio#59200

@laiwaikin
Add require_expiration field to JWTRule
a1bc551 
Expose Envoy's jwt_authn require_expiration option in
RequestAuthentication's JWTRule, allowing operators to reject JWTs that
lack an exp claim without resorting to EnvoyFilter.

Part of istio/istio#59200

Signed-off-by: Ted Li <ted@vip.qq.com>
@laiwaikin laiwaikin requested a review from a team as a code owner June 19, 2026 03:18
@istio-policy-bot

istio-policy-bot commented Jun 19, 2026

Copy link
Copy Markdown

😊 Welcome @laiwaikin! This is either your first contribution to the Istio api repo, or it's been
a while since you've been here.

You can learn more about the Istio working groups, Code of Conduct, and contribution guidelines
by referring to Contributing to Istio.

Thanks for contributing!

Courtesy of your friendly welcome wagon.

@linux-foundation-easycla

linux-foundation-easycla Bot commented Jun 19, 2026
edited
Loading

Copy link
Copy Markdown

CLA Signed
The committers listed above are authorized under a signed CLA.

  • ✅ login: laiwaikin / name: Ted Li (a1bc551)

@istio-testing istio-testing added the size/S Denotes a PR that changes 10-29 lines, ignoring generated files. label Jun 19, 2026
@istio-testing

istio-testing commented Jun 19, 2026

Copy link
Copy Markdown
Collaborator

Hi @laiwaikin. Thanks for your PR.

I'm waiting for a istio member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work.

Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

needs-ok-to-test size/S Denotes a PR that changes 10-29 lines, ignoring generated files.

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@laiwaikin @istio-policy-bot @istio-testing