Description
kgateway version
v2.2.0-rc.2
Is your feature request related to a problem? Please describe.
The OAuth2 integration allows for authentication from a Gateway, but authorization is another matter. The JWT token returned from an OIDC-compliant issuer is opaque to the gateway and backends would need to perform any authorization based on it. It is not available to the CEL expressions in the rbac section for a TrafficPolicy. Furthermore, claims such as the username are not available for e.g. access logging.
Describe the solution you'd like
kgateway should (optionally) add an additional jwt_authn filter to the Envoy configuration that decodes the token returned by the OAuth2 token exchange and makes the data available as metadata. This would allow RBAC rules later on to read that information.
Describe alternatives you've considered
Potentially this could be done by additionally configuring JWT auth and extracting interesting claims into headers which could then be consumed further down the filter chain. I've not had luck with that, however, potentially due to how data flows through Envoy or maybe filter ordering.
Additional Context
There is an example of how to do this with existing Envoy filters at envoyproxy/envoy#14153 (comment).
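The filter arrangement the request describes, written out as a hand-made Envoy HTTP filter chain (this is an added illustration, not kgateway's code and not the configuration from the linked Envoy comment). It assumes the oauth2 filter has already run and left the OIDC ID token in its default `IdToken` cookie; the issuer, audience, JWKS URI, cluster name, and the `jwt_payload` metadata key are placeholder values. The jwt_authn filter verifies the token and, via `payload_in_metadata`, writes the decoded claims into dynamic metadata under its own filter namespace; the rbac filter then matches on a claim from that metadata, and the access log prints the `sub` claim with `%DYNAMIC_METADATA(...)%`.

```yaml
# Added example: Envoy HTTP filter chain that exposes JWT claims to RBAC and access logs.
# Placeholder values (assumptions): issuer, audience, JWKS URI, cluster name, metadata key.
http_filters:
  # 1. The OAuth2 filter (configuration elided) performs the code exchange and stores
  #    the tokens in cookies; the ID token ends up in the "IdToken" cookie by default.

  # 2. Verify the ID token and decode its payload into dynamic metadata.
  - name: envoy.filters.http.jwt_authn
    typed_config:
      "@type": type.googleapis.com/envoy.extensions.filters.http.jwt_authn.v3.JwtAuthentication
      providers:
        oidc_provider:                       # assumed provider name
          issuer: https://idp.example.com/   # assumed issuer
          audiences:
            - my-gateway-client              # assumed OIDC client id
          from_cookies:
            - IdToken                        # cookie set by the oauth2 filter
          from_headers:
            - name: Authorization            # also accept a bearer token directly
              value_prefix: "Bearer "
          payload_in_metadata: jwt_payload   # claims land under this key
          remote_jwks:
            http_uri:
              uri: https://idp.example.com/.well-known/jwks.json   # assumed
              cluster: idp_jwks                                    # assumed cluster
              timeout: 5s
            cache_duration: 600s
      rules:
        - match:
            prefix: /
          requires:
            provider_name: oidc_provider

  # 3. Authorize on a decoded claim. The metadata namespace is the jwt_authn filter's
  #    name; the path walks payload key -> claim name.
  - name: envoy.filters.http.rbac
    typed_config:
      "@type": type.googleapis.com/envoy.extensions.filters.http.rbac.v3.RBAC
      rules:
        action: ALLOW
        policies:
          admins-only:
            permissions:
              - any: true
            principals:
              - metadata:
                  filter: envoy.filters.http.jwt_authn
                  path:
                    - key: jwt_payload
                    - key: groups            # assumed claim name
                  value:
                    list_match:
                      one_of:
                        string_match:
                          exact: admins      # assumed group value

  - name: envoy.filters.http.router
    typed_config:
      "@type": type.googleapis.com/envoy.extensions.filters.http.router.v3.Router

# 4. Access log line that includes the username (here the "sub" claim).
access_log:
  - name: envoy.access_loggers.stdout
    typed_config:
      "@type": type.googleapis.com/envoy.extensions.access_loggers.stream.v3.StdoutAccessLog
      log_format:
        text_format_source:
          inline_string: >
            [%START_TIME%] "%REQ(:METHOD)% %REQ(:PATH)%" %RESPONSE_CODE%
            user=%DYNAMIC_METADATA(envoy.filters.http.jwt_authn:jwt_payload:sub)%
```

Two points worth checking when trying this: the jwt_authn filter must sit after the oauth2 filter and before rbac in the chain, otherwise rbac sees no metadata; and a request without a valid token is rejected by jwt_authn (401) before rbac runs, so `requires` should be relaxed (for example with `allow_missing`) on any path that the OAuth2 redirect flow itself needs to reach.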