Sync APIs. @tag-name=gloo-v1.19.0-beta13

api/gloo/enterprise.gloo/v1/auth_config.proto

@@ -1484,6 +1484,8 @@ message RetryPolicy {
 }
 
 // Authorizes requests by querying a custom extauth grpc server
+// To send the request body to the ext-auth service, the settings.extauth.requestBody must be set in the Gloo Edge Settings CRD so that
+// the request body is buffered and sent.
 // Assumes that the server implements the envoy external authorization spec:
 // https://github.com/envoyproxy/envoy/blob/ae1ed1fa74f096dabe8dd5b19fc70333621b0309/api/envoy/service/auth/v3/external_auth.proto#L29
 message PassThroughGrpc {

api/gloo/gloo/external/envoy/extensions/filters/http/jwt_authn/v3/config.proto

@@ -212,6 +212,21 @@ message JwtProvider {
   // Specify the clock skew in seconds when verifying JWT time constraint,
   // such as `exp`, and `nbf`. If not specified, default is 60 seconds.
   uint32 clock_skew_seconds = 10;
+
+  // If non empty, the failure status ``::google::jwt_verify::Status`` for a non verified JWT will be written to StreamInfo DynamicMetadata
+  // in the format as: ``namespace`` is the jwt_authn filter name as ``envoy.filters.http.jwt_authn``
+  // The value is the ``protobuf::Struct``. The values of this field will be ``code`` and ``message``
+  // and they will contain the JWT authentication failure status code and a message describing the failure.
+  //
+  // For example, if failed_status_in_metadata is ``my_auth_failure_status``:
+  //
+  // .. code-block:: yaml
+  //
+  //   envoy.filters.http.jwt_authn:
+  //     my_auth_failure_status:
+  //       code: 3
+  //       message: Jwt expired
+  string failed_status_in_metadata = 11;
 }
 
 // This message specifies how to fetch JWKS from remote and how to cache it.

api/gloo/gloo/v1/enterprise/options/jwt/jwt.proto

@@ -100,6 +100,14 @@ message Provider {
 
     // Optional: ClockSkewSeconds is used to verify time constraints, such as `exp` and `npf`. Default is 60s
     google.protobuf.UInt32Value clock_skew_seconds = 8;
+
+    // Optional: When this field is set, the specified value is used as the key in DynamicMetadata to store the JWT failure status code and message under that key. If the value is empty (i.e., ""), it is ignored.
+    // This field is particularly useful when logging the failure status.
+    //
+    // For example, if the value of `attach_failed_status_to_metadata` is 'custom_auth_failure_status' then
+    // the failure status can be accessed in the access log as '%DYNAMIC_METADATA(envoy.filters.http.jwt_authn:custom_auth_failure_status)'
+    // Note: status code and message can be individually accessed as '%DYNAMIC_METADATA(envoy.filters.http.jwt_authn:custom_auth_failure_status.code)' and '%DYNAMIC_METADATA(envoy.filters.http.jwt_authn:custom_auth_failure_status.message)' respectively.
+    string attach_failed_status_to_metadata = 9;
 }
 
 message Jwks {

api/gloo/gloo/v1/options/als/als.proto

@@ -63,6 +63,10 @@ message GrpcService {
     repeated string additional_response_headers_to_log = 5;
 
     repeated string additional_response_trailers_to_log = 6;
+
+    // Additional filter state objects to log in filter_state_objects. Logger will call FilterState::Object::serializeAsProto to serialize the filter state object.
+    // See https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/access_loggers/grpc/v3/als.proto#extensions-access-loggers-grpc-v3-commongrpcaccesslogconfig
+    repeated string filter_state_objects_to_log = 7;
 }
 
 message AccessLogFilter {