Cannot Extract JWT Claims with Dotted Keys (kubernetes.io) in Istio #104
Description
I have Kubernetes-managed service account tokens, and I would like to extract some values from the JWT payload using Istio's outputClaimToHeaders feature.
The problem arises when trying to extract a claim with a dotted key (.) in its name, such as kubernetes.io.namespace. The token structure looks like this:
{
"kubernetes.io": {
"namespace": "a-namespace"
}
}
When attempting to extract the namespace field using Istio's outputClaimToHeaders, the header is not set, and Istio does not correctly retrieve the value.
Steps to reproduce:
-
Deploy an Istio RequestAuthentication policy with the following configuration:
`apiVersion: security.istio.io/v1beta1
kind: RequestAuthentication
metadata:
name: jwt-auth
namespace: istio-system
spec:
jwtRules:- issuer:
jwksUri:
fromHeaders:- name: Authorization
prefix: "Bearer "
outputClaimToHeaders: - header: istio-original-namespace
claim: kubernetes.io.namespace` - header: iss-header-check
claim: iss
- name: Authorization
- issuer:
-
Send a request with a valid JWT that contains kubernetes.io.namespace.
-
Check the headers in the downstream application
-
Observe that istio-original-namespace is missing, while other claims (e.g., iss) are correctly extracted
Some proposed fixes
- Support escaping dots in claims (e.g., kubernetes\.io.namespace).
- Allow bracket notation for nested keys (e.g., ["kubernetes.io"]["namespace"]).