Rate-limiting by JWT token

[gid-fieldcode]

In our first steps with Envoy Gateway we have installed it with Helm on Kubernetes in AWS, we have set up a few HTTPRoutes, we have integrated with Keycloak for authentication and we have enabled rate-limiting at a PoC level. This community has provided considerable help already and for that we are grateful.

In our platform we want to rate-limit not by headers (that can be spoofed) but by the contents of the submitted token that was received from Keycloak.

We have confirmed that the token contains data such as the email address of the account. How can we set up rate-limiting based on such values? In the docs there is a very brief reference to this matter, with a security provider that is configured to expose JWT claims in the form of HTTP headers, is that necessary? Can we not directly refer to the "email" claim inside the token when we define our BackendTrafficPolicy?

[arkodg]

I dont think the headers can be spoofed, they should get overwritten by the jwt filter
It does add an additional request header into the request which may not be ideal for some, and you could delete that header after its been used for ratelimiting using the RequestHeaderModifier filter https://gateway.envoyproxy.io/docs/tasks/traffic/http-request-headers/#removing-request-headers

Using SeurityPolicy's Jwt claimToHeader feature + the Distinct type in Global Ratelimit https://gateway.envoyproxy.io/docs/tasks/traffic/global-rate-limit/#rate-limit-distinct-users should solve your use case

We could enhance the Global RateLimit to treat claim as a first class clientSelector, but will take some time for that feature to land.
cc @zhaohuabing

[gid-fieldcode]

OK we have progress, we have defined a SecurityPolicy with a URI that returns a certificate for verification, and we are also exposing one of the claims as a header, so that's great.

Our next issue is that the URI for verification must contain a server name that is variable, like variable_param.company.com/auth/realms/variable_param/certs
We have used the REQ(Host) trick to extract the entire variable_param.company.com, however we also need the server name variable_param by itself for the path that follows. Is Lua the only way? Can I find an example anywhere on how to integrate a Lua script here?

[zirain]

EnvoyExtensionPolicy support wasm, that's another option.

[arkodg]

@gid-fieldcode can you elaborate a little more on how you are getting cert details ? is this mTLS with client ?

[gid-fieldcode]

@arkodg The connection from the client to the network load balancer that is provisioned by EG is over HTTPS. From the NLB to the backend it's HTTP. I hope this answers your question.

In any case we were forced to develop a little service that receives the request and returns the certificate properly. So now the JWT claim is exposed as a header, to be used for rate-limiting.

The problem we have now is that, with a rate limit of 3 per minute, Envoy allows (in all tests so far) 6 requests per minute. According to the output, the "x-ratelimit-remaining" value is not decremented with every single accepted request. I also don't know how the x-ratelimit-reset mechanism works.

I just ran a test that started at 1 second past, and finished at 42 seconds past, with 50 requests, and 6 were accepted.

[arkodg]

are you looking for something like this ? #4267 (comment)
its only available in v0.0.0-latest