This repository was archived by the owner on Jul 16, 2025. It is now read-only.

Cannot Extract JWT Claims with Dotted Keys (kubernetes.io) in Istio #104

Description

@Bredervik

I have Kubernetes-managed service account tokens, and I would like to extract some values from the JWT payload using Istio's outputClaimToHeaders feature.

The problem arises when trying to extract a claim with a dotted key (.) in its name, such as kubernetes.io.namespace. The token structure looks like this:
```json
{
  "kubernetes.io": {
    "namespace": "a-namespace"
  }
}
```

When attempting to extract the namespace field using Istio's outputClaimToHeaders, the header is not set, and Istio does not correctly retrieve the value.

Steps to reproduce:

  1. Deploy an Istio RequestAuthentication policy with the following configuration:
     ```yaml
     apiVersion: security.istio.io/v1beta1
     kind: RequestAuthentication
     metadata:
       name: jwt-auth
       namespace: istio-system
     spec:
       jwtRules:
       - issuer:
         jwksUri:
         fromHeaders:
         - name: Authorization
           prefix: "Bearer "
         outputClaimToHeaders:
         - header: istio-original-namespace
           claim: kubernetes.io.namespace
         - header: iss-header-check
           claim: iss
     ```
  2. Send a request with a valid JWT that contains kubernetes.io.namespace.

  3. Check the headers in the downstream application.

  4. Observe that istio-original-namespace is missing, while other claims (e.g., iss) are correctly extracted.

Some proposed fixes

  • Support escaping dots in claims (e.g., kubernetes\.io.namespace).
  • Allow bracket notation for nested keys (e.g., ["kubernetes.io"]["namespace"]).
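
An added example (not code from Istio or from this issue) of why a dot-separated claim path cannot reach a key that itself contains a dot, and how the proposed `\.` escape would resolve it. It assumes the claim path is split on dots into nested-object keys; `splitPath`, `lookupClaim` and `samplePayload` are hypothetical names, and the payload is constructed to match the token shape above.

```go
package main

import "fmt"

// splitPath splits a claim path on dots; a backslash-escaped dot (`\.`) is
// kept as a literal dot inside the segment instead of ending it.
func splitPath(path string) []string {
	var segs []string
	cur := []byte{}
	for i := 0; i < len(path); i++ {
		switch {
		case path[i] == '\\' && i+1 < len(path) && path[i+1] == '.':
			cur = append(cur, '.')
			i++ // skip the escaped dot
		case path[i] == '.':
			segs = append(segs, string(cur))
			cur = cur[:0]
		default:
			cur = append(cur, path[i])
		}
	}
	return append(segs, string(cur))
}

// lookupClaim walks the decoded payload one segment at a time and returns the
// string at the end of the path, or false when any step is missing.
func lookupClaim(payload map[string]any, segs []string) (string, bool) {
	var node any = payload
	for _, s := range segs {
		obj, _ := node.(map[string]any) // nil map if node is not an object
		var ok bool
		if node, ok = obj[s]; !ok {
			return "", false
		}
	}
	v, ok := node.(string)
	return v, ok
}

// samplePayload is constructed sample data, not a real token.
var samplePayload = map[string]any{
	"iss":           "issuer.example",
	"kubernetes.io": map[string]any{"namespace": "a-namespace"},
}

func main() {
	// Unescaped: segments are "kubernetes", "io", "namespace"; lookup fails.
	fmt.Println(lookupClaim(samplePayload, splitPath("kubernetes.io.namespace")))
	// Escaped: segments are "kubernetes.io", "namespace"; lookup succeeds.
	fmt.Println(lookupClaim(samplePayload, splitPath(`kubernetes\.io.namespace`)))
}
```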
