Sync APIs. @tag-name=gloo-attach-jwt-failure-status-to-metadata

api/gloo/gloo/external/envoy/extensions/filters/http/jwt_authn/v3/config.proto

@@ -212,6 +212,21 @@ message JwtProvider {
   // Specify the clock skew in seconds when verifying JWT time constraint,
   // such as `exp`, and `nbf`. If not specified, default is 60 seconds.
   uint32 clock_skew_seconds = 10;
+
+  // If non empty, the failure status ``::google::jwt_verify::Status`` for a non verified JWT will be written to StreamInfo DynamicMetadata
+  // in the format as: ``namespace`` is the jwt_authn filter name as ``envoy.filters.http.jwt_authn``
+  // The value is the ``protobuf::Struct``. The values of this field will be ``code`` and ``message``
+  // and they will contain the JWT authentication failure status code and a message describing the failure.
+  //
+  // For example, if failed_status_in_metadata is ``my_auth_failure_status``:
+  //
+  // .. code-block:: yaml
+  //
+  //   envoy.filters.http.jwt_authn:
+  //     my_auth_failure_status:
+  //       code: 3
+  //       message: Jwt expired
+  string failed_status_in_metadata = 11;
 }
 
 // This message specifies how to fetch JWKS from remote and how to cache it.

api/gloo/gloo/v1/enterprise/options/jwt/jwt.proto

@@ -100,6 +100,13 @@ message Provider {
 
     // Optional: ClockSkewSeconds is used to verify time constraints, such as `exp` and `npf`. Default is 60s
     google.protobuf.UInt32Value clock_skew_seconds = 8;
+
+    // Optional: If this field is not empty, the JWT failure status code and message are added to DynamicMetadata under the provided value.
+    // This is particularly useful when logging the status with access logs.
+    //
+    // For example, if the value of `attach_failed_status_in_metadata` is 'custom_auth_failure_status' then
+    // the status can be accessed in the access log as '%DYNAMIC_METADATA(envoy.filters.http.jwt_authn:custom_auth_failure_status:message)'
+    string attach_failed_status_in_metadata = 9;
 }
 
 message Jwks {