Page MenuHomePhabricator
Create Task
Maniphest T405578

api-gateway helm chart: use JWT to determine rate limit for rest routes
Closed, ResolvedPublic
Actions

Description

The rate limiting for the rest gateway should be based on trusted information. The user's identity and rate limiting class should be based on information from the JWT (the sub and rls fields, compare T399198#11006680).

Since we need the ability to fall back to an anonymous identity (using the IP address as the user ID), it is probably necessary to use a Lua filter in the Envoy config to process the data from the JWT. To achieve this, we can use Envoy's "dynamic meta-data" feature to plumb the JWT payload through to the Lua code, where it can then be used to inject artifical request headers for use by the rate limiting configuration.

For the JWT provider config we can use the one already present in the config for use with api.wikimedia.org. The new JWT session cookies (T398815) use the same key pair.

Implementation sketch:

  • use payload_in_metadata in the JWT provider config to instruct Envoy to store the JWT payload.
  • use request_handle:streamInfo() and streamInfo:dynamicMetadata() to access the JWT payload in Lua
  • use the information from the metadata to generate the x-wmf-user-id and x-wmf-user-class in Lua
NOTE: perhaps we should we change x-wmf-user-class to x-wmf-user-rlc to avoid confusion with other kinds of "user classes". "rlc" stands for "rate limiting class" and is used as the paylod key in the JWT.

Details

Other Assignee
daniel
Related Changes in Gerrit:
SubjectRepoBranchLines +/-
rest-gateway: remove support for insecure user ID cookiesoperations/deployment-chartsmaster+28 -98
rest-gateway: re.apply "add support for sessionJwt cookies"operations/deployment-chartsmaster+119 -9
api-gateway: Re-apply "Rest-gateway Read `ratelimit_class` and `user_id` from JWT"operations/deployment-chartsmaster+220 -6
api-gateway: Rest-gateway Read `ratelimit_class` and `user_id` from JWToperations/deployment-chartsmaster+220 -6
Customize query in gerrit

Related Objects
Search...

Event Timeline

daniel created this task.Sep 25 2025, 11:58 AM

I have tried to implement this approach in https://gitlab.wikimedia.org/daniel/rlstools/-/tree/main/environments/envoy-helm/config, but failed to make it work. I must have olverlooked some detail. The Lua code would always spit out "No JWT data!".

daniel updated the task description. (Show Details)Sep 25 2025, 12:00 PM
Tgr subscribed.Sep 25 2025, 12:09 PM

Note that the OAuth 2 access tokens use a different format for their sub claim. Fixing that is T399199: Update OAuth 2.0 sessions to include new JWT session data from core.

pmiazga moved this task from Inbox, needs triage to In progress (DO NOT USE) on the MediaWiki-Platform-Team board.Sep 25 2025, 2:02 PM
gerritbot added a comment.Sep 30 2025, 4:01 PM

Change #1192579 had a related patch set uploaded (by Pmiazga; author: Polishdeveloper):

[operations/deployment-charts@master] api-gateway: Rest-gateway Read `user_class` and `user_id` from JWT

https://gerrit.wikimedia.org/r/1192579

gerritbot added a project: Patch-For-Review.Sep 30 2025, 4:01 PM
pmiazga added a comment.Oct 6 2025, 9:15 AM

Cross linking https://phabricator.wikimedia.org/T399632 - we can use the sub claim to get user_id, but we still need to define the claim name for rate limit class.

daniel edited parent tasks, added: T398919: Epic: API rate limiting dry run (WE5.1.3b); removed: T405544: Add support for rate limiting rest gateway routes to api-gateway helm chart.Oct 6 2025, 2:42 PM
daniel edited parent tasks, added: T405544: Add support for rate limiting rest gateway routes to api-gateway helm chart; removed: T398919: Epic: API rate limiting dry run (WE5.1.3b).
daniel closed subtask T406624: Create a mediawiki maintenance script for generating JWT tokens as Resolved.Oct 30 2025, 5:56 PM
daniel changed the task status from Open to In Progress.Nov 7 2025, 12:00 PM
daniel mentioned this in T406498: Test api rate limiting on production cluster.Nov 12 2025, 12:05 PM
OWresch-WMF edited projects, added MediaWiki-Platform-Team (Q3 Kanban Board); removed MediaWiki-Platform-Team.Nov 21 2025, 11:44 AM
OWresch-WMF moved this task from Essential Work to In Progress on the MediaWiki-Platform-Team (Q3 Kanban Board) board.
daniel added a comment.Jan 6 2026, 3:17 PM

It looks like we may need to use a different issuer for jwt cookis, due to a lomitation in envory:

  • for cookies, we want to igore feailed (expired) tokens, while we want to reject them when they come from an Authorization header.
  • we want to be able to distinguish between session tokens and header based auth wrt rate limits.
  • to achieve thse two things, itl ooks like we need to define two "providers" in envoy, one useing the header and one using the cookie.

The docs have a note that says that two providers can't have the same issuer, at last now when using allow_missing, which we need to do.

daniel claimed this task.Jan 9 2026, 12:31 PM
gerritbot added a comment.Jan 23 2026, 4:15 PM

Change #1192579 merged by jenkins-bot:

[operations/deployment-charts@master] api-gateway: Rest-gateway Read `ratelimit_class` and `user_id` from JWT

https://gerrit.wikimedia.org/r/1192579

Maintenance_bot removed a project: Patch-For-Review.Jan 23 2026, 4:31 PM
gerritbot added a comment.Jan 26 2026, 12:09 PM

Change #1233154 had a related patch set uploaded (by Daniel Kinzler; author: Daniel Kinzler):

[operations/deployment-charts@master] api-gateway: Re-apply "Rest-gateway Read `ratelimit_class` and `user_id` from JWT"

https://gerrit.wikimedia.org/r/1233154

gerritbot added a project: Patch-For-Review.Jan 26 2026, 12:09 PM

Change #1233155 had a related patch set uploaded (by Daniel Kinzler; author: Daniel Kinzler):

[operations/deployment-charts@master] rest-gateway: re.apply "add support for sessionJwt cookies"

https://gerrit.wikimedia.org/r/1233155

MLechvien-WMF created subtask T416205: Deploy Production JWT key on staging cluster.Feb 2 2026, 4:27 PM
MLechvien-WMF closed subtask T416205: Deploy Production JWT key on staging cluster as Resolved.Feb 4 2026, 12:38 PM
gerritbot added a comment.Feb 4 2026, 2:49 PM

Change #1233154 merged by jenkins-bot:

[operations/deployment-charts@master] api-gateway: Re-apply "Rest-gateway Read `ratelimit_class` and `user_id` from JWT"

https://gerrit.wikimedia.org/r/1233154

gerritbot added a comment.Feb 4 2026, 2:49 PM

Change #1233155 merged by jenkins-bot:

[operations/deployment-charts@master] rest-gateway: re.apply "add support for sessionJwt cookies"

https://gerrit.wikimedia.org/r/1233155

Maintenance_bot removed a project: Patch-For-Review.Feb 4 2026, 3:31 PM
daniel closed this task as Resolved.Feb 4 2026, 6:38 PM

Merged and deployed

gerritbot added a comment.Feb 5 2026, 6:56 PM

Change #1237295 had a related patch set uploaded (by Daniel Kinzler; author: Daniel Kinzler):

[operations/deployment-charts@master] rest-gateway: remove suppotr for insecure user ID cookies

https://gerrit.wikimedia.org/r/1237295

gerritbot added a project: Patch-For-Review.Feb 5 2026, 6:56 PM
gerritbot added a comment.Feb 25 2026, 10:29 AM

Change #1237295 merged by jenkins-bot:

[operations/deployment-charts@master] rest-gateway: remove support for insecure user ID cookies

https://gerrit.wikimedia.org/r/1237295

Maintenance_bot removed a project: Patch-For-Review.Feb 25 2026, 10:30 AM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits