Migrate jwt_verify_lib from github.com/google/jwt_verify_lib to Envoy internal

[Copilot]

The github.com/google/jwt_verify_lib repository has been archived. This PR migrates the library code into Envoy's codebase to eliminate the external dependency.

Changes

New Internal Library

• Added source/extensions/filters/http/common/jwt/ containing:
  • status.h/cc, jwt.h/cc, jwks.h/cc, verify.h/cc
  • check_audience.h/cc, struct_utils.h/cc
  • simple_lru_cache.h, simple_lru_cache_inl.h

Namespace Migration

Original	New
google::jwt_verify	Envoy::Extensions::HttpFilters::Common::JwtVerify
google::simple_lru_cache	Envoy::Extensions::HttpFilters::Common::JwtVerify::SimpleLruCache

Updated Consumers

• jwt_authn filter
• oauth2 filter
• gcp_authn filter
• common/jwks_fetcher

Removed External Dependency

• com_github_google_jwt_verify from bazel/repository_locations.bzl
• _com_github_google_jwt_verify() from bazel/repositories.bzl
• bazel/jwt_verify_lib.patch

Usage

Consumer code uses namespace aliases for compatibility:

namespace JwtVerify = Common::JwtVerify;

JwtVerify::Status status;
JwtVerify::Jwt jwt;
auto jwks = JwtVerify::Jwks::createFrom(body, JwtVerify::Jwks::Type::JWKS);

Documentation

See docs/NAMESPACE_MIGRATION_DIFF.md for complete migration details.

Warning

Firewall rules blocked me from connecting to one or more addresses (expand for details)

I tried to connect to the following addresses, but was blocked by firewall rules:

• https://api.github.com/repos/google/jwt_verify_lib/git/trees/b59e8075d4a4f975ba6f109e1916d6e60aeb5613
  • Triggering command: /home/REDACTED/work/_temp/ghcca-node/node/bin/node /home/REDACTED/work/_temp/ghcca-node/node/bin/node --enable-source-maps /home/REDACTED/work/_temp/copilot-developer-action-main/dist/index.js (http block)

If you need me to access, download, or install something from one of these locations, you can either:

• Configure Actions setup steps to set up my environment, which run before the firewall is enabled
• Add the appropriate URLs or hosts to the custom allowlist in this repository's Copilot coding agent settings (admins only)

Original prompt

The github.com/google/jwt_verify_lib have been archived, it's it's depended by the jwt_authn filter. Please migrate the code to the envoy and created a PR.

1. dont change any logic but could update the namespace of the code from github.com/google/jwt_verify_lib to adapt to Envoy.
2. attach the diff of between the the original code in the github.com/google/jwt_verify_lib and new migrated code in the Envoy.
3. also need to clean up the dependency in the bzl file.

---

✨ Let Copilot coding agent set things up for you — coding agent works faster and does higher quality work when set up for your repo.