Authorization Policy rule values from request headers

r.krishnakumar · April 26, 2022, 7:57am

Currently Authorization policy rules condition values are only supported with static string values, what I need is to verify the request header value with JWT claims. Is there any way I can check the same per http route

Looking for something like below

apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: detail-auth
  namespace: bookinfo
spec:
  action: ALLOW
  selector:
    matchLabels:
      app: details
  rules:
  - to:
    - operation:
        methods: ["GET"]
        paths: ["/details/*"]
    when:
    - key: request.auth.claims[permissions]
      values: request.headers[x-customer-id] -> is it possible to do like this?
    - key: request.auth.claims[permissions]
      values: [PAYMENTS_READ]

r.krishnakumar · April 27, 2022, 12:37pm

What i need is to verify the values from the request header and compare it with the token claims. Also would it be possible to decode the JWT token claim using the values from the request header.

 when:
    - key: request.auth.claims[permissions][request.headers[x-customer-id]] -> is it possible to do like this?
      values: [INVOICE_READ]

can we dynamically decode the JWT permission claims rather than using the static string

Topic		Replies	Views
Does Authorization Policy Conditions support object array value for request.auth.claims? Security	1	965	August 11, 2020
Istio authorization trying to Match multiple values using request.headers condition	0	584	August 16, 2020
Istio 1.5 JWT claim in AuthorizationPolicy Security	8	1591	April 16, 2020
Istio set token claims as header to upstream Security security	1	1336	July 11, 2022
How to validate token header by path RequestAuthentication	2	707	December 1, 2021

Authorization Policy rule values from request headers

Related Topics