Authorization Policy rule values from request headers

r.krishnakumar · April 26, 2022, 7:57am

Currently Authorization policy rules condition values are only supported with static string values, what I need is to verify the request header value with JWT claims. Is there any way I can check the same per http route

Looking for something like below

apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: detail-auth
  namespace: bookinfo
spec:
  action: ALLOW
  selector:
    matchLabels:
      app: details
  rules:
  - to:
    - operation:
        methods: ["GET"]
        paths: ["/details/*"]
    when:
    - key: request.auth.claims[permissions]
      values: request.headers[x-customer-id] -> is it possible to do like this?
    - key: request.auth.claims[permissions]
      values: [PAYMENTS_READ]

r.krishnakumar · April 27, 2022, 12:37pm

What i need is to verify the values from the request header and compare it with the token claims. Also would it be possible to decode the JWT token claim using the values from the request header.

 when:
    - key: request.auth.claims[permissions][request.headers[x-customer-id]] -> is it possible to do like this?
      values: [INVOICE_READ]

can we dynamically decode the JWT permission claims rather than using the static string

Topic		Replies	Views
Does Authorization Policy Conditions support object array value for request.auth.claims? Security	1	1058	August 11, 2020
Istio authorization trying to Match multiple values using request.headers condition	0	647	August 16, 2020
Istio 1.5 JWT claim in AuthorizationPolicy Security	8	1698	April 16, 2020
Istio set token claims as header to upstream Security security	1	1541	July 11, 2022
How to validate token header by path RequestAuthentication	2	833	December 1, 2021

Authorization Policy rule values from request headers

Related topics