AuthorizationPolicy not Enforced

I’m using Istio 1.7 with the Ingress Gateway and Envoy Proxy sidecars on my workload.

On my Ingress Gateway, I’ve enabled JWT validation with this.

apiVersion: security.istio.io/v1beta1
kind: RequestAuthentication
metadata:
  name: tenna-oidc-userpool
  namespace: alb-system
spec:
  selector:
    matchLabels:
      app: istio-ingressgateway
  jwtRules:
  - forwardOriginalToken: true
    issuer: https://cognito-idp.us-east-1.amazonaws.com/us-east-1_jkfldsjkl

I’ve verified the Ingress Gateway is able to confirm JWT signatures/expirations and so forth. I’m also able to open selected routes to not be filtered by authentication like so.

apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: global-healthcheck-policy
  namespace: alb-system
spec:
  selector:
    matchLabels:
      app: istio-ingressgateway
  rules:
  - from:
    - source:
        requestPrincipals: ["*"]
  - to:
    - operation:
        paths: ["/healthz", "/stats/prometheus"]

But when I go and try to do more complex things to control resources dependent on JWT claims, the rules aren’t enforced for me. I’m not sure what I’m doing wrong.

I’ve tried this where I want to allow request to a certain path only if the email claim in my JWT matches. The request that should have been caught by this policy is allowed to go through even if my email is me@abc.com

apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: ingestion-bobber-admin-policy
  namespace: alb-system
spec:
  action: ALLOW
  selector:
    matchLabels:
      app: istio-ingressgateway
  rules:
  - to:
    - operation:
        paths: ["ingestion/bobber/admin"]
    when:
      - key: request.auth.claims[email]
        values: ["*@xyz.com"]

I’ve also tried using a DENY action like this and still no dice.

apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: ingestion-bobber-admin-policy
  namespace: alb-system
spec:
  action: DENY
  selector:
    matchLabels:
      app: istio-ingressgateway
  rules:
  - to:
    - operation:
        paths: ["ingestion/bobber/admin"]
    when:
      - key: request.auth.claims[email]
        notValues: ["*@xyz.com"]

Can anyone point me in the right direction on what I’m doing wrong? Also what would be a good way to analyze the rules and enforcement. I don’t see anything coming out of the envoy logs. But would like to see which part of the rule is failing or if the rule is even being activated for a request.

In your RequestAuthentication policy, it seems you didn’t specify the jwksUri field to provide the jwks for validating your JWT token?

The jwksUri is optional. It uses the OpenID API contract standards when not supplied to calculate the public key API path.