Hi.
I'm trying to use Okta, an AWS ALB and Istio to authenticate an internal office web application with Okta.
I'll summarize my test environment.
- Okta : XXXX.okta.com
- ALB : OIDC Configuration with Okta OIDC Application
- Istio
RequestAuthentication
AuthorizationPolicy
[Flow]
User access to app → Okta Redirect → Okta Login → Can Access to app
Browser (Chrome, etc) → AWS ALB → Istio Gateway → Pod(httpbin)
- Okta + AWS ALB : Success.
But the application seems to work well after Okta login without a session or cookie, though it seems to be unstable after the session timeout expires.
- Okta + Istio : Did not succeed.
I referred to many documents and blogs.
I think the Istio proxy pod does not receive the JWT-related metadata.
2.1 Configuration
I set up the Istio configurations below,
and I set the RequestAuthentication's issuer and jwksUri from the URL below:
https://XXXXX.okta.com/.well-known/openid-configuration
I wanted to redirect to Okta when the JWT does not exist, using an AuthorizationPolicy,
so I set from - source - requestPrincipals to https://XXX.okta.com/*
2.1.1 RequestAuthentication
apiVersion: security.istio.io/v1beta1
kind: RequestAuthentication
metadata:
  name: okta-aws-nginx
  namespace: oktademo
spec:
  selector:
    matchLabels:
      app: nginx
  jwtRules:
  - issuer: "https://XXXX.okta.com"
    jwksUri: "https://XXXX.okta.com/oauth2/v1/keys"
    # Without fromHeaders/fromParams, the token is only read from
    # "Authorization: Bearer <jwt>".
    # forwardOriginalToken: true
    # fromHeaders:
    # - name: x-amzn-oidc-accesstoken
2.1.2 AuthorizationPolicy
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: okta-aws-nginx
  namespace: oktademo
spec:
  selector:
    matchLabels:
      app: nginx
  action: ALLOW
  # rules:
  # - when:
  #   - key: request.auth.claims[iss]
  #     values: ["*"]
  rules:
  - from:
    - source:
        # request.auth.principal is "<iss>/<sub>" of the validated JWT
        requestPrincipals:
        - "https://XXXXX.okta.com/*"
- Related failure logs
But it fails.
[1] Chrome Browser
upstream connect error or disconnect/reset before headers. reset reason: connection termination
[2] istio-proxy logs
Set the log level to debug for rbac and jwt:
./bin/istioctl proxy-config log deploy/nginx-deployment --level "rbac:debug,jwt:debug"
[nginx-deployment-7f78dbff-x668f istio-proxy] 2022-10-11T16:11:08.000979Z debug envoy jwt Loaded JwtAuthConfig: providers {
[nginx-deployment-7f78dbff-x668f istio-proxy] key: "origins-0"
[nginx-deployment-7f78dbff-x668f istio-proxy] value {
[nginx-deployment-7f78dbff-x668f istio-proxy] issuer: "https://XXXXX.okta.com"
[nginx-deployment-7f78dbff-x668f istio-proxy] local_jwks {
[nginx-deployment-7f78dbff-x668f istio-proxy] inline_string: "{\"keys\":[{\"kty\":\"RSA\",\"alg\":\"RS256\",\"kid\":\"Us9Gmge0eo-39r0YHAi1nOahHRwrQL_QJIhdyKX-AmI\",\"use\":\"sig\",\"e\":\"AQAB\",\"n\":\"lQqE1CxZVPCvuakk3BRWQvVG4PhzjdRsv-tAdQYhbIusAcn6TMbiwcouKR02umfqvBLy2g6E8yuqAAMCtQmXn685_TAudFUp45mNwYKJ9Ae9GcnnKzoX6GPaFE90Ww4E2NsS3Bv7qI4e_4fy-vIeHwy3MCE_7tcz_M3WOZP66JIA4N_57CfggyGfoTSb9RjjUBpYxykJpQGoq2IxAEaycixSBl2wvt8t6FGZC83Ksi2CWdnp6R20LWtFRpGflL_tJds53n3iSdDM_wgjkEkVolKUvVCK5_fJZs6r2GgD0xbrES4suH_L3iEy9GaWiYUqc1R4UAdwPkSbabkjPfVp-w\"},{\"kty\":\"RSA\",\"alg\":\"RS256\",\"kid\":\"3Yj--pRVzv5leQY9Uc8tPZzTfwvvtAoZWi6UF7FchcU\",\"use\":\"sig\",\"e\":\"AQAB\",\"n\":\"pDceZMLHojXLizoyNkDdBH2QbUErJj6qsDZoQTh361Xnrkk65NJzIkqwaFWYLjkJ9H-UgZlOPjEBf65nKeldtMeDTUl3cWrTQTnCWhlnQG5ou5laeGrTdWJ0B_lx0-XVKi59P7lD5vM_P5rKRi9hytqS8H1trtXx1rq7F6kjzHisXn4m2UCEEOQd9_g8lulGm683kCZ4e2UsilElW9RjWUM9ifA0Xgary4pqUbpcBGUqe6KEunSXWg6XfIs2yQYXVTBg-VHnPqQBlSFcGdCf1k8fph0ZbbS_j915ZqBO_sHWxpXEOO4ZmMY8APrXvCTagNCUvyMTauJJPQlL1NmHVw\"}]}"
[nginx-deployment-7f78dbff-x668f istio-proxy] }
[nginx-deployment-7f78dbff-x668f istio-proxy] payload_in_metadata: "https://XXX.okta.com"
[nginx-deployment-7f78dbff-x668f istio-proxy] }
[nginx-deployment-7f78dbff-x668f istio-proxy] }
[nginx-deployment-7f78dbff-x668f istio-proxy] rules {
[nginx-deployment-7f78dbff-x668f istio-proxy] match {
[nginx-deployment-7f78dbff-x668f istio-proxy] prefix: "/"
[nginx-deployment-7f78dbff-x668f istio-proxy] }
[nginx-deployment-7f78dbff-x668f istio-proxy] requires {
[nginx-deployment-7f78dbff-x668f istio-proxy] requires_any {
[nginx-deployment-7f78dbff-x668f istio-proxy] requirements {
[nginx-deployment-7f78dbff-x668f istio-proxy] provider_name: "origins-0"
[nginx-deployment-7f78dbff-x668f istio-proxy] }
[nginx-deployment-7f78dbff-x668f istio-proxy] requirements {
[nginx-deployment-7f78dbff-x668f istio-proxy] allow_missing {
[nginx-deployment-7f78dbff-x668f istio-proxy] }
[nginx-deployment-7f78dbff-x668f istio-proxy] }
[nginx-deployment-7f78dbff-x668f istio-proxy] }
[nginx-deployment-7f78dbff-x668f istio-proxy] }
[nginx-deployment-7f78dbff-x668f istio-proxy] }
..
..
..
[nginx-deployment-7f78dbff-x668f istio-proxy] 2022-10-11T16:11:24.847523Z debug envoy rbac checking connection: requestedServerName: outbound_.80_._.nginx.oktademo.svc.cluster.local, sourceIP: 10.240.28.163:56158, directRemoteIP: 10.240.28.163:56158,remoteIP: 10.240.28.163:56158, localAddress: 10.240.28.56:80, ssl: uriSanPeerCertificate: spiffe://cluster.local/ns/istio-system/sa/istio-ingressgateway-okta-alb-service-account, dnsSanPeerCertificate: , subjectPeerCertificate: , dynamicMetadata:
[nginx-deployment-7f78dbff-x668f istio-proxy] 2022-10-11T16:11:24.847775Z debug envoy rbac enforced denied, matched policy none
[nginx-deployment-7f78dbff-x668f istio-proxy] 2022-10-11T16:18:37.933633Z warning envoy config StreamAggregatedResources gRPC config stream closed: 14, closing transport due to: connection error: desc = "error reading from server: EOF", received prior goaway: code: NO_ERROR, debug data:
[nginx-deployment-7f78dbff-x668f istio-proxy] 2022-10-11T16:18:38.177432Z info xdsproxy connected to upstream XDS server: istiod.istio-system.svc:15012
When I tried 'ipBlocks' in the authorization policy, it succeeded.
Is there any issue with my configuration?
Or I want to debug why 'source - requestPrincipals' is not applied.
How can I see a usable 'requestPrincipal' value?
Thanks.
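As an added example (not part of the original post and not Istio's own code), the following Python script mimics two things that determine whether a `requestPrincipals` rule can match: where the Envoy jwt_authn filter behind a RequestAuthentication looks for the token (only `Authorization: Bearer <jwt>` unless `fromHeaders` is set), and how Istio derives `request.auth.principal` as `<iss>/<sub>` from the validated token. The request headers, the subject and the dummy signature are constructed; the header name `x-amzn-oidc-accesstoken` is the one an OIDC-enabled ALB uses (and the one commented out in the post), the issuer is the post's placeholder, and the two key IDs are the `kid` values from the "Loaded JwtAuthConfig" log above. The script does not verify signatures (Envoy does, against the JWKS), so it is a configuration check, not a security control.

```python
import base64
import json

# Constructed inputs for this example.
ISSUER = "https://XXXX.okta.com"  # placeholder issuer, as used in the post
# Key IDs copied from the istio-proxy "Loaded JwtAuthConfig" log; only the kid is
# checked here, the RSA modulus is not used.
LOADED_KIDS = {
    "Us9Gmge0eo-39r0YHAi1nOahHRwrQL_QJIhdyKX-AmI",
    "3Yj--pRVzv5leQY9Uc8tPZzTfwvvtAoZWi6UF7FchcU",
}


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_test_token(kid: str, claims: dict) -> str:
    """Structurally valid JWT with a dummy signature (constructed test data only)."""
    header = {"alg": "RS256", "kid": kid, "typ": "JWT"}
    compact = lambda obj: b64url_encode(json.dumps(obj, separators=(",", ":")).encode())
    return ".".join([compact(header), compact(claims), b64url_encode(b"not-a-real-signature")])


def extract_token(headers: dict, from_headers=None):
    """Where the jwt_authn filter reads the token.

    With no fromHeaders in the jwtRule only "Authorization: Bearer <jwt>" is inspected.
    from_headers has the shape of RequestAuthentication jwtRules[].fromHeaders:
    [{"name": ..., "prefix": ...}], the optional prefix is stripped.
    """
    lowered = {k.lower(): v for k, v in headers.items()}
    if not from_headers:
        auth = lowered.get("authorization", "")
        return auth[len("Bearer "):].strip() if auth.startswith("Bearer ") else None
    for spec in from_headers:
        value = lowered.get(spec["name"].lower())
        prefix = spec.get("prefix", "")
        if value is not None and value.startswith(prefix):
            return value[len(prefix):].strip()
    return None


def request_principal(headers: dict, issuer: str, kids: set, from_headers=None):
    """Return (principal, reason); principal is Istio's request.auth.principal "<iss>/<sub>".

    A missing token yields (None, ...): that is the allow_missing path seen in the log,
    the request continues without a principal, so no requestPrincipals rule can match.
    """
    token = extract_token(headers, from_headers)
    if token is None:
        return None, "no token in the headers the jwtRule inspects"
    parts = token.split(".")
    if len(parts) != 3:
        return None, "malformed JWT"
    try:
        header = json.loads(b64url_decode(parts[0]))
        claims = json.loads(b64url_decode(parts[1]))
    except (ValueError, UnicodeDecodeError):
        return None, "undecodable JWT segments"
    if claims.get("iss") != issuer:
        return None, f"issuer {claims.get('iss')!r} does not match the jwtRule issuer"
    if header.get("kid") not in kids:
        return None, f"kid {header.get('kid')!r} is not among the keys loaded from jwksUri"
    if "sub" not in claims:
        return None, "no sub claim"
    return f"{claims['iss']}/{claims['sub']}", "ok"


def principal_matches(principal, patterns) -> bool:
    """Istio string matching for requestPrincipals: exact, 'prefix*', '*suffix' or '*'."""
    if principal is None:
        return False
    return any(
        p == "*" or p == principal
        or (p.endswith("*") and principal.startswith(p[:-1]))
        or (p.startswith("*") and principal.endswith(p[1:]))
        for p in patterns
    )


# Constructed request as an OIDC-enabled ALB forwards it: the access token is in
# x-amzn-oidc-accesstoken, and there is no Authorization header.
ALB_HEADERS = {
    "host": "app.example.internal",  # constructed hostname
    "x-amzn-oidc-accesstoken": make_test_token(
        "Us9Gmge0eo-39r0YHAi1nOahHRwrQL_QJIhdyKX-AmI",
        {"iss": ISSUER, "sub": "00u1example", "aud": "api://default"},  # constructed claims
    ),
}
POLICY_PATTERNS = ["https://XXXX.okta.com/*"]
ALB_FROM_HEADERS = [{"name": "x-amzn-oidc-accesstoken"}]

if __name__ == "__main__":
    for label, fh in (("default (Authorization only)", None), ("fromHeaders", ALB_FROM_HEADERS)):
        principal, why = request_principal(ALB_HEADERS, ISSUER, LOADED_KIDS, fh)
        allowed = principal_matches(principal, POLICY_PATTERNS)
        print(f"{label}: principal={principal!r} reason={why} allowed={allowed}")
```

Run as-is it prints the two cases side by side: with the jwtRule as posted (no `fromHeaders`) the ALB request carries no token where Envoy looks, the principal is empty and the ALLOW rule cannot match, which is the "enforced denied, matched policy none" outcome in the log; with `fromHeaders` naming the ALB header the principal becomes `https://XXXX.okta.com/00u1example` and the `https://XXXX.okta.com/*` pattern matches. Swap in a real token from a browser session (and the real issuer) to check locally that its `iss` and `kid` agree with what the proxy loaded.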