Hi all, I’m trying to step through the AuthService example with BookInfo and have a few questions. The current example relies on a Policy resource which I believe was deprecated in favor of the new AuthN API resources: AuthorizationPolicy and RequestAuthentication. Are the following manifests appropriate replacements?
```yaml
apiVersion: security.istio.io/v1beta1
kind: RequestAuthentication
metadata:
  name: bookinfo-productpage
  namespace: bookinfo
spec:
  selector:
    matchLabels:
      app: productpage
  jwtRules:
  - issuer: https://kubernetes.docker.internal/auth/realms/example
    jwksUri: https://kubernetes.docker.internal/auth/realms/example/protocol/openid-connect/certs
  # principalBinding: USE_ORIGIN is a field of the old authentication.istio.io/v1alpha1
  # Policy resource and is not part of RequestAuthentication; here the request
  # principal is always derived from the validated JWT (issuer/subject).
---
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: bookinfo-productpage
  namespace: bookinfo
spec:
  selector:
    matchLabels:
      app: productpage
  # rules:
  # - from:
  #   - source:
  #       requestPrincipals: ["*"]
```
If so, I can submit a PR to address this. Just wanted to make sure I was implementing them correctly first.
Second, I am using Keycloak as my OIDC provider. You can see my JWT issuer rules in the RequestAuthentication resource above. If these lines are commented out, /productpage will return a 403. If they are NOT commented out, /productpage will return a 200. This seems strange to me as the docs suggest I should expect a 401 when requests are being denied. Furthermore, why are requests being allowed when I add the JWT rule and denied when it is absent?
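As an added illustration (not part of the post above and not Istio's own implementation), here is a small Python model of the two stages a request to productpage goes through under the manifests in the post: RequestAuthentication first, then AuthorizationPolicy. The issuer string is taken from the post; the request objects, the `jwt_valid` flag, and the "wrong issuer" case are constructed inputs, and the evaluation logic is a simplification of the documented semantics rather than Envoy's filter code. It shows why the commented-out `rules` block yields 403 (a policy with no rules matches nothing), why `requestPrincipals: ["*"]` turns that into 200 only for a request carrying a valid JWT, and that 401 is reserved for requests that present a token which fails validation.

```python
from dataclasses import dataclass
from typing import Optional

# Issuer from the RequestAuthentication manifest in the post above.
ISSUER = "https://kubernetes.docker.internal/auth/realms/example"


@dataclass
class Request:
    path: str
    jwt_issuer: Optional[str] = None    # None models a request with no bearer token
    jwt_subject: Optional[str] = None
    jwt_valid: bool = True              # assumed outcome of signature/expiry validation


@dataclass
class RequestAuthentication:
    issuers: list                       # issuers listed under jwtRules


@dataclass
class AuthorizationPolicy:
    # None models the commented-out `rules:` block; otherwise a list of
    # {"requestPrincipals": [...]} rules.
    rules: Optional[list] = None


def request_authentication(ra: RequestAuthentication, req: Request):
    """Stage one. Returns (status, principal).

    Only a request that carries a token can fail here (401). A request with
    no token passes through unauthenticated, with no principal attached.
    """
    if req.jwt_issuer is None:
        return None, None
    if req.jwt_issuer not in ra.issuers or not req.jwt_valid:
        return 401, None
    return None, f"{req.jwt_issuer}/{req.jwt_subject}"


def authorization_policy(ap: AuthorizationPolicy, principal: Optional[str]) -> int:
    """Stage two (ALLOW policy). The request must match at least one rule;
    a policy with no rules matches nothing, so every request is denied (403)."""
    if ap.rules is None:
        return 403
    for rule in ap.rules:
        wanted = rule.get("requestPrincipals", [])
        if principal is not None and ("*" in wanted or principal in wanted):
            return 200
    return 403


def evaluate(ra: RequestAuthentication, ap: AuthorizationPolicy, req: Request) -> int:
    status, principal = request_authentication(ra, req)
    if status is not None:
        return status
    return authorization_policy(ap, principal)


RA = RequestAuthentication(issuers=[ISSUER])
NO_RULES = AuthorizationPolicy(rules=None)                                  # rules commented out
ANY_PRINCIPAL = AuthorizationPolicy(rules=[{"requestPrincipals": ["*"]}])  # rules uncommented

# Constructed sample requests (not captured traffic).
ANONYMOUS = Request("/productpage")
VALID = Request("/productpage", jwt_issuer=ISSUER, jwt_subject="alice")
BAD_SIG = Request("/productpage", jwt_issuer=ISSUER, jwt_subject="alice", jwt_valid=False)
WRONG_ISSUER = Request("/productpage", jwt_issuer="https://other.example/realms/x", jwt_subject="bob")


def matrix() -> dict:
    """Status code for each (policy, request) combination."""
    return {
        ("no_rules", "anonymous"): evaluate(RA, NO_RULES, ANONYMOUS),                 # 403
        ("no_rules", "valid_jwt"): evaluate(RA, NO_RULES, VALID),                     # 403
        ("any_principal", "anonymous"): evaluate(RA, ANY_PRINCIPAL, ANONYMOUS),       # 403
        ("any_principal", "valid_jwt"): evaluate(RA, ANY_PRINCIPAL, VALID),           # 200
        ("any_principal", "bad_signature"): evaluate(RA, ANY_PRINCIPAL, BAD_SIG),     # 401
        ("any_principal", "wrong_issuer"): evaluate(RA, ANY_PRINCIPAL, WRONG_ISSUER), # 401
    }


if __name__ == "__main__":
    for (policy, req), status in matrix().items():
        print(f"{policy:14s} {req:14s} -> {status}")
```

The practical check this suggests: to see the 401 path, send a request with a deliberately broken or expired token rather than no token at all; an anonymous request never reaches a 401 because RequestAuthentication lets it through and the 403 comes from the AuthorizationPolicy.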