Blacklist JWT token

I have Istio setup with JWT end user authentication on the ingress gateway.

I see that it is possible to blacklist a user by using the source.principal attribute, but I was wondering if it would be possible to blacklist a token by using the JTI? Can I set up a rule that could add this value to the request headers or make a custom attribute?

Thank you for your help.


Hey Bryan, have you worked this issue out by any chance?

I was able to configure a black list sourced from our authentication service.

# Handler: the listchecker adapter fetches the list from providerUrl and,
# with blacklist: true, denies any request whose entry appears in it.
apiVersion: config.istio.io/v1alpha2
kind: handler
metadata:
  name: token-blacklist
spec:
  compiledAdapter: listchecker
  params:
    providerUrl: http://jwt-authentication.default.svc.cluster.local/api/v2/token/blacklist
    blacklist: true
    entryType: STRINGS
---
# Instance: the value checked against the list is the jti claim of the
# validated JWT; "nobody" is the fallback when the claim is absent.
apiVersion: config.istio.io/v1alpha2
kind: instance
metadata:
  name: tokenid
spec:
  compiledTemplate: listentry
  params:
    value: request.auth.claims["jti"] | "nobody"
---
# Rule: only evaluate at the ingress gateway, and only for requests that
# carry an authenticated principal (unauthenticated requests fall through).
apiVersion: config.istio.io/v1alpha2
kind: rule
metadata:
  name: auth-blacklist
spec:
  match: source.labels["istio"] == "ingressgateway" && (request.auth.principal | "nobody") != "nobody"
  actions:
  - handler: token-blacklist
    instances: [ tokenid ]
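The configuration above only works if something serves the list at `providerUrl`. The following is an added example of such a provider, not code from the thread or from Istio: a small Go service that keeps revoked `jti` values until the corresponding token's `exp` has passed (after which the entry is dead weight, since the token would be rejected on expiry anyway), prunes stale entries, and serves the live set on the same path the post uses. The payload format is an assumption: it is written as a YAML document with a single `whitelist` key, which is the shape the listchecker adapter is assumed to parse for a fetched list (the handler's `blacklist: true` turns presence into a deny). The sample revocation in `main` is constructed for illustration.

```go
package main

import (
	"fmt"
	"net/http"
	"sort"
	"strings"
	"sync"
	"time"
)

// RevocationStore maps each revoked jti to the token's own exp claim.
// Keeping exp lets the store forget entries once the token is unusable
// anyway, so the served list stays bounded by the token lifetime.
type RevocationStore struct {
	mu      sync.Mutex
	revoked map[string]time.Time
}

func NewRevocationStore() *RevocationStore {
	return &RevocationStore{revoked: make(map[string]time.Time)}
}

// Revoke records a jti; exp is the expiry claim of the token being revoked.
func (s *RevocationStore) Revoke(jti string, exp time.Time) {
	s.mu.Lock()
	defer s.mu.Unlock()
	s.revoked[jti] = exp
}

// IsRevoked reports whether jti is on the list at time now. An entry
// whose token has already expired no longer counts as revoked.
func (s *RevocationStore) IsRevoked(jti string, now time.Time) bool {
	s.mu.Lock()
	defer s.mu.Unlock()
	exp, ok := s.revoked[jti]
	return ok && now.Before(exp)
}

// Entries returns the live jtis sorted (so the payload is stable between
// fetches) and prunes entries whose token has expired.
func (s *RevocationStore) Entries(now time.Time) []string {
	s.mu.Lock()
	defer s.mu.Unlock()
	out := make([]string, 0, len(s.revoked))
	for jti, exp := range s.revoked {
		if now.Before(exp) {
			out = append(out, jti)
		} else {
			delete(s.revoked, jti)
		}
	}
	sort.Strings(out)
	return out
}

// Payload renders the list for the listchecker adapter. Assumed format:
// a YAML document with one "whitelist" key; blacklist: true on the Istio
// handler inverts the check so listed jtis are denied. Entries are
// double-quoted so a jti containing YAML-significant characters is safe.
func Payload(entries []string) string {
	var b strings.Builder
	b.WriteString("whitelist:\n")
	for _, e := range entries {
		fmt.Fprintf(&b, "- %q\n", e)
	}
	return b.String()
}

// ServeHTTP answers Mixer's periodic fetch of providerUrl.
func (s *RevocationStore) ServeHTTP(w http.ResponseWriter, r *http.Request) {
	w.Header().Set("Content-Type", "application/x-yaml")
	fmt.Fprint(w, Payload(s.Entries(time.Now())))
}

func main() {
	store := NewRevocationStore()
	// Constructed sample: a token revoked 30 minutes before it would expire.
	store.Revoke("0f3c8b1e-example-jti", time.Now().Add(30*time.Minute))
	// Path matches the providerUrl used in the Istio handler above.
	http.Handle("/api/v2/token/blacklist", store)
	fmt.Println("serving blacklist on :8080")
	_ = http.ListenAndServe(":8080", nil)
}
```

Two practical points follow from this design: the adapter only refetches the list on its own refresh interval, so a revocation is not enforced until the next fetch, and the provider must stay reachable from Mixer or the cached copy (and eventually no list at all) is what gets enforced.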