I have Istio set up with JWT end-user authentication on the ingress gateway.
I see that it is possible to blacklist a user by using the source.principal
attribute, but I was wondering if it would be possible to blacklist a token by using the JTI? Can I set up a rule that could add this value to the request headers or make a custom attribute?
Thank you for your help.
Hey Bryan, have you worked this issue out by any chance?
I was able to configure a black list sourced from our authentication service.
```yaml
apiVersion: config.istio.io/v1alpha2
kind: handler
metadata:
  name: token-blacklist
spec:
  compiledAdapter: listchecker
  params:
    providerUrl: http://jwt-authentication.default.svc.cluster.local/api/v2/token/blacklist
    blacklist: true
    entryType: STRINGS
---
apiVersion: config.istio.io/v1alpha2
kind: instance
metadata:
  name: tokenid
spec:
  compiledTemplate: listentry
  params:
    value: request.auth.claims["jti"] | "nobody"
---
apiVersion: config.istio.io/v1alpha2
kind: rule
metadata:
  name: auth-blacklist
spec:
  match: source.labels["istio"] == "ingressgateway" && (request.auth.principal | "nobody") != "nobody"
  actions:
  - handler: token-blacklist
    instances: [ tokenid ]
```
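The handler above only works if something serves the revocation list at `providerUrl`. The following is an added example of what such a backend could look like; it is not code from this thread or from Istio. It assumes (as the listchecker adapter does) that the provider endpoint returns a JSON/YAML body whose entries are listed under a `whiteList` key, which the adapter treats as the deny set when `blacklist: true`. The `/api/v2/token/blacklist` path is taken from the handler config; the revoked-token store, the sample token and the `make_sample_token` helper are constructed for the example. Because the gateway has already validated the JWT before `request.auth.claims["jti"]` is populated, the backend never needs to verify signatures itself; it only needs to remember which `jti` values were revoked and to forget them once the token's own `exp` has passed, so the list does not grow without bound.

```python
import base64
import json
import time
from http.server import BaseHTTPRequestHandler, HTTPServer


def _b64url_decode(segment: str) -> bytes:
    # JWT segments omit base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def extract_jti(token: str) -> str:
    """Return the jti claim of a compact JWT.

    No signature check is done here on purpose: in the setup discussed above the
    ingress gateway verifies the token, and this helper is only used to read the
    claim that a revocation record needs (e.g. when a logout request arrives).
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT")
    claims = json.loads(_b64url_decode(parts[1]))
    return claims["jti"]


def make_sample_token(claims: dict) -> str:
    # Constructed, unsigned sample token for the example only; a real gateway
    # would reject it because the signature segment is a placeholder.
    header = _b64url_encode(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    body = _b64url_encode(json.dumps(claims).encode())
    return f"{header}.{body}.placeholder-signature"


class RevocationList:
    """In-memory jti denylist; an entry is kept only until its token expires."""

    def __init__(self):
        self._revoked = {}  # jti -> exp (unix seconds)

    def revoke(self, jti: str, exp: int) -> None:
        self._revoked[jti] = exp

    def prune(self, now: int) -> int:
        """Drop entries whose token has expired; returns how many were removed."""
        expired = [j for j, exp in self._revoked.items() if exp <= now]
        for j in expired:
            del self._revoked[j]
        return len(expired)

    def is_revoked(self, jti: str, now: int) -> bool:
        exp = self._revoked.get(jti)
        return exp is not None and exp > now

    def payload(self, now: int) -> dict:
        # Body served to the listchecker adapter (assumed format: entries under
        # "whiteList"; with blacklist: true the adapter rejects these values).
        self.prune(now)
        return {"whiteList": sorted(self._revoked)}


REVOCATIONS = RevocationList()


class BlacklistHandler(BaseHTTPRequestHandler):
    """Serves the path configured as providerUrl in the listchecker handler."""

    def do_GET(self):
        if self.path != "/api/v2/token/blacklist":
            self.send_error(404)
            return
        body = json.dumps(REVOCATIONS.payload(int(time.time()))).encode()
        self.send_response(200)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)


if __name__ == "__main__":
    # Constructed sample: revoke one token, then serve the list locally.
    sample = make_sample_token({"sub": "alice", "jti": "abc-123", "exp": int(time.time()) + 3600})
    REVOCATIONS.revoke(extract_jti(sample), int(time.time()) + 3600)
    HTTPServer(("127.0.0.1", 8080), BlacklistHandler).serve_forever()
```

Note that the listchecker adapter polls `providerUrl` on its `refreshInterval` and caches results, so a revocation takes effect only after the next refresh; keep that window in mind when choosing the interval, and prune by `exp` rather than by hand so the list stays small.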