Configuring JWT with RequestAuthentication does not work in Istio 1.5

Regarding JWT, I created a RequestAuthentication, configured as follows:

apiVersion: security.istio.io/v1beta1
kind: RequestAuthentication
metadata:
  name: istiobaseregion
spec:
  selector:
    matchLabels:
      app: istiobaseregion
  jwtRules:
  - issuer: "testing@secure.istio.io"
    jwksUri: "http://istiojwt:8080/istiojwt/jwk"

In the example, jwksUri points to a program I wrote, which returns JWKS JSON, but after configuration it doesn't work.
If I change jwksUri to jwks, it works.

Does anyone know why?

The cause of this problem has been found:

The above problem, where jwksUri is invalid, is mainly due to the operating mechanism of RequestAuthentication. When the RequestAuthentication configuration takes effect,
jwksUri is triggered every 20 minutes by RequestAuthentication to get the latest JWKS.

Here is the configuration that has taken effect:

apiVersion: security.istio.io/v1beta1
kind: RequestAuthentication
metadata:
  name: istiobaseregion
spec:
  selector:
    matchLabels:
      app: istiobaseregion
  jwtRules:
  - issuer: "testing@secure.istio.io"
    jwksUri: "http://172.168.50.229:8081/istiojwt/getJWK"
    # forwardOriginalToken: true
  # mTLS mode is a PeerAuthentication setting, not a RequestAuthentication field
  MutualTls:
    mode: PERMISSIVE
---
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: istiobaseregion
spec:
  selector:
    matchLabels:
      app: istiobaseregion
  action: ALLOW
  rules:
  - from:
    - source:
        requestPrincipals: ["*"]

  • jwksUri: "http://172.168.50.229:8081/istiojwt/getJWK" is the JWT service I wrote. This address is triggered every 20 minutes by RequestAuthentication to generate new JWKS and tokens (stored in Redis on the server). The valid time of the token is greater than or equal to 20 minutes.

  • The JWT service provides the "/istiojwt/getToken" interface, which returns the token cached by the server.
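As an added example (not code from this thread or from the Istio project), the Go program below models both sides of the jwksUri contract described above: the JWKS document the endpoint must serve, a token minted against one of its kids, and the verification a proxy performs (kid lookup, RS256 signature, iss, exp). It also works through the hazard implied by the 20-minute refresh: a token signed with a key that the JWKS no longer lists fails until the proxy fetches the new set, so a rotating endpoint should keep the previous kid listed for at least the refresh interval plus the token lifetime. The issuer testing@secure.istio.io comes from the RequestAuthentication above; the kids kid-old and kid-new, the subject svc-a and the 30-minute lifetime are constructed for the example. One practical check worth doing alongside this: in Istio the key set at jwksUri is fetched by istiod and pushed to the sidecars, so the URL must be resolvable and reachable from istiod's namespace, which a bare service name such as istiojwt is not from istio-system.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// jwk is one RFC 7517 key object; only kty, kid, n and e matter for RS256.
type jwk map[string]string

type jwks struct{ Keys []jwk `json:"keys"` }

var b64 = base64.RawURLEncoding

// seg base64url-decodes a JWS segment or JWK integer, returning nil on bad input.
func seg(s string) []byte {
	raw, _ := b64.DecodeString(s)
	return raw
}

// BuildJWKS renders each key's public half as the JWKS the jwksUri endpoint serves.
func BuildJWKS(keys map[string]*rsa.PrivateKey) string {
	set := jwks{Keys: []jwk{}}
	for kid, k := range keys {
		set.Keys = append(set.Keys, jwk{"kty": "RSA", "kid": kid,
			"n": b64.EncodeToString(k.N.Bytes()),
			"e": b64.EncodeToString(big.NewInt(int64(k.E)).Bytes())})
	}
	out, _ := json.Marshal(set) // maps of strings always marshal
	return string(out)
}

// MintToken signs {iss, sub, exp} as an RS256 compact JWS whose header names the kid.
func MintToken(k *rsa.PrivateKey, kid, iss, sub string, exp time.Time) string {
	hdr, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT", "kid": kid})
	body, _ := json.Marshal(map[string]any{"iss": iss, "sub": sub, "exp": exp.Unix()})
	input := b64.EncodeToString(hdr) + "." + b64.EncodeToString(body)
	digest := sha256.Sum256([]byte(input))
	sig, err := rsa.SignPKCS1v15(rand.Reader, k, crypto.SHA256, digest[:])
	if err != nil {
		panic(err) // only reachable with a malformed private key
	}
	return input + "." + b64.EncodeToString(sig)
}

// VerifyToken mirrors the sidecar: kid lookup, RS256 signature check, then iss and exp.
func VerifyToken(token, jwksJSON, wantIss string, now time.Time) (map[string]any, error) {
	parts := strings.Split(token, ".")
	var hdr struct{ Alg, Kid string }
	var claims map[string]any
	if len(parts) != 3 || json.Unmarshal(seg(parts[0]), &hdr) != nil || json.Unmarshal(seg(parts[1]), &claims) != nil {
		return nil, errors.New("malformed token")
	}
	var set jwks
	var pub *rsa.PublicKey
	json.Unmarshal([]byte(jwksJSON), &set) // an unparsable JWKS simply leaves pub nil
	for _, k := range set.Keys {
		if k["kid"] == hdr.Kid && k["kty"] == "RSA" {
			pub = &rsa.PublicKey{N: new(big.Int).SetBytes(seg(k["n"])), E: int(new(big.Int).SetBytes(seg(k["e"])).Int64())}
		}
	}
	if pub == nil || hdr.Alg != "RS256" {
		return nil, fmt.Errorf("no RS256 key for kid %q in JWKS", hdr.Kid)
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], seg(parts[2])) != nil {
		return nil, errors.New("signature verification failed")
	}
	if exp, ok := claims["exp"].(float64); claims["iss"] != wantIss || !ok || !now.Before(time.Unix(int64(exp), 0)) {
		return nil, errors.New("wrong issuer or expired token")
	}
	return claims, nil
}

// RotationDemo checks a token issued before a key rotation against a JWKS that still
// lists the old kid and one that dropped it; the second case strands in-flight tokens.
func RotationDemo() (stillValid, afterDrop bool) {
	iss, now := "testing@secure.istio.io", time.Now() // issuer from the RequestAuthentication above
	oldKey, _ := rsa.GenerateKey(rand.Reader, 2048)    // fails only if rand.Reader does
	newKey, _ := rsa.GenerateKey(rand.Reader, 2048)
	tok := MintToken(oldKey, "kid-old", iss, "svc-a", now.Add(30*time.Minute))
	overlap := BuildJWKS(map[string]*rsa.PrivateKey{"kid-old": oldKey, "kid-new": newKey})
	dropped := BuildJWKS(map[string]*rsa.PrivateKey{"kid-new": newKey})
	_, errOverlap := VerifyToken(tok, overlap, iss, now)
	_, errDropped := VerifyToken(tok, dropped, iss, now)
	return errOverlap == nil, errDropped == nil
}

func main() {
	a, b := RotationDemo()
	fmt.Println("old-kid token valid with overlap JWKS:", a, "| after old kid dropped:", b)
}
```

Serving the string returned by BuildJWKS from the getJWK path with both kids during the overlap window, and only removing kid-old once every token signed with it has expired, is what keeps the 20-minute fetch cycle from rejecting valid tokens.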

Hi, I have the same outcome in Istio 1.10.
When I declare the RequestAuthentication on the ingress workflow, it works perfectly,
but when I try to declare it on a specific service workflow in another namespace (default instead of istio-system), it is ignored. Adding the same AuthorizationPolicy that verifies the JWT exists, which works on the ingress, fails every command on the specific workflow…