Configuring JWT with requestauthentication does not work in istio 1.5

catman002 · March 11, 2020, 4:32am

About using JWT, I created requestauthentication, which is configured as follows:

apiVersion: security.istio.io/v1beta1
kind: RequestAuthentication
metadata:
 name: istiobaseregion
spec:
  selector:
    matchLabels:
      app: istiobaseregion
  jwtRules:
  - issuer: "testing@secure.istio.io"
    jwksUri: "http://istiojwt:8080/istiojwt/jwk"

In the example, jwksuri is a program I wrote, which returns jwks JSON, but after configuration, it doesn’t work.
If you change jwksuri to jwks, it works.

Does anyone know why

catman002 · March 12, 2020, 5:07am

The cause of this problem has been found:

he above problem about jwksUri is invalid, mainly due to the operation mechanism of RequestAuthentication. When the RequestAuthentication configuration takes effect,
jwksUri is triggered every 20 minutes by RequestAuthentication to get the latest new jwks.

Here is the configuration that has taken effect:

apiVersion: security.istio.io/v1beta1
kind: RequestAuthentication
metadata:
 name: istiobaseregion
spec:
  selector:
    matchLabels:
      app: istiobaseregion
  jwtRules:
  -issuer: "testing@secure.istio.io"
    jwksUri: "http://172.168.50.229:8081/istiojwt/getJWK"
  # forwardOriginalToken: true
  MutualTls:
    mode: PERMISSIVE
---
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: istiobaseregion
spec:
  selector:
    matchLabels:
      app: istiobaseregion
  action: ALLOW
  rules:
  -from:
    -source:
       requestPrincipals: ["*"]

jwksUri: “http: // http://172.168.50.229:8081/ istiojwt / getJWK” is the jwt service I wrote. This address is triggered every 20 minutes by RequestAuthentication to generate new jwks and tokens (stored in redis on the server). The valid time of the token is greater than or equal to 20 minutes.
The jwt service provides the “/ istiojwt / getToken” interface, which returns the token cached by the server.

sadonm · June 23, 2021, 1:06pm

hi I have the same outcome in istio 1.10
when I declare the requestAuthentication on the ingress workflow it works perfectly
but when I try to declare it on a specific service workflow on another namespace (default instead of istio-system) it is ignored. adding the same AuthorizationPolicy that verifies the jwt exists that works on the ingress. fails every command on the specific workflow…

Topic		Replies	Views
Istio 1.7 - JWT authentication policy problem Security	8	2249	September 23, 2020
Istio JWT authentication does not seem to be working Security	7	5739	January 27, 2021
RequestAuthentication: Inexplicably solve error "Jwks doesn't have key to match kid or alg from Jwt"	2	9855	May 18, 2023
ISTIO JWT caching Security security	6	2516	August 10, 2022
Struggling with JWT auth Security	1	680	January 4, 2022

Configuring JWT with requestauthentication does not work in istio 1.5

Related topics