Configuring JWT with requestauthentication does not work in istio 1.5

catman002 · March 12, 2020, 5:07am

The cause of this problem has been found:

he above problem about jwksUri is invalid, mainly due to the operation mechanism of RequestAuthentication. When the RequestAuthentication configuration takes effect,
jwksUri is triggered every 20 minutes by RequestAuthentication to get the latest new jwks.

Here is the configuration that has taken effect:

apiVersion: security.istio.io/v1beta1
kind: RequestAuthentication
metadata:
 name: istiobaseregion
spec:
  selector:
    matchLabels:
      app: istiobaseregion
  jwtRules:
  -issuer: "testing@secure.istio.io"
    jwksUri: "http://172.168.50.229:8081/istiojwt/getJWK"
  # forwardOriginalToken: true
  MutualTls:
    mode: PERMISSIVE
---
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: istiobaseregion
spec:
  selector:
    matchLabels:
      app: istiobaseregion
  action: ALLOW
  rules:
  -from:
    -source:
       requestPrincipals: ["*"]

jwksUri: “http: // http://172.168.50.229:8081/ istiojwt / getJWK” is the jwt service I wrote. This address is triggered every 20 minutes by RequestAuthentication to generate new jwks and tokens (stored in redis on the server). The valid time of the token is greater than or equal to 20 minutes.
The jwt service provides the “/ istiojwt / getToken” interface, which returns the token cached by the server.

Topic		Replies	Views
Istio 1.7 - JWT authentication policy problem Security	8	1977	September 23, 2020
Istio JWT authentication does not seem to be working Security	7	5045	January 27, 2021
RequestAuthentication: Inexplicably solve error "Jwks doesn't have key to match kid or alg from Jwt"	2	7778	May 18, 2023
ISTIO JWT caching Security security	6	1967	August 10, 2022
Struggling with JWT auth Security	1	526	January 4, 2022

Configuring JWT with requestauthentication does not work in istio 1.5

Related Topics