Hello,
I am integrating Keycloak with Istio security as of version 1.4.3. I would like to access the permissions from the JWT payload, but cannot access the deeper JSON path `scopes`.
The JWT payload is as below (the `permissions` claim is the part I am interested in):
```json
{
  "jti": "b8063b15-8a8e-4717-b3a9-33d466628b1f",
  "exp": 1581788041,
  "nbf": 0,
  "iat": 1581780841,
  "aud": "bookinfo",
  "typ": "Bearer",
  "auth_time": 0,
  "acr": "1",
  "permissions": [
    {
      "scopes": [
        "httpbin:headers"
      ],
      "rsid": "b7e88219-2adf-4d70-baad-6d5386d4606a",
      "rsname": "httpbin"
    }
  ],
  "active": true
}
```
The AuthorizationPolicy config is as below. On a request to httpbin/headers, Istio security should check the JSON path `request.auth.claims.permissions.scopes` to see whether the value “httpbin:headers” is assigned, but it seems `request.auth.claims` only supports first-tier keys and string-map values.

```yaml
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: api-gateway-httpbin
spec:
  selector:
    matchLabels:
      app: httpbin
  rules:
  - from:
    - source:
        namespaces: ["istio-system"]
    to:
    - operation:
        paths: ["/headers"]
    when:
    - key: request.auth.claims[permissions][scopes]
      values:
      - httpbin:headers
```

The `when` condition with `key: request.auth.claims[permissions][scopes]` does not seem to work. How do I configure it correctly, or is this currently not supported?
Thank you in advance!
Anderson
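As an added illustration (not Istio's or Keycloak's code) of the check the policy above is trying to express, the Python below evaluates the nested `permissions[].scopes` claim directly and contrasts it with a flat, first-tier-only claim lookup. The payload is a constructed sample shaped like the one in the post, and the flat-lookup model (`first_tier_string_claims`) is an assumption about how a string-map claim view behaves, not Istio's implementation.

```python
import json

# Constructed sample payload mirroring the shape of the JWT in the post above
# (the identifiers are the ones quoted there; this is not a real token).
SAMPLE_PAYLOAD = json.loads("""{
  "aud": "bookinfo",
  "typ": "Bearer",
  "permissions": [
    {"scopes": ["httpbin:headers"],
     "rsid": "b7e88219-2adf-4d70-baad-6d5386d4606a",
     "rsname": "httpbin"}
  ],
  "active": true
}""")


def first_tier_string_claims(payload):
    """Model (assumed) of a flat claim lookup: keep only top-level claims whose
    values are strings or lists of strings. Nested objects are dropped, so a
    key like request.auth.claims[permissions] cannot see the scopes inside."""
    flat = {}
    for key, value in payload.items():
        if isinstance(value, str):
            flat[key] = [value]
        elif isinstance(value, list) and all(isinstance(v, str) for v in value):
            flat[key] = list(value)
    return flat


def granted_scopes(payload, resource_name=None):
    """Walk the nested Keycloak-style permissions claim and collect scopes,
    optionally restricted to one resource name (rsname)."""
    scopes = set()
    for perm in payload.get("permissions", []):
        if not isinstance(perm, dict):
            continue
        if resource_name is not None and perm.get("rsname") != resource_name:
            continue
        scopes.update(s for s in perm.get("scopes", []) if isinstance(s, str))
    return scopes


def is_authorized(payload, required_scope, resource_name=None):
    """Deny by default: allow only if the token is marked active (as in the
    sample payload) and carries the required scope for the resource."""
    if payload.get("active") is not True:
        return False
    return required_scope in granted_scopes(payload, resource_name)
```

Running `granted_scopes(SAMPLE_PAYLOAD)` yields `{"httpbin:headers"}`, while `first_tier_string_claims(SAMPLE_PAYLOAD)` contains no `permissions` entry at all, which is the gap the question describes.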