End user authentication using JWT throws 401 unauthorized for few attempts before being successful

navrem · March 20, 2020, 4:08am

Our kubernetes cluster is running Istio 1.4.0. End user authentication is setup as below

kind: Policy
apiVersion: authentication.istio.io/v1alpha1
metadata:
  name: k8s-auth-policy
  namespace: products
spec:
  targets:
    - name: products-svc
  origins:
    - jwt:
        issuer: 'https://sts.windows.net/<tenentid>/'
        jwksUri: >-
          https://login.microsoftonline.com/<tenentid>/discovery/v2.0/keys
        triggerRules:
          - excludedPaths:
              - prefix: /swagger/

Client obtain the auth token from auth provider and its issued by is same as https://sts.windows.net/<tenentid>/ first few calls after obtaining new jwt token fails with message
Origin authentication failed. and after a while all the calls succeeds. There are 10 istio sidecars running for the service products-svc.

Any reason why this is happening?

catman002 · March 23, 2020, 9:15am

Reference resources

Topic		Replies	Views
End-user JWT authentication bypassing authentication Security	1	574	October 16, 2019
Istio JWT Auth - Origin authentication failed	6	3437	July 9, 2020
OIDC callback URI for Istio Security security	0	550	July 29, 2021
Istio (1.6.2) : RBAC Access Denied for Valid JWT Token Security security	16	3447	July 29, 2020
JWT first party/third party	1	1627	May 19, 2022

End user authentication using JWT throws 401 unauthorized for few attempts before being successful

Related topics