Error adding/updating listener(s) virtualInbound: Provider 'origins-0' in jwt_authn config has invalid local jwks: Jwks RSA [n] or [e] field is missing or has a parse error

1

I’m trying to configure JWT request authentication with Istio and I got an error in istio-proxy that I can’t explain : Error adding/updating listener(s) virtualInbound: Provider ‘origins-0’ in jwt_authn config has invalid local jwks: Jwks RSA [n] or [e] field is missing or has a parse error

IdP : Keycloak
RequestAuthentication :

kind: RequestAuthentication
apiVersion: security.istio.io/v1beta1
metadata:
  name: nginx-demo-authentication
spec:
  selector:
    matchLabels:
      app: nginx-demo
  jwtRules:
    - forwardOriginalToken: true
      issuer: 'https://iam.erable.orange.com/auth/realms/erable'
      jwksUri: >-
        https://iam.erable.orange.com/auth/realms/erable/protocol/openid-connect/certs

jwksUri is correct and accessible from istiod-basic pod.

Any idea ?

2

Up. Any idea to resolve this issue ? Thanks

3

Currently I have the same issue, I think it’s a tls issue.The keycloak self signed cert is not accepted by istio.

4

@j-jeurissen I didn’t resolve this issue but a workaround is to put jwks keys in template file directly :

jwtRules:
    - forwardOriginalToken: true
      jwks: >-
        {"keys":[{"kid":"Pvh83pdmtHSbZhTgS84R...