Hi,
I need to implement Istio JWT validation for a SINGLE microservice that exposes different paths, and I would like to have one generic AuthorizationPolicy to enable JWT for all endpoints, i.e.:
/ciao
/hi
/hello
/bonjour
and I need to exclude a single path from JWT and check the Authorization Basic header with another AuthorizationPolicy, i.e.:
/ciao/italia/
So I tested different ways to have the AuthorizationPolicy where I enable JWT validation for all paths ["*"] and then exclude with notPaths ["/ciao/italia"] from JWT, but it's not working. One of the ways is:
```yaml
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: require-jwt
  namespace: foo
spec:
  action: ALLOW
  rules:
  - to:
    - operation:
        paths: ["/*"]
    - operation:
        notPaths: ["/ciao/italia*"]
    when:
    - key: request.auth.claims[realm_access][group]
      values:
      - Claim
  selector:
    matchLabels:
      app: httpbin
```
I looked at all these resources but nothing helped me:
GitHub issue, opened 21 Sep 2020 07:10 UTC, closed 23 Sep 2020 07:10 UTC, labels kind/enhancement and area/security:
**Describe the feature request**
I am using the RequestAuthentication API at the… Istio Ingress Gateway to enforce clients to present a valid JWT token. This is working fine.
However there are some workloads within the cluster which need to be exposed without the need to have a valid JWT token. One such workload is Keycloak which serves as the OAuth provider. Keycloak is responsible for issuing tokens, so clients accessing the Keycloak's path (/auth) can NEVER present a valid JWT token. Similarly there could be other paths that I need to expose without JWT token.
In the RequestAuthentication API, there are no fields to specify excluded paths. See below the API specification in version 1.7:-
https://istio.io/latest/docs/reference/config/security/request_authentication/
In the legacy Authentication API (in Istio version 1.4) it had support for excluded paths. See below link for the API specification in Istio 1.4:-
https://istio.io/v1.4/docs/reference/config/security/istio.authentication.v1alpha1/
See below text from above link:-
>A JWT for all requests except request at path /health_check and path with prefix /status/. This is useful to expose some paths for public access but keep others JWT validated.
>
>issuer: https://example.com
>jwksUri: https://example.com/.well-known/jwks.json
>triggerRules:
>- excludedPaths:
>  - exact: /health_check
>  - prefix: /status/
**However when the API's were re-designed in Istio 1.5, this functionality is missing.**
Find below the YAML manifests of RequestAuthentication and AuthorizationPolicy I am using (these manifests enforce JWT authentication for ALL paths and specifically would permit access to path /nginx subject to meeting the rules defined in the authorization policy):-
```yaml
apiVersion: security.istio.io/v1beta1
kind: RequestAuthentication
metadata:
  name: my-request-authentication
  namespace: istio-system
spec:
  selector:
    matchLabels:
      app: istio-ingressgateway
      istio: ingressgateway
  jwtRules:
  - issuer: "https://www.example.com/auth/realms/mxe"
    jwksUri: "https://www.example.com/auth/realms/mxe/protocol/openid-connect/certs"
```
```yaml
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: my-authorization-policy
  namespace: istio-system
spec:
  selector:
    matchLabels:
      app: istio-ingressgateway
      istio: ingressgateway
  action: ALLOW
  rules:
  - from:
    - source:
        requestPrincipals: ["https://www.example.com/auth/realms/mxe/4374027b-f16e-4da1-8445-b0ebd09f5905"]
    to:
    - operation:
        paths: ["/nginx"]
```
**Describe alternatives you've considered**
The moment I install a RequestAuthentication object and an AuthorizationPolicy object, Ingress Gateway expects EVERY request to fulfill the JWT rules specified in RequestAuthentication. I don't know if my requirement can be achieved in an alternate manner using the existing APIs.
If there are alternate ways to fulfil my requirement, I would be glad if someone can point me towards that.
- [ ] Docs
- [ ] Installation
- [ ] Networking
- [ ] Performance and Scalability
- [ ] Extensions and Telemetry
- [X] Security
- [ ] Test and Release
- [ ] User Experience
- [ ] Developer Infrastructure
**Additional context**
What I found suspicious is that if there is a wildcard entry in paths ["*"], Istio is not able to exclude the path that is contained in notPaths.
In this example, Istio can exclude the path, but only if we specify the paths and not the wildcard in any path statement - Disable RequestAuthentication JWT rules for specific paths · Issue #27432 · istio/istio · GitHub.
> So I tested different ways to have the AuthorizationPolicy where I enable JWT validation for all paths ["*"] and then exclude with notPaths ["/ciao/italia"] from JWT, but it's not working

You can create an authz policy with 2 rules, the first rule uses notPaths: ["/ciao/italia"] to whitelist the path (do not require jwt) and the 2nd rule to use paths: ["*"] to require jwt on all paths.
If you can format your example policy using the ``` it would be easier to see but I suspect the issue is you are using only 1 rule instead of 2 which means all the paths are required for jwt.
Thanks, it worked!
```yaml
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: jwt-test
spec:
  selector:
    matchLabels:
      app: test
  action: ALLOW
  rules:
  - to:
    - operation:
        methods:
        - POST
        paths:
        - /ciao/italia/*
  - to:
    - operation:
        methods:
        - POST
        paths:
        - /hello/uk*
  - to:
    - operation:
        paths: ["*"]
    when:
    - key: request.auth.claims[realm_access][group]
      values: ["Test"]
```
This is a rough copy of what worked with your precious inputs.
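To make the difference between the single-rule policy and the two-rule policy concrete, here is an added Python evaluator (written for this thread, not Istio code) that models the ALLOW-rule semantics from the Istio docs: rules are OR'd, `to` and `when` inside one rule are AND'd, operations inside `to` are OR'd, and `notPaths` negates. It assumes claims come only from a token already verified by a RequestAuthentication (no token means no claims), and note that a rule whose only condition is `notPaths: ["/ciao/italia"]` matches every path except that one, which is why the working policy above uses `paths` for the exemption rule.

```python
import re

# Constructed evaluator for Istio AuthorizationPolicy ALLOW rules; the request
# is a dict {"method", "path", "claims"} with claims from a verified JWT or None.
def match_path(pattern, path):
    # Istio allows one wildcard at the start or end of a path pattern ("*" matches all)
    if pattern.endswith("*"):
        return path.startswith(pattern[:-1])
    if pattern.startswith("*"):
        return path.endswith(pattern[1:])
    return pattern == path

def op_matches(op, req):
    if "paths" in op and not any(match_path(p, req["path"]) for p in op["paths"]):
        return False
    if "notPaths" in op and any(match_path(p, req["path"]) for p in op["notPaths"]):
        return False
    if "methods" in op and req["method"] not in op["methods"]:
        return False
    return True

def claim_value(key, claims):
    # request.auth.claims[realm_access][group] -> nested lookup; None if absent
    node = claims
    for part in re.findall(r"\[([^\]]+)\]", key):
        if not isinstance(node, dict) or part not in node:
            return None
        node = node[part]
    return [str(v) for v in (node if isinstance(node, list) else [node])]

def rule_matches(rule, req):
    to = rule.get("to", [])
    if to and not any(op_matches(t["operation"], req) for t in to):
        return False
    for cond in rule.get("when", []):
        got = claim_value(cond["key"], req.get("claims"))
        if not got or not set(got) & set(cond["values"]):
            return False
    return True

def allowed(policy, req):
    # ALLOW action: the request is admitted only if at least one rule matches
    return any(rule_matches(r, req) for r in policy["rules"])

CLAIM = {"key": "request.auth.claims[realm_access][group]", "values": ["Test"]}
# Original single rule: both operations share one `when`, so /ciao/italia still needs the claim
SINGLE_RULE = {"rules": [{"to": [{"operation": {"paths": ["/*"]}},
                                 {"operation": {"notPaths": ["/ciao/italia*"]}}],
                          "when": [CLAIM]}]}
# Two rules as in the final policy: rule 1 exempts POST /ciao/italia/*, rule 2 needs the claim
TWO_RULES = {"rules": [{"to": [{"operation": {"methods": ["POST"], "paths": ["/ciao/italia/*"]}}]},
                       {"to": [{"operation": {"paths": ["*"]}}], "when": [CLAIM]}]}
```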