forwardOriginalToken: true does not work

Hi All

I am setting the following def. But somehow my token is not getting forwarded. I can see the request at ingressgateway but cannot see it getting forwarded to the backend service.

```yaml
apiVersion: "security.istio.io/v1beta1"
kind: "RequestAuthentication"
metadata:
  name: "jwt-example"
  namespace: istio-system
spec:
  selector:
    matchLabels:
      istio: ingressgateway
  jwtRules:
  - issuer: http://xxxxxx…/auth/realms/istio
    jwksUri: http://xxxxxx…/auth/realms/istio/protocol/openid-connect/certs
    forwardOriginalToken: true
```

cc @diemtvu for JWT RequestAuthentication.

I’ve verified that it’s working fine with 1.5.0 and 1.5.1.

Can you confirm that the ingress envoy config was set up correctly? E.g., you can get the config dump with this command:

```
istioctl proxy-config listener istio-ingressgateway-<redacted> -n istio-system -o json --port 80
```

And look for the envoy.filters.http.jwt_authn filter.
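The check suggested in the post above can be scripted. This is an added example, not part of the original thread: it walks a listener dump, finds the `envoy.filters.http.jwt_authn` filter, and reports whether each JWT provider has forwarding enabled. The key names `typedConfig`, `providers` and `forward` are assumptions about how the dump lays out Envoy's JWT provider config, and the sample dump is constructed.

```python
import json
import sys

JWT_FILTER = "envoy.filters.http.jwt_authn"  # filter name quoted in the thread

# Constructed sample, trimmed to the keys this check reads (not a real dump).
SAMPLE = json.loads("""
[{"name": "0.0.0.0_80", "filterChains": [{"filters": [{
   "name": "envoy.http_connection_manager",
   "typedConfig": {"httpFilters": [
     {"name": "envoy.filters.http.jwt_authn",
      "typedConfig": {"providers": {
        "origins-0": {"issuer": "https://issuer.example/realms/a", "forward": true},
        "origins-1": {"issuer": "https://issuer.example/realms/b"}}}},
     {"name": "envoy.router"}]}}]}]}]
""")

def find_filters(node, name):
    """Yield every dict anywhere in the dump whose "name" equals `name`."""
    if isinstance(node, dict):
        if node.get("name") == name:
            yield node
        for value in node.values():
            yield from find_filters(value, name)
    elif isinstance(node, list):
        for item in node:
            yield from find_filters(item, name)

def jwt_forwarding(dump):
    """Return {issuer: forward flag}, or None when the JWT filter is absent."""
    filters = list(find_filters(dump, JWT_FILTER))
    if not filters:
        return None
    result = {}
    for f in filters:
        # Assumed key spellings for the filter's config across dump formats.
        cfg = f.get("typedConfig") or f.get("typed_config") or f.get("config") or {}
        for provider in cfg.get("providers", {}).values():
            # Protobuf JSON omits false booleans, so a missing key means False.
            result[provider.get("issuer", "<no issuer>")] = bool(provider.get("forward", False))
    return result

if __name__ == "__main__":
    dump = SAMPLE if sys.stdin.isatty() else json.load(sys.stdin)
    status = jwt_forwarding(dump)
    if status is None:
        print(f"{JWT_FILTER} not found in this listener dump")
    else:
        for issuer, forward in status.items():
            print(f"{issuer}: forward={forward}")
```

Pipe the JSON output of the `istioctl proxy-config listener` command above into the script to check a live gateway; with no piped input it runs on the constructed sample.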

Hi diemtvu

Thanks for your response. I looked into it in more detail. I found that on applying the selector, all the policies get generated in the productpage proxy, but it does not forward the token from ingressgateway to productpage. If I remove the selector, it works.

```yaml
apiVersion: security.istio.io/v1beta1
kind: RequestAuthentication
metadata:
  name: reqauth-istio-system
  namespace: istio-system
spec:
  selector:
    matchLabels:
      istio: ingressgateway
  jwtRules:
```

regards
S

@diemtvu what would you do if you apply the RequestAuthentication above and do the config dump and you don’t see envoy.filters.http.jwt_authn?