forwardOriginalToken: true does not work

shrishs · April 7, 2020, 2:30pm

Hi All

I am setting the following def.But somehow my token is not getting forwarded.I can see the request at ingressgateway but can not see it getting forwarded to the backedn service.

apiVersion: “security.istio.io/v1beta1”
kind: “RequestAuthentication”
metadata:
name: “jwt-example”
namespace: istio-system
spec:
selector:
matchLabels:
istio: ingressgateway
jwtRules:

issuer: http://xxxxxx…/auth/realms/istio
jwksUri: http://xxxxxx…/auth/realms/istio/protocol/openid-connect/certs
forwardOriginalToken: true

leitang · April 8, 2020, 8:26am

cc @diemtvu for JWT RequestAuthentication.

diemtvu · April 13, 2020, 4:26am

I’ve verified that it’s working fine with 1.5.0 and 1.5.1.

Can you confirm that the ingress envoy config was setup correclty. E.g, you can get the config dump with this command:

istioctl proxy-config listener istio-ingressgateway-<redacted> -n istio-system -o json --port 80

And looking for the envoy.filters.http.jwt_authn filter.

shrishs · April 13, 2020, 5:11pm

Hi diemtvu

Thanks for your response .I looked it into more details .I found that on applying selector all the policies gets generate in productpage proxy but it does not forward token from ingressgateway to productpage.If I remove the selector ,it works.

##########################################
apiVersion: security.istio.io/v1beta1
kind: RequestAuthentication
metadata:
name: reqauth-istio-system
namespace: istio-system
spec:
selector:
matchLabels:
istio: ingressgateway
jwtRules:

forwardOriginalToken: true
issuer: http://xyz.de/auth/realms/istio
jwksUri: http://xyz.de/auth/realms/istio/protocol/openid-connect/certs
##########################################

regards
S

nfickas · April 24, 2020, 7:27pm

@diemtvu what would you do if you apply the RequestAuthentication above and do the config dump and you don’t see envoy.filters.http.jwt_authn

heiniham · March 7, 2022, 9:55pm

Hi

Having similar issue in our scenario the istio-ingressgateway is not able to forward the access token to upstream sidecar. I have applied Request Authentication with forwardOriginalToken and authorization policy to external provider on istio-ingressgateway, initial authentication is successful and also see the access token on istio-ingressgateway but it is not forwarding to upstream workload and I dont see any details on the sidecar istio-proxy logs. Can you let me know if you have resolved this issue?

Thanks,
Heini

Topic		Replies	Views
RequestAuthentication is not forwarding token Security	2	1731	April 8, 2020
EnvoyFilter in ingressgateway does not seem to work Security	5	2706	January 15, 2021
Struggling with JWT auth Security	1	678	January 4, 2022
Istio JWT authentication does not seem to be working Security	7	5722	January 27, 2021
JWT Policy does not take affect! Policies and Telemetry	24	5735	February 26, 2020

forwardOriginalToken: true does not work

Related topics