Help with blacklist for jwt compromised

Hi there, is it possible to create a JWT blacklist for the scenarios below? If so, how?
1. JWT is compromised
2. User being deleted by the admin
3. Info in the JWT is updated by the admin, such as roles

I have been googling and spent the whole day reading through blogs; unfortunately, there are very few articles describing this scenario. Some mentioned resolving this issue by leveraging Mixer; nevertheless, I know the Mixer adapter is going to be deprecated soon.

We’re solving this issue using the Envoy ext_authz built-in filter type combined with a service that stores blacklisted tokens and returns a 403 if the token is invalid.
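
The revocation decision such an ext_authz service could make for the three scenarios in the question, as an added example that is not part of the original thread. It assumes the token signature and expiry are validated elsewhere in the mesh, and that tokens carry `jti`, `sub` and `iat` claims; `Denylist`, `check`, `decode_claims` and `make_token` are hypothetical names, and the sample token is constructed.

```python
import base64
import json

class Denylist:
    """In-memory revocation store (hypothetical; a real service would share state)."""

    def __init__(self):
        self.revoked_jti = {}          # jti -> exp of the revoked token
        self.deleted_subjects = set()  # sub values of deleted users
        self.claims_changed_at = {}    # sub -> epoch seconds of last role change

    def purge(self, now):
        # A revoked token is rejected on expiry anyway, so its entry can go.
        self.revoked_jti = {j: e for j, e in self.revoked_jti.items() if e > now}

def make_token(claims):
    """Build a constructed sample token with a placeholder signature."""
    enc = lambda o: base64.urlsafe_b64encode(json.dumps(o).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'RS256', 'typ': 'JWT'})}.{enc(claims)}.placeholder-sig"

def decode_claims(authorization):
    """Return the JWT payload as a dict, or None when the header is malformed."""
    try:
        scheme, token = authorization.split(" ", 1)
        payload = token.split(".")[1]
        raw = base64.urlsafe_b64decode(payload + "=" * (-len(payload) % 4))
        claims = json.loads(raw)
    except (ValueError, IndexError, AttributeError):
        return None
    return claims if scheme.lower() == "bearer" and isinstance(claims, dict) else None

def check(denylist, authorization):
    """Return the status code to answer with: 200 to allow, 403 to deny."""
    claims = decode_claims(authorization)
    if claims is None:
        return 403  # fail closed on anything that cannot be parsed
    jti, sub, iat = claims.get("jti"), claims.get("sub"), claims.get("iat")
    if not (isinstance(jti, str) and isinstance(sub, str) and isinstance(iat, (int, float))):
        return 403  # without these claims the token cannot be matched, so deny
    if jti in denylist.revoked_jti:                    # scenario 1: compromised token
        return 403
    if sub in denylist.deleted_subjects:               # scenario 2: user deleted
        return 403
    if iat < denylist.claims_changed_at.get(sub, 0):   # scenario 3: stale roles
        return 403
    return 200
```

Storing the token's `exp` next to each revoked `jti` keeps the list bounded, because `purge` can drop entries the mesh would already reject as expired.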

@YangminZhu could you take a look and share any workarounds?

You can also use AuthorizationPolicy with the DENY action. For example, you can deny a JWT token with the claim “user: admin1” on the ingress gateway with the following policy:

apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: deny-jwt
  namespace: istio-system
spec:
  selector:
    matchLabels:
      app: istio-ingressgateway
  action: DENY
  rules:
  # rules is a list; each entry may carry its own "when" conditions
  - when:
    - key: request.auth.claims[user]
      values: ["admin1"]