I have an AuthenticationPolicy implemented like this:
```yaml
apiVersion: security.istio.io/v1beta1
kind: RequestAuthentication
metadata:
  name: "jwt-example"
  namespace: istio-system
spec:
  selector:
    matchLabels:
      istio: ingressgateway
  jwtRules:
  - issuer: "firstname.lastname@example.org"
    jwksUri: "https://raw.githubusercontent.com/istio/istio/release-1.10/security/tools/jwt/samples/jwks.json"
```
By using AuthorizationPolicy I have some paths that require a valid token and some that don’t. The problem is that on some paths that don’t require a valid token, the client is sending a request with an Authorization header containing a non-JWT token (the end application will handle this token), but in this case the RequestAuthentication is returning a 401 because this non-JWT token is an invalid JWT.
I would like to know if there is a way to bypass this token validation, at least on some paths.