Is RequestAuthentication necessary on the same workload as AuthorizationPolicy that uses token metadata?


I’m finding that it’s necessary to select a workload with a RequestAuthentication in order for metadata about a jwt to be available to AuthorizationPolicies that also select that workload, is that correct? This is what I’m seeing on most examples, including in the documentation.

I had initially been under the impression I could attach the RequestAuthentication to the ingress gateway (which is sending requests on to a number of services), let it validate and then forward the original token, and attach AuthorizationPolicies to each of those individual services, which would be looking for different claims in the token metadata. However when I set things up this way, the envoy.filters.http.jwt_authn and istio_authn metadata aren’t present at the envoy proxy for the upstream services.

Selecting the upstream services with the same RequestAuthentication as on the gateway allows the AuthorizationPolicies to work as expected, but now the jwt is being validated twice, unnecessarily.

I understand that I could either do the RequestAuthentication and AuthorizationPolicies together at only the ingress gateway or only the individual services, but I do really like the idea of separation between validating jwts on requests at the ingress gateway, and allowing requests based on the jwt claims at each service.

I’m hoping to get some input around:

  • if my observations are correct and expected
  • what a generally idiomatic approach is for this.

Thanks a lot!