I am using RequestAuthentication with my internal JWT to authenticate the requests. I also have some endpoints in my microservice system which need to be exposed without authentication, so I included an AuthorizationPolicy to allow access without a valid token.
Having this working just fine, I now need to include specific AuthorizationPolicies for each microservice, so I can properly include SCOPES in my JWT and only allow access for specific users.
This is my current configuration:
```yaml
---
apiVersion: "security.istio.io/v1beta1"
kind: "RequestAuthentication"
metadata:
  name: default
  namespace: istio-system
spec:
  selector:
    matchLabels:
      istio: ingressgateway
  jwtRules:
    - issuer: "my_company"
      jwksUri: "jwks_uri"
      fromHeaders:
        - name: Authorization
          prefix: "Bearer "
      forwardOriginalToken: true
---
apiVersion: "security.istio.io/v1beta1"
kind: "AuthorizationPolicy"
metadata:
  name: default
  namespace: istio-system
spec:
  selector:
    matchLabels:
      istio: ingressgateway
  action: ALLOW
  rules:
    - when:
        - key: "request.auth.claims[iss]"
          values: ["my_company"]
    - from:
        - source:
            notRequestPrincipals: ["*"]
      to:
        - operation:
            methods: ["OPTIONS"]
```
And what I was doing to include this new extra AuthorizationPolicy is:
```yaml
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: my-microservice-authorization
  namespace: default
spec:
  selector:
    matchLabels:
      app: my-microservice-service
  action: ALLOW
  rules:
    - from:
        - source:
            requestPrincipals: ["my_company"]
      when:
        - key: "request.auth.claims[scopes]"
          values: ["CAN_DELETE"]
      to:
        - operation:
            methods: ["DELETE"]
```
The main problem is that I am able to access the specific endpoint when only using the `to` with a specific method, but I always get `RBAC: access denied` when including the `from` and/or `when`.
Is there something that I am missing?
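As an added example (not the asker's configuration), the two pieces that the per-workload policy above depends on: a RequestAuthentication that selects the workload itself, since a sidecar only populates `request.auth.*` from a JWT it has validated under a RequestAuthentication applying to that workload, and the `<iss>/<sub>` form of the request principal. Placeholder values (`my_company`, `jwks_uri`, `my-microservice-service`, `CAN_DELETE`) are reused from the question.

```yaml
# Added example: RequestAuthentication scoped to the workload, so the sidecar
# validates the token forwarded by the gateway (forwardOriginalToken: true)
# and exposes its claims to the workload's AuthorizationPolicy.
apiVersion: security.istio.io/v1beta1
kind: RequestAuthentication
metadata:
  name: my-microservice-jwt
  namespace: default
spec:
  selector:
    matchLabels:
      app: my-microservice-service
  jwtRules:
    - issuer: "my_company"
      jwksUri: "jwks_uri"   # placeholder from the question
      fromHeaders:
        - name: Authorization
          prefix: "Bearer "
---
# The request principal Istio derives from a validated JWT is "<iss>/<sub>",
# so matching on the bare issuer never succeeds; "<iss>/*" accepts any
# subject issued by my_company.
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: my-microservice-authorization
  namespace: default
spec:
  selector:
    matchLabels:
      app: my-microservice-service
  action: ALLOW
  rules:
    - from:
        - source:
            requestPrincipals: ["my_company/*"]
      to:
        - operation:
            methods: ["DELETE"]
      when:
        # Matches a string claim equal to CAN_DELETE or a list claim containing it.
        - key: request.auth.claims[scopes]
          values: ["CAN_DELETE"]
```

Because an ALLOW policy denies every request it does not match, this policy on its own also blocks non-DELETE requests to the workload; the other methods the service should serve need their own rules.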