Istio 1.5 JWT claim in AuthorizationPolicy

Hi,
I’m trying to allow access to an app only if you present a valid JWT token with a specific claim (request.auth.claims[preferred_username]).

Everything work but the conditional check: if the token is not provided I get a 403, if it’s expired i get a 401 … I would expect that if the JTW field is not preferred_username: “testuser2” I should get a 403 but actually I get a 200.

apiVersion: security.istio.io/v1beta1
kind: RequestAuthentication
metadata:
 name: backend
 namespace: default
spec:
  selector:
    matchLabels:
      app: backend
  jwtRules:
  - issuer: "${KEYCLOAK_URL}/auth/realms/istio"
    jwksUri: "${KEYCLOAK_URL}/auth/realms/istio/protocol/openid-connect/certs"
---
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
 name: backend
 namespace: default
spec:
 selector:
   matchLabels:
     app: backend
 action: ALLOW
 rules:
 - from:
   - source:
       requestPrincipals: ["*"]
   when:
    - key: request.auth.claims[preferred_username]
      values: ["testuser2"]

It looks like the part when is ignored.

What am I missing? Is this the right approach?
How do I check claims from the JWT token?

Complete deployment here: https://github.com/binc75/istio-jwt

Cheers

Hi

See the Authorization Policy Conditions from here: https://istio.io/docs/reference/config/security/conditions/

To Check the claims: https://jwt.io/

Try this:

apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
name: backend
namespace: default
spec:
selector:
matchLabels:
app: backend
action: ALLOW
rules:

  • from:
    • source:
      requestPrincipals: ["*"]
      when:
    • key: request.auth.claims[preferred_username]
      values: [“service-account-istio”]

https://github.com/binc75/istio-jwt#inspect-jtw-token here is the value.

May be this wil helpful to you.

Hi,
thank you for the hints but actually the JWT in the repo is only an example.
The one I was using it’s correct, it has:
"preferred_username": "testuser2"

Cheers and thank you again :wink:

Hi
:sweat_smile: ok ok.

you should try this one also: deny policy.

  selector:
      matchLabels:
         app: backend
  action: DENY
  rules:
    - when:
         key: request.auth.claims[preferred_username]
         notvalues: [“testuser2”]

may be this time its work.

@binc75 You should remove the part “source: requestPrincipals: [”*"]" because that will allow all end user traffic.

action: ALLOW
 rules:
 - from:
   - when:
      - key: request.auth.claims[preferred_username]
        values: ["testuser2"]

Or if you want to only allow traffic from preferred user “testuser2”, you can use deny policy as @Shubham suggested.

cc @YangminZhu

Shubham,
no luck :frowning:

 # Add a request authentication policy that requires end-user JWT
# if JWT not valid or expired = 401
apiVersion: security.istio.io/v1beta1
kind: RequestAuthentication
metadata:
 name: backend
 namespace: default
spec:
  selector:
    matchLabels:
      app: backend
  jwtRules:
  - issuer: "${KEYCLOAK_URL}/auth/realms/istio"
    jwksUri: "${KEYCLOAK_URL}/auth/realms/istio/protocol/openid-connect/certs"
---
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
 name: backend
 namespace: default
spec:
 selector:
   matchLabels:
     app: backend
 action: DENY
 rules:
   - when:
     key: request.auth.claims[preferred_username]
     notvalues: ["testuser2"]

All the requests now gets a 403 Forbidden, with or without “testuser2” in the claim.
Cheers

PS: on the git repo i left a brach with your suggestion named “issue-w-claims” @Shubham

@liminwang your suggestion it’s working!
Now I’m trying to discriminate access through the claim “realm_access.roles” … I’ll let you know if I find a solution.

Right now I’m here but it’s not working:

apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
 name: backend
 namespace: default
spec:
 selector:
   matchLabels:
     app: backend
 action: ALLOW
 rules:
 - from:
   when:
    - key: request.auth.claims[realm_access][roles]
      values: ["backendaccess"]

Cheers

Hi Binc75

I am also hitting the some sort of related problem .I have some success but not exactly what I wan to do.

Please see it here.

Unfortunately the syntax request.auth.claims[realm_access][roles] is not supported, currently we only support the basic request.auth.claims[some-claim] format.

Feel free to file a feature request for this on github if you think you this is valid use cases for you. Thanks.

1 Like