binc75
March 31, 2020, 1:19pm
1
Hi,
I'm trying to allow access to an app only if you present a valid JWT token with a specific claim (`request.auth.claims[preferred_username]`).
Everything works except the conditional check: if the token is not provided I get a 403, if it's expired I get a 401 … I would expect that if the JWT field is not `preferred_username: "testuser2"` I should get a 403, but actually I get a 200.
```yaml
apiVersion: security.istio.io/v1beta1
kind: RequestAuthentication
metadata:
  name: backend
  namespace: default
spec:
  selector:
    matchLabels:
      app: backend
  jwtRules:
  - issuer: "${KEYCLOAK_URL}/auth/realms/istio"
    jwksUri: "${KEYCLOAK_URL}/auth/realms/istio/protocol/openid-connect/certs"
---
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: backend
  namespace: default
spec:
  selector:
    matchLabels:
      app: backend
  action: ALLOW
  rules:
  - from:
    - source:
        requestPrincipals: ["*"]
    when:
    - key: request.auth.claims[preferred_username]
      values: ["testuser2"]
```
It looks like the `when` part is ignored.
What am I missing? Is this the right approach?
How do I check claims from the JWT token?
Complete deployment here: https://github.com/binc75/istio-jwt
Cheers
Hi
See the Authorization Policy Conditions here: https://istio.io/docs/reference/config/security/conditions/
To check the claims: https://jwt.io/
Try this:
```yaml
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: backend
  namespace: default
spec:
  selector:
    matchLabels:
      app: backend
  action: ALLOW
  rules:
  - from:
    - source:
        requestPrincipals: ["*"]
    when:
    - key: request.auth.claims[preferred_username]
      values: ["service-account-istio"]
```
Here is the value: https://github.com/binc75/istio-jwt#inspect-jtw-token
Maybe this will be helpful to you.
binc75
April 2, 2020, 8:04am
3
Hi,
thank you for the hints, but actually the JWT in the repo is only an example.
The one I was using is correct; it has:
`"preferred_username": "testuser2"`
Cheers and thank you again
Hi
OK, ok.
You should also try this one: a deny policy.
```yaml
  selector:
    matchLabels:
      app: backend
  action: DENY
  rules:
  - when:
    - key: request.auth.claims[preferred_username]
      notValues: ["testuser2"]
```
Maybe this time it works.
@binc75 You should remove the part `source: requestPrincipals: ["*"]` because that will allow all end user traffic.
```yaml
  action: ALLOW
  rules:
  - from:
    when:
    - key: request.auth.claims[preferred_username]
      values: ["testuser2"]
```
Or if you want to allow traffic only from the preferred user "testuser2", you can use a deny policy as @Shubham suggested.
cc @YangminZhu
binc75
April 4, 2020, 3:48pm
6
Shubham,
no luck
```yaml
# Add a request authentication policy that requires end-user JWT
# if JWT not valid or expired = 401
apiVersion: security.istio.io/v1beta1
kind: RequestAuthentication
metadata:
  name: backend
  namespace: default
spec:
  selector:
    matchLabels:
      app: backend
  jwtRules:
  - issuer: "${KEYCLOAK_URL}/auth/realms/istio"
    jwksUri: "${KEYCLOAK_URL}/auth/realms/istio/protocol/openid-connect/certs"
---
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: backend
  namespace: default
spec:
  selector:
    matchLabels:
      app: backend
  action: DENY
  rules:
  - when:
    - key: request.auth.claims[preferred_username]
      notValues: ["testuser2"]
```
All the requests now get a 403 Forbidden, with or without "testuser2" in the claim.
Cheers
PS: on the git repo I left a branch with your suggestion, named "issue-w-claims" @Shubham
binc75
April 4, 2020, 4:12pm
7
@liminwang your suggestion is working!
Now I'm trying to discriminate access through the claim "realm_access.roles" … I'll let you know if I find a solution.
Right now I'm here, but it's not working:
```yaml
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: backend
  namespace: default
spec:
  selector:
    matchLabels:
      app: backend
  action: ALLOW
  rules:
  - from:
    when:
    - key: request.auth.claims[realm_access][roles]
      values: ["backendaccess"]
```
Cheers
Hi Binc75
I am also hitting some sort of related problem. I have had some success, but not exactly what I want to do.
Please see it here.
Hi All
I am setting the following definition.
```yaml
apiVersion: "security.istio.io/v1beta1"
kind: "RequestAuthentication"
metadata:
  name: "jwt-example"
  namespace: istio-system
spec:
  selector:
    matchLabels:
      istio: ingressgateway
  jwtRules:
  - issuer: http://xxxxxx …/auth/realms/istio
    jwksUri: http://xxxxxx …/auth/realms/istio/protocol/openid-connect/certs
    forwardOriginalToken: true
---
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: frontend-ingress
  namespace: istio-sy…
```
Unfortunately the syntax `request.auth.claims[realm_access][roles]` is not supported; currently we only support the basic `request.auth.claims[some-claim]` format.
Feel free to file a feature request for this on GitHub if you think this is a valid use case for you. Thanks.
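The thread points to jwt.io for inspecting claims; the following is an added example (not part of the original thread, nor Istio code) that does the same inspection locally: it decodes a constructed token carrying the `preferred_username` and `realm_access.roles` claims discussed above and evaluates a `values` / `notValues` condition against a claim, including the nested path that the `request.auth.claims[...]` syntax cannot express. The issuer, signature and `get_claim` dotted-path convention are all constructed assumptions of this helper.

```python
import base64
import json

# Constructed sample: payload mirrors the Keycloak claims discussed in the thread.
# Issuer is a placeholder and the signature is fake; this helper decodes, never verifies.
_HEADER = {"alg": "RS256", "typ": "JWT", "kid": "constructed-kid"}
_PAYLOAD = {
    "iss": "https://keycloak.example/auth/realms/istio",
    "preferred_username": "testuser2",
    "realm_access": {"roles": ["backendaccess", "offline_access"]},
}

def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")

def _b64url_decode(segment: str) -> bytes:
    segment += "=" * (-len(segment) % 4)  # JWT segments omit '=' padding
    return base64.urlsafe_b64decode(segment)

def make_sample_token() -> str:
    header = _b64url_encode(json.dumps(_HEADER).encode())
    payload = _b64url_encode(json.dumps(_PAYLOAD).encode())
    return ".".join([header, payload, _b64url_encode(b"fake-signature")])

def decode_jwt(token: str):
    """Return (header, payload); signature is NOT checked (RequestAuthentication does that)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected three dot-separated JWT segments")
    return json.loads(_b64url_decode(parts[0])), json.loads(_b64url_decode(parts[1]))

def get_claim(payload: dict, path: str):
    """Resolve 'preferred_username' or a dotted nested path like 'realm_access.roles'."""
    node = payload
    for part in path.split("."):
        if not isinstance(node, dict) or part not in node:
            return None
        node = node[part]
    return node

def condition_matches(payload: dict, path: str, values=None, not_values=None) -> bool:
    """Approximate a 'when' condition: values matches if any element is listed, notValues if none is."""
    claim = get_claim(payload, path)
    present = claim if isinstance(claim, list) else ([] if claim is None else [claim])
    if values is not None:
        return any(v in values for v in present)
    if not_values is not None:
        return not any(v in not_values for v in present)
    raise ValueError("specify values or not_values")
```

Decoding locally also keeps real bearer tokens out of a third-party browser tool while you debug the policy.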