Istio 1.7 - JWT authentication policy problem

KyleB · September 4, 2020, 8:28pm

I want to configure a JWT Authentication policy that embeds the JWT verifying public key using “jwks” instead of “jwksUri”.
I used the below - just updated the one that Istio’s Authentication task to change the jwksUrl to jwks. The actual public key is same as what is provided at ‘https://raw.githubusercontent.com/istio/istio/release-1.7/security/tools/jwt/samples/jwks.json’. I just put it in jwks format.

apiVersion: "security.istio.io/v1beta1"
kind: "RequestAuthentication"
metadata:
  name: "jwt-auth-istio-embedkey"
  namespace: istio-system
spec:
  selector:
    matchLabels:
      istio: ingressgateway
  jwtRules:
    - issuer: "testing@secure.istio.io"
      jwks: "eyAia2V5cyI6WyB7ImUiOiJBUUFCIiwia2lkIjoiREhGYnBvSVVxclk4dDJ6cEEycVhmQ21yNVZPNVpFcjRSekhVXy1lbnZ2USIsImt0eSI6IlJTQSIsIm4iOiJ4QUU3ZUI2cXVnWHlDQUczeWhoN3BrRGtUNjVwSHltWC1QN0tmSXVwamY1OXZzZG85MWJTUDlDOEgwN3BTQUdRTzFNVl94Rmo5VnN3Z3NDZzRSNm90bWc1UFYySGU5NWxaZEh0T2NVNURYSWdfcGJoTGRLWGJpNjZHbFZlSzZBQlpPVVczV1l0bk5IRC05MWdWdW9lSlRfRHd0R0djcDRpZ25rZ1hma2lFbTRzdy00c2ZiNHFkdDVvTGJ5VnBtVzZ4OWNmYTd2czJXVGZVUmlDckJvVXFnQm9fLTRXVGlVTG1tSFNHWkhPanp3YThXdHJ0T1FHc0FGaklibm84NWpwNk1uR0dHWlBZWmJEQWFfYjN5NXUtWXBXN3lwWnJ2RDhCZ3RLVmpndFFnWmhMQUdlek10MHVhM0RSclduS3FUWjBCSl9FeXhPR3VISnJMc24wMGZuTVEifV19"

The above jwks content conforms to JWKS format from what I can tell.

However when I attempt to access the /headers using an invalid token as below, it still returns 200.

curl --header "Authorization: Bearer deadbeef" "$INGRESS_HOST:$INGRESS_PORT/headers" -s -o /dev/null -w "%{http_code}\n"

The INGRESS_HOST, INGRESS_PORT are set correctly. If I just change the authentication to refer the public key using jwksUrl then it works as expected. Meaning it will fail with 401 code when presented with an invalid token as above.

Any idea of what might be wrong? Or is there a known problem.

KyleB · September 8, 2020, 6:34pm

I forgot to mention that I am testing this with minikube.

My question: Are authentication policies with public keys in JWKS format supported? I tried this in Azure cluster as well but see same results.

Any help will appreciate or I should just forget that and always specify keys using jwksUrl?

K

William_Li · September 9, 2020, 1:57am

have you try to remove the selector expose this requestauthentication not only to ingressgateway

William_Li · September 9, 2020, 2:12am

also i think on the example the jwtRules use the jwksUri as (https://raw.githubusercontent.com/istio/istio/release-1.7/security/tools/jwt/samples/jwks.json)

it is a json type different from what you set

KyleB · September 9, 2020, 5:05pm

I kept the jwks form of key reference in the policy (in my original post) and removed the selector to not limit the requestauthentication to ingressgateway.
Result: No change in behavior. It still returns 200 when accessed using an invalid JWT token.
The jwks content in my policy is actually identical to the jwks.json you referred above. Mine is base64 encoded form of it. Without that it is impossible to specify above json since it has many double quotes (") in it and from what I know all values are supposed to be strings. If there is a different way to encode the above json (inside jwks) can you please share the complete policy that I can try?

thx

William_Li · September 9, 2020, 9:19pm

@YangminZhu @incfly could you take a look at this? Is this a potential bug?

senthilrch · September 21, 2020, 7:17am

I am facing the same issue. Using Istio v1.7.0

YangminZhu · September 23, 2020, 12:13am

@KyleB @senthilrch You should include the same jwks.json content in the jwks field (do not base64 it), this is supported in yaml by using the | syntax, see example below

apiVersion: "security.istio.io/v1beta1"
kind: "RequestAuthentication"
metadata:
  name: "jwt-example"
  namespace: istio-system
spec:
  selector:
    matchLabels:
      istio: ingressgateway
  jwtRules:
  - issuer: "testing@secure.istio.io"
    jwks: |
      { "keys":[ {"e":"AQAB","kid":"DHFbpoIUqrY8t2zpA2qXfCmr5VO5ZEr4RzHU_-envvQ","kty":"RSA","n":"xAE7eB6qugXyCAG3yhh7pkDkT65pHymX-P7KfIupjf59vsdo91bSP9C8H07pSAGQO1MV_xFj9VswgsCg4R6otmg5PV2He95lZdHtOcU5DXIg_pbhLdKXbi66GlVeK6ABZOUW3WYtnNHD-91gVuoeJT_DwtGGcp4ignkgXfkiEm4sw-4sfb4qdt5oLbyVpmW6x9cfa7vs2WTfURiCrBoUqgBo_-4WTiULmmHSGZHOjzwa8WtrtOQGsAFjIbno85jp6MnGGGZPYZbDAa_b3y5u-YpW7ypZrvD8BgtKVjgtQgZhLAGezMt0ua3DRrWnKqTZ0BJ_EyxOGuHJrLsn00fnMQ"}]}

senthilrch · September 23, 2020, 9:04am

@YangminZhu, thanks for the response. will check it out.

Senthil.

Topic		Replies	Views
Istio set token claims as header to upstream Security security	1	1542	July 11, 2022
Configuring JWT with requestauthentication does not work in istio 1.5	2	1816	June 23, 2021
Istio JWT authentication does not seem to be working Security	7	5739	January 27, 2021
Istio 1.3.3 Failed to fetch public key from "https://url/jwks.json": Get https://xxx/jwks.json: x509: certificate signed by unknown authority Policies and Telemetry security	1	858	August 5, 2020
Jwt Authentication for a specific service results in "upstream connect error or disconnect/reset before headers" Security	8	3308	June 19, 2019

Istio 1.7 - JWT authentication policy problem

Related topics