I want to configure a JWT Authentication policy that embeds the JWT verifying public key using “jwks” instead of “jwksUri”.
I used the below; I just took the one from Istio's Authentication task and changed jwksUri to jwks. The actual public key is the same as the one provided at ‘https://raw.githubusercontent.com/istio/istio/release-1.7/security/tools/jwt/samples/jwks.json’. I just put it in jwks format.
apiVersion: "security.istio.io/v1beta1"
kind: "RequestAuthentication"
metadata:
  name: "jwt-auth-istio-embedkey"
  namespace: istio-system
spec:
  selector:
    matchLabels:
      istio: ingressgateway
  jwtRules:
  - issuer: "testing@secure.istio.io"
    jwks: "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"
The above jwks content conforms to JWKS format from what I can tell.
However, when I attempt to access /headers using an invalid token as below, it still returns 200.
curl --header "Authorization: Bearer deadbeef" "$INGRESS_HOST:$INGRESS_PORT/headers" -s -o /dev/null -w "%{http_code}\n"
INGRESS_HOST and INGRESS_PORT are set correctly. If I just change the authentication to refer to the public key using jwksUri, then it works as expected, meaning it fails with a 401 code when presented with an invalid token as above.
Any idea what might be wrong? Or is there a known problem?
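A check worth running before applying a policy like the one above: confirm that the string you are about to embed in the `jwks` field actually parses as a JWKS and that each key carries the parameters Istio needs to verify a signature, and produce a YAML scalar that survives the quoting of a JSON document pasted into a YAML file. The script below is an added example written for this thread, not code from the original post or from the Istio project. The sample JWKS it contains is constructed (the RSA modulus is a dummy base64url value, not the key from the istio/istio samples), and the function names are this example's own.

```python
"""Validate an inline JWKS string and render it as a YAML scalar.

Added example for this thread, not part of the original post or of Istio.
SAMPLE_JWKS is constructed: the modulus 'n' is a dummy value, not a real key.
"""
import base64
import json

# Constructed sample JWKS in the shape a RequestAuthentication `jwks` field expects.
SAMPLE_JWKS = json.dumps({
    "keys": [{
        "kty": "RSA",
        "kid": "example-kid",      # constructed
        "use": "sig",
        "alg": "RS256",
        "n": "AJ3uKSP5Jk7FhGhP0wN6bKn0RYAzZPAcUyWs5Gyqcc0",  # dummy modulus
        "e": "AQAB",
    }]
})


def _b64url_decode(value: str) -> bytes:
    """Decode base64url without padding, the encoding JWK parameters use."""
    padding = "=" * (-len(value) % 4)
    return base64.urlsafe_b64decode(value + padding)


def validate_jwks(jwks_text: str) -> list:
    """Return a list of problems found in a JWKS string; [] means it looks usable.

    Checks: valid JSON, a non-empty top-level 'keys' array, a supported 'kty',
    the parameters required for that key type, and that 'use' (if present) is 'sig'.
    """
    try:
        doc = json.loads(jwks_text)
    except json.JSONDecodeError as exc:
        return [f"not valid JSON: {exc.msg} at offset {exc.pos}"]
    keys = doc.get("keys") if isinstance(doc, dict) else None
    if not isinstance(keys, list) or not keys:
        return ["top-level object must contain a non-empty 'keys' array"]

    required = {"RSA": ("n", "e"), "EC": ("crv", "x", "y")}
    problems = []
    for i, key in enumerate(keys):
        if not isinstance(key, dict):
            problems.append(f"keys[{i}]: entry is not a JSON object")
            continue
        kty = key.get("kty")
        if kty not in required:
            problems.append(f"keys[{i}]: unsupported or missing kty {kty!r}")
            continue
        for param in required[kty]:
            if param not in key:
                problems.append(f"keys[{i}]: {kty} key missing '{param}'")
            elif param != "crv":
                try:
                    _b64url_decode(key[param])
                except (ValueError, TypeError):
                    problems.append(f"keys[{i}]: '{param}' is not base64url")
        if key.get("use") not in (None, "sig"):
            problems.append(f"keys[{i}]: 'use' is {key['use']!r}, expected 'sig'")
    return problems


def yaml_single_quoted(text: str) -> str:
    """Render text as a YAML single-quoted scalar.

    JSON is full of double quotes, so a double-quoted YAML scalar needs every one
    escaped; a single-quoted scalar only needs embedded single quotes doubled.
    """
    return "'" + text.replace("'", "''") + "'"


if __name__ == "__main__":
    problems = validate_jwks(SAMPLE_JWKS)
    print("problems:", problems or "none")
    print("    jwks:", yaml_single_quoted(SAMPLE_JWKS))
```

Run it against the JSON you intend to embed (or read the `jwks` value back out of the applied resource with `kubectl get requestauthentication -n istio-system -o yaml` and feed that string in) to confirm the control plane received the same document that `jwksUri` would have served.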