Istio 1.7 - JWT authentication policy problem

I want to configure a JWT Authentication policy that embeds the JWT verifying public key using “jwks” instead of “jwksUri”.
I used the below: I just took the one from Istio's Authentication task and changed jwksUri to jwks. The actual public key is the same as what is provided at ‘https://raw.githubusercontent.com/istio/istio/release-1.7/security/tools/jwt/samples/jwks.json’. I just put it in jwks format.

apiVersion: "security.istio.io/v1beta1"
kind: "RequestAuthentication"
metadata:
  name: "jwt-auth-istio-embedkey"
  namespace: istio-system
spec:
  selector:
    matchLabels:
      istio: ingressgateway
  jwtRules:
    - issuer: "testing@secure.istio.io"
      jwks: "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"

The above jwks content conforms to JWKS format from what I can tell.

However, when I attempt to access /headers using an invalid token as below, it still returns 200.

curl --header "Authorization: Bearer deadbeef" "$INGRESS_HOST:$INGRESS_PORT/headers" -s -o /dev/null -w "%{http_code}\n"

INGRESS_HOST and INGRESS_PORT are set correctly. If I just change the authentication to refer to the public key using jwksUri, then it works as expected, meaning it fails with a 401 code when presented with an invalid token as above.

Any idea of what might be wrong? Or is there a known problem?


I forgot to mention that I am testing this with minikube.

My question: Are authentication policies with public keys in JWKS format supported? I tried this in an Azure cluster as well but see the same results.

Any help will be appreciated, or should I just forget that and always specify keys using jwksUri?

K

Have you tried removing the selector, so that this RequestAuthentication is not exposed only to the ingressgateway?

Also, I think in the example the jwtRules use the jwksUri as (https://raw.githubusercontent.com/istio/istio/release-1.7/security/tools/jwt/samples/jwks.json).

It is a JSON type, different from what you set.

  1. I kept the jwks form of key reference in the policy (in my original post) and removed the selector so as not to limit the RequestAuthentication to the ingressgateway.
    Result: No change in behavior. It still returns 200 when accessed using an invalid JWT token.

  2. The jwks content in my policy is actually identical to the jwks.json you referred to above. Mine is the base64-encoded form of it. Without that it is impossible to specify the above JSON, since it has many double quotes (") in it and, from what I know, all values are supposed to be strings. If there is a different way to encode the above JSON (inside jwks), can you please share the complete policy so that I can try it?

thx

@YangminZhu @incfly could you take a look at this? Is this a potential bug?

I am facing the same issue. Using Istio v1.7.0

@KyleB @senthilrch You should include the same jwks.json content in the jwks field (do not base64 it); this is supported in YAML by using the | syntax. See the example below:

apiVersion: "security.istio.io/v1beta1"
kind: "RequestAuthentication"
metadata:
  name: "jwt-example"
  namespace: istio-system
spec:
  selector:
    matchLabels:
      istio: ingressgateway
  jwtRules:
  - issuer: "testing@secure.istio.io"
    jwks: |
      { "keys":[ {"e":"AQAB","kid":"DHFbpoIUqrY8t2zpA2qXfCmr5VO5ZEr4RzHU_-envvQ","kty":"RSA","n":"xAE7eB6qugXyCAG3yhh7pkDkT65pHymX-P7KfIupjf59vsdo91bSP9C8H07pSAGQO1MV_xFj9VswgsCg4R6otmg5PV2He95lZdHtOcU5DXIg_pbhLdKXbi66GlVeK6ABZOUW3WYtnNHD-91gVuoeJT_DwtGGcp4ignkgXfkiEm4sw-4sfb4qdt5oLbyVpmW6x9cfa7vs2WTfURiCrBoUqgBo_-4WTiULmmHSGZHOjzwa8WtrtOQGsAFjIbno85jp6MnGGGZPYZbDAa_b3y5u-YpW7ypZrvD8BgtKVjgtQgZhLAGezMt0ua3DRrWnKqTZ0BJ_EyxOGuHJrLsn00fnMQ"}]}
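The two failure modes discussed in this thread (a base64-encoded JWKS that Envoy silently cannot use, versus the raw JSON pasted under `jwks: |`) are easy to catch before the policy is applied. The following checker is an added example for this thread, not Istio's own code or tooling. It assumes the RequestAuthentication manifest has already been parsed into a Python dict (for instance with PyYAML's yaml.safe_load, not shown here) and walks spec.jwtRules, classifying each jwks value as inline JWKS JSON, base64-encoded JSON (the pitfall from the original post), or something that is not a JWKS document at all; for RSA keys it also reports the modulus size. The JWKS constant is the key from the answer above; the base64 variant and the two policy dicts are constructed for the example.

```python
"""Checker for the `jwks` field of an Istio RequestAuthentication.

Added example for this discussion, not Istio's own code. It assumes the
manifest has already been loaded into a dict (e.g. with yaml.safe_load).
"""
import base64
import binascii
import json

# JWKS from the accepted answer (same key as Istio's sample jwks.json).
SAMPLE_JWKS = (
    '{ "keys":[ {"e":"AQAB","kid":"DHFbpoIUqrY8t2zpA2qXfCmr5VO5ZEr4RzHU_-envvQ",'
    '"kty":"RSA","n":"xAE7eB6qugXyCAG3yhh7pkDkT65pHymX-P7KfIupjf59vsdo91bSP9C8H07pSAGQO1MV_'
    'xFj9VswgsCg4R6otmg5PV2He95lZdHtOcU5DXIg_pbhLdKXbi66GlVeK6ABZOUW3WYtnNHD-91gVuoeJT_'
    'DwtGGcp4ignkgXfkiEm4sw-4sfb4qdt5oLbyVpmW6x9cfa7vs2WTfURiCrBoUqgBo_-4WTiULmmHSGZHOjzwa8'
    'WtrtOQGsAFjIbno85jp6MnGGGZPYZbDAa_b3y5u-YpW7ypZrvD8BgtKVjgtQgZhLAGezMt0ua3DRrWnKqTZ0BJ_'
    'EyxOGuHJrLsn00fnMQ"}]}'
)
# Constructed: the same document base64-encoded, as in the original post.
BASE64_JWKS = base64.b64encode(SAMPLE_JWKS.encode()).decode()

# Constructed policies, shaped like the manifests in this thread after YAML parsing.
GOOD_POLICY = {
    "apiVersion": "security.istio.io/v1beta1",
    "kind": "RequestAuthentication",
    "spec": {"jwtRules": [{"issuer": "testing@secure.istio.io", "jwks": SAMPLE_JWKS}]},
}
BAD_POLICY = {
    "apiVersion": "security.istio.io/v1beta1",
    "kind": "RequestAuthentication",
    "spec": {"jwtRules": [{"issuer": "testing@secure.istio.io", "jwks": BASE64_JWKS}]},
}


def _is_jwks(doc) -> bool:
    """A JWKS is a JSON object whose 'keys' member is an array (RFC 7517)."""
    return isinstance(doc, dict) and isinstance(doc.get("keys"), list)


def _b64url_decode(s: str) -> bytes:
    """Decode the unpadded base64url used for JWK parameters such as 'n'."""
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def classify_jwks(value: str) -> str:
    """Return 'jwks', 'base64-jwks' or 'invalid' for a jwks field value."""
    try:
        if _is_jwks(json.loads(value)):
            return "jwks"
    except (TypeError, ValueError):
        pass
    # The pitfall from the original post: the bytes decode to a JWKS document.
    try:
        if _is_jwks(json.loads(base64.b64decode(value, validate=True))):
            return "base64-jwks"
    except (ValueError, binascii.Error, UnicodeDecodeError):
        pass
    return "invalid"


def rsa_modulus_bits(jwk: dict) -> int:
    """Bit length of an RSA JWK modulus, decoded from its base64url 'n'."""
    return int.from_bytes(_b64url_decode(jwk["n"]), "big").bit_length()


def check_policy(policy: dict) -> list:
    """Return one finding string per key or per problem in spec.jwtRules."""
    findings = []
    for i, rule in enumerate(policy.get("spec", {}).get("jwtRules", [])):
        who = f"rule {i} ({rule.get('issuer', '<no issuer>')})"
        if "jwks" not in rule:
            findings.append(f"{who}: keys fetched from jwksUri" if "jwksUri" in rule
                            else f"{who}: neither jwks nor jwksUri set")
            continue
        kind = classify_jwks(rule["jwks"])
        if kind == "base64-jwks":
            findings.append(f"{who}: jwks is base64-encoded; paste the raw JSON under 'jwks: |' instead")
        elif kind == "invalid":
            findings.append(f"{who}: jwks is not a JWKS document")
        else:
            for jwk in json.loads(rule["jwks"])["keys"]:
                kid = jwk.get("kid", "<no kid>")
                if jwk.get("kty") == "RSA":
                    bits = rsa_modulus_bits(jwk)
                    findings.append(f"{who}: RSA key {kid} {bits}-bit {'ok' if bits >= 2048 else 'weak'}")
                else:
                    findings.append(f"{who}: key {kid} kty={jwk.get('kty')}")
    return findings


if __name__ == "__main__":
    for name, policy in (("good", GOOD_POLICY), ("bad", BAD_POLICY)):
        for line in check_policy(policy):
            print(f"{name}: {line}")
```

Run it as a script to see both policies reported; the base64 variant is flagged with the fix from the answer above, while the inline variant is accepted and its 2048-bit RSA key listed. Envoy's JWT filter only matches a token against keys it can parse, so a policy whose jwks is not a JWKS document is the kind of misconfiguration worth catching in CI rather than discovering from an unexpected 200.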

@YangminZhu, thanks for the response. Will check it out.

  • Senthil.