Istio authentication with Firebase


#1

I am trying to authenticate requests with Firebase.

First, I configured my application using the example below:

apiVersion: "authentication.istio.io/v1alpha1"
kind: "Policy"
metadata:
  name: "firebase-auth"
spec:
  targets:
  - name: helloworld
  origins:
  - jwt:
      issuer: "testing@secure.istio.io"
      jwksUri: "https://raw.githubusercontent.com/istio/istio/release-1.0/security/tools/jwt/samples/jwks.json"
  principalBinding: USE_ORIGIN

This works great! Then I updated to the Google Firebase configuration (my project ID is aura-dev):

apiVersion: "authentication.istio.io/v1alpha1"
kind: "Policy"
metadata:
  name: "firebase-auth"
spec:
  targets:
  - name: helloworld
  origins:
  - jwt:
      issuer: "https://securetoken.google.com/aura-dev"
      jwksUri: "https://www.googleapis.com/robot/v1/metadata/x509/securetoken@system.gserviceaccount.com"
  principalBinding: USE_ORIGIN

Doing so, I am getting the following error message in the Istio proxy:

[helloworld-6747c96bc7-j2vsh istio-proxy] [2019-01-24 06:02:59.729][18][warning][filter] ./src/envoy/http/jwt_auth/pubkey_cache.h:84] Invalid inline jwks for issuer: https://securetoken.google.com/aura-dev, jwks: {
[helloworld-6747c96bc7-j2vsh istio-proxy]   "91fc60858e1c4133c82216d53dd179fa41f8430c": "-----BEGIN CERTIFICAT

It seems it is failing to read the certificate?


#2

It seems like the Istio proxy is still reading the old JWKS from the local cache. Could you please redeploy the pod in question to get a fresh cache and retest to confirm that?


#3

Hi there, I’m getting the same error while trying to configure Firebase auth. After installing the issuer and jwksUri, I’m removing the istio-proxy container and the application container, so the ReplicaSet started new ones. But there is no luck.


#4

Hmm, could you please enable trace logging on the proxy in question?

$ kubectl -n $NAMESPACE exec -it -c istio-proxy $POD_NAME -- curl http://localhost:15000/logging?level=trace

Then retest and post the logs. It may give more information about the root cause of the issue.


#5

Received an answer on GitHub:

This issue is closed as expected behavior: the format of the jwks acceptable for Istio proxy is defined by the standard https://tools.ietf.org/html/rfc7517; the key in the failing config is not of the jwks format in rfc7517.


#6

I found the valid file for Firebase for the certificate:

issuer: "https://securetoken.google.com/aura-dev"
jwksUri: "https://www.googleapis.com/service_accounts/v1/jwk/securetoken@system.gserviceaccount.com"
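The root cause in #5 and the fix in #6 come down to the shape of the document served at jwksUri: Istio's JWT filter accepts only an RFC 7517 JWK Set (`{"keys": [...]}`), while the `.../metadata/x509/...` endpoint returns a `kid` to PEM-certificate map. The following added example (not part of this thread or of Istio) checks which format a fetched key document is in before it goes into a Policy; the two sample documents are constructed, with placeholder key material.

```python
"""Classify a key document fetched from a jwksUri as RFC 7517 JWKS or not.

Istio's Envoy JWT filter rejects anything that is not {"keys": [{"kty": ...}]}
with "Invalid inline jwks", which is exactly the error seen in post #1.
"""
import json

# Constructed sample of the kid -> PEM map served by the x509 endpoint (posts #1/#5).
X509_MAP_SAMPLE = json.dumps({
    "91fc60858e1c4133c82216d53dd179fa41f8430c":
        "-----BEGIN CERTIFICATE-----\nPLACEHOLDER\n-----END CERTIFICATE-----\n",
})

# Constructed sample of an RFC 7517 JWK Set, the shape the /jwk/ endpoint in post #6 serves.
JWKS_SAMPLE = json.dumps({
    "keys": [
        {"kty": "RSA", "alg": "RS256", "use": "sig",
         "kid": "91fc60858e1c4133c82216d53dd179fa41f8430c",
         "n": "PLACEHOLDER-MODULUS", "e": "AQAB"},
    ]
})

# Minimum parameters a JWK must carry per key type (RFC 7517 / RFC 7518).
REQUIRED_JWK_FIELDS = {"RSA": {"n", "e"}, "EC": {"crv", "x", "y"}}


def classify_key_document(text: str) -> str:
    """Return 'jwks', 'x509-map' or 'invalid' for the body served at a jwksUri."""
    try:
        doc = json.loads(text)
    except json.JSONDecodeError:
        return "invalid"
    if not isinstance(doc, dict):
        return "invalid"
    keys = doc.get("keys")
    if isinstance(keys, list) and keys:
        for k in keys:
            kty = k.get("kty") if isinstance(k, dict) else None
            if kty not in REQUIRED_JWK_FIELDS or not REQUIRED_JWK_FIELDS[kty].issubset(k):
                return "invalid"
        return "jwks"
    # No "keys" member and every value is a PEM certificate: the x509 map format.
    if doc and all(isinstance(v, str) and v.startswith("-----BEGIN CERTIFICATE-----")
                   for v in doc.values()):
        return "x509-map"
    return "invalid"


def find_signing_key(text: str, kid: str):
    """Return the JWK whose kid matches a token header's kid, or None if not a JWK Set."""
    if classify_key_document(text) != "jwks":
        return None
    return next((k for k in json.loads(text)["keys"] if k.get("kid") == kid), None)
```

Pointing a Policy at a URL whose body classifies as "x509-map" reproduces the "Invalid inline jwks" warning from post #1; only a "jwks" document will let the proxy resolve the token's kid.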