Jerome
January 24, 2019, 6:10am
1
I am trying to authenticate requests with Firebase.
First, I configured my application using the example below:
apiVersion: "authentication.istio.io/v1alpha1"
kind: "Policy"
metadata:
  name: "firebase-auth"
spec:
  targets:
  - name: helloworld
  origins:
  - jwt:
      issuer: "testing@secure.istio.io"
      jwksUri: "https://raw.githubusercontent.com/istio/istio/release-1.0/security/tools/jwt/samples/jwks.json"
  principalBinding: USE_ORIGIN
This works great! Then I updated to the Google Firebase configuration (my project ID is aura-dev)
apiVersion: "authentication.istio.io/v1alpha1"
kind: "Policy"
metadata:
  name: "firebase-auth"
spec:
  targets:
  - name: helloworld
  origins:
  - jwt:
      issuer: "https://securetoken.google.com/aura-dev"
      jwksUri: "https://www.googleapis.com/robot/v1/metadata/x509/securetoken@system.gserviceaccount.com"
  principalBinding: USE_ORIGIN
Doing so, I am getting the following error message in the Istio proxy:
[helloworld-6747c96bc7-j2vsh istio-proxy] [2019-01-24 06:02:59.729][18][warning][filter] ./src/envoy/http/jwt_auth/pubkey_cache.h:84] Invalid inline jwks for issuer: https://securetoken.google.com/aura-dev, jwks: {
[helloworld-6747c96bc7-j2vsh istio-proxy] "91fc60858e1c4133c82216d53dd179fa41f8430c": "-----BEGIN CERTIFICAT
It seems it is failing reading the certificate?
rafik8
January 24, 2019, 11:37am
2
It seems like Istio proxy is still reading the old jwks from the local cache. Could you please re-deploy the concerned pod to get a fresh cache and retest to confirm that?
Hi there, I’m getting the same error while trying to configure firebase auth. After installing the issuer and jwksUri, I’m removing the istio-proxy container and container with application, so the ReplicaSet started the new ones. But there is no luck.
rafik8
January 24, 2019, 3:32pm
4
Humm, could you please enable trace logging on the concerned proxy?
$ kubectl -n $NAMESPACE exec -it -c istio-proxy $POD_NAME -- curl http://localhost:15000/logging?level=trace
Then retest and post the logs. It may throw more information about the root of the issue.
Jerome
January 24, 2019, 8:13pm
5
Received an answer on github
I created the policy like following:
apiVersion: "authentication.istio.io/v1alpha1"
kind: "Policy"
metadata:
  name: "jwt-example2"
spec:
  targets:
  - name: httpbin
  origins:
  - jwt:
      issuer: "testing@secure.istio.io"
      jwksUri: "http://192.168.18.3:8083/oauth/key"
  principalBinding: USE_ORIGIN
The policy worked well, but when the jwk invalid...
This issue is closed as expected behavior: the format of the jwks acceptable for Istio proxy is defined by the standard https://tools.ietf.org/html/rfc7517; the key in the failing config is not of the jwks format in rfc7517.
2 Likes
Jerome
January 24, 2019, 10:09pm
6
I found the valid file for Firebase for the certificate:
issuer: "https://securetoken.google.com/aura-dev"
jwksUri: "https://www.googleapis.com/service_accounts/v1/jwk/securetoken@system.gserviceaccount.com"
2 Likes
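A way to check what a jwksUri serves before putting it in a Policy, as an added example that is not part of the original thread or of Istio: it tells an RFC 7517 JWK Set apart from the kid-to-PEM-certificate map that triggers the "Invalid inline jwks" warning above. The function name `check_jwks` and both sample documents are constructed for illustration; only RSA and EC keys are checked.

```python
import json
import re

B64URL = re.compile(r"[A-Za-z0-9_-]+")  # unpadded base64url (RFC 7515)
# Public-key members required per key type (RFC 7518, section 6).
REQUIRED = {"RSA": ("n", "e"), "EC": ("crv", "x", "y")}

def check_jwks(text):
    """Return (kind, problems); kind is 'jwks', 'x509-map' or 'invalid'."""
    try:
        doc = json.loads(text)
    except ValueError as exc:
        return "invalid", [f"not JSON: {exc}"]
    if not isinstance(doc, dict):
        return "invalid", ["top level is not a JSON object"]
    keys = doc.get("keys")
    if not isinstance(keys, list):
        # Shape seen in the proxy warning: {"<kid>": "-----BEGIN CERTIFICATE..."}
        pem = [v for v in doc.values()
               if isinstance(v, str) and v.lstrip().startswith("-----BEGIN CERTIFICATE")]
        if doc and len(pem) == len(doc):
            return "x509-map", ['no "keys" array; values are PEM certificates']
        return "invalid", ['no "keys" array']
    problems = [] if keys else ['"keys" array is empty']
    for i, key in enumerate(keys):
        kty = key.get("kty") if isinstance(key, dict) else None
        if kty not in REQUIRED:
            problems.append(f"keys[{i}]: kty {kty!r} not handled by this check")
            continue
        for member in REQUIRED[kty]:
            value = key.get(member)
            if not (isinstance(value, str) and value
                    and (member == "crv" or B64URL.fullmatch(value))):
                problems.append(f"keys[{i}]: bad or missing {member!r}")
    return ("invalid" if problems else "jwks"), problems

# Constructed samples (not real Firebase keys).
X509_MAP_SAMPLE = json.dumps(
    {"constructed-kid-1": "-----BEGIN CERTIFICATE-----\nMIIC...\n-----END CERTIFICATE-----\n"})
JWKS_SAMPLE = json.dumps({"keys": [{
    "kty": "RSA", "kid": "constructed-kid-1", "use": "sig", "alg": "RS256",
    "n": "sXchDaQebHnPiGvyDOAT4saGEUetSyo", "e": "AQAB"}]})

if __name__ == "__main__":
    for name, sample in (("x509 map", X509_MAP_SAMPLE), ("jwks", JWKS_SAMPLE)):
        print(name, "->", check_jwks(sample))
```

To check a live endpoint, pass the response body of the jwksUri to `check_jwks` as a string.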
Rohit
July 11, 2019, 1:17pm
7
Is it possible to implement Firebase server side cookies and custom claims with Istio ?