Istio Authorization using Keycloak

I’m trying to authorize my users using their roles. Here is my JWT from Keycloak:

{
  "jti": "f9f5af0c-b187-4510-8302-d2d553c3bdee",
  "exp": 1573594538,
  "nbf": 0,
  "iat": 1573558569,
  "iss": "https://kc.krk.wtf/auth/realms/K2",
  "aud": "account",
  "sub": "920fadc1-5a30-4d94-8604-8bd14cea2685",
  "typ": "Bearer",
  "azp": "ufinity",
  "auth_time": 1573558538,
  "session_state": "c5679b6d-fc0e-4536-abc2-3533e6ba8c85",
  "acr": "1",
  "realm_access": {
    "roles": [
      "provider",
      "offline_access",
      "uma_authorization"
    ]
  },
  "resource_access": {
    "ufinity": {
      "roles": [
        "provider1"
      ]
    },
    "account": {
      "roles": [
        "manage-account",
        "manage-account-links",
        "view-profile"
      ]
    }
  },
  "scope": "openid email profile",
  "email_verified": false,
  "name": "Kannan2 Provider",
  "preferred_username": "kannan2",
  "given_name": "Kannan2",
  "family_name": "Provider",
  "email": "kannan2@yopmail.com"
}

My Authorization yaml files are as follows:

apiVersion: "rbac.istio.io/v1alpha1"
kind: ClusterRbacConfig
metadata:
  name: default
spec:
  mode: 'ON_WITH_INCLUSION'
  inclusion:
    services:
    - "record.default.svc.cluster.local"
---
apiVersion: "rbac.istio.io/v1alpha1"
kind: ServiceRole
metadata:
  name: regular-user
  namespace: default
spec:
  rules:
  - services:
    - "record"
    paths: ["/users/*"]
    methods: ["GET"]
---
apiVersion: "rbac.istio.io/v1alpha1"
kind: ServiceRoleBinding
metadata:
  name: regular-user-binding
  namespace: default
spec:
  subjects:
  - user: "*"
  roleRef:
    kind: ServiceRole
    name: "regular-user"
---
apiVersion: "rbac.istio.io/v1alpha1"
kind: ServiceRole
metadata:
  name: provider-role
  namespace: default
spec:
  rules:
  - services: ["*"]
    paths: ["*"]
    methods: ["*"]
---
apiVersion: "rbac.istio.io/v1alpha1"
kind: ServiceRoleBinding
metadata:
  name: provider-role-binding
  namespace: default
spec:
  subjects:
  - properties:
      request.auth.claims[roles]: "provider1"
  roleRef:
    kind: ServiceRole
    name: "provider-role"

I’m always getting 403 forbidden response.

Please let me know what I am doing wrong here, or point me to the relevant documentation.

Thanks in advance
-Kannan

@YangminZhu could you please take a look?

@Kannan_K_R
Have you specified any JWT authentication policy on record.default.svc.cluster.local? You need the JWT policy in order to use the request.auth.claims property.

Also, you should use the full service name in the ServiceRole: replace record with record.default.svc.cluster.local.

Note that ClusterRbacConfig, ServiceRole and ServiceRoleBinding are deprecated in favor of the new AuthorizationPolicy in 1.4: https://istio.io/blog/2019/v1beta1-authorization-policy/
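One more thing worth checking before rewriting the policy, as an added example that is not part of the thread: the binding in the post matches on `request.auth.claims[roles]`, and Istio resolves that key as a claim named `roles` at the top level of the JWT payload. The token shown above has no such claim; its roles live under `realm_access.roles` and `resource_access.<client>.roles`. The script below (example code, written for this note; the function names are its own) walks the poster's decoded payload, trimmed to the relevant claims, the way a claim-path condition would, so a policy author can confirm which path actually carries a given role before committing a binding that can never match.

```python
"""Check which claim path in a decoded Keycloak access token carries a role.

Added example, not from the thread. TOKEN_PAYLOAD is the poster's decoded JWT,
trimmed to the claims relevant here. A claim path like ("roles",) models the
Istio condition request.auth.claims[roles], i.e. a lookup by name at the top
level of the payload; longer paths are only a debugging aid to show where the
roles really are.
"""

# Decoded JWT payload from the post (trimmed; values copied from the thread).
TOKEN_PAYLOAD = {
    "iss": "https://kc.krk.wtf/auth/realms/K2",
    "aud": "account",
    "sub": "920fadc1-5a30-4d94-8604-8bd14cea2685",
    "azp": "ufinity",
    "realm_access": {"roles": ["provider", "offline_access", "uma_authorization"]},
    "resource_access": {
        "ufinity": {"roles": ["provider1"]},
        "account": {"roles": ["manage-account", "manage-account-links", "view-profile"]},
    },
    "preferred_username": "kannan2",
}


def lookup_claim(payload, *path):
    """Walk `path` through nested JSON objects; None if any step is missing."""
    node = payload
    for key in path:
        if not isinstance(node, dict) or key not in node:
            return None
        node = node[key]
    return node


def claim_values(payload, *path):
    """Normalise a claim to a list of strings; a string claim becomes a one-item list.

    Objects (and non-string list members) are not usable as role values, so they
    contribute nothing.
    """
    value = lookup_claim(payload, *path)
    if isinstance(value, str):
        return [value]
    if isinstance(value, list):
        return [v for v in value if isinstance(v, str)]
    return []


def has_role(payload, role, *path):
    """True if the claim at `path` is, or contains, the string `role`."""
    return role in claim_values(payload, *path)


def find_role_paths(payload, role, prefix=()):
    """Return every claim path whose value equals or contains `role`.

    Useful when a policy condition silently fails: it shows where the token
    actually carries the role you are trying to match.
    """
    paths = []
    for key, value in payload.items():
        here = prefix + (key,)
        if isinstance(value, dict):
            paths.extend(find_role_paths(value, role, here))
        elif value == role or (isinstance(value, list) and role in value):
            paths.append(here)
    return paths


def main():
    # The binding in the post: request.auth.claims[roles] == "provider1".
    print("top-level roles claim present:", lookup_claim(TOKEN_PAYLOAD, "roles") is not None)
    print("provider1 via claims[roles]:", has_role(TOKEN_PAYLOAD, "provider1", "roles"))
    # Where the role really sits in this token.
    for path in find_role_paths(TOKEN_PAYLOAD, "provider1"):
        print("provider1 found at:", ".".join(path))
    for path in find_role_paths(TOKEN_PAYLOAD, "provider"):
        print("provider found at:", ".".join(path))


if __name__ == "__main__":
    main()
```

Run against this token, the top-level lookup comes back empty while `provider1` is only found under `resource_access.ufinity.roles`, so with this token shape the `provider-role-binding` cannot match even once the JWT authentication policy is in place; either the claim path in the policy or the shape of the token has to change.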