Istio JWT Auth - Origin authentication failed

I'm running Istio 1.4.x (I think 1.4.3) with the config below.

I am using an AAD app registration.
I am able to generate a JWT from the AAD app registration, but when I add the audiences section (to limit the JWT to only be from my app registration instead of ALL AAD app registrations), it starts throwing the Origin authentication failed error.

Any suggestions?

apiVersion: authentication.istio.io/v1alpha1
kind: Policy
metadata:
  name: "{{ .Chart.Name }}-{{ .Release.Name }}"
  namespace: {{ .Values.namespace }}
spec:
  targets:
  - name: "{{ .Chart.Name }}-{{ .Release.Name }}"
  peers:
  - mtls:
      mode: PERMISSIVE
  origins:
  - jwt:
      issuer: {{ .Values.policy.jwt.issuer }}
      jwksUri: {{ .Values.policy.jwt.jwksUri }}
      audiences:
      - {{ .Values.policy.jwt.audiences }}
  principalBinding: USE_ORIGIN

Hi @midacts,
the audiences field goes under jwt, not under jwksUri.

- jwt:
    issuer: {{ .Values.policy.jwt.issuer }}
    audiences:
    - {{ .Values.policy.jwt.audiences }}
    jwksUri: {{ .Values.policy.jwt.jwksUri }}

Maybe this will help you!

That's how I have it as well.
I just had it commented out in the original YAML pic.

I'll edit it and remove the comments.

The error Origin authentication failed is returned by authentication when it fails to verify the JWT token of the request.

See this related issue: gRPC JWT Authentication silently failing in Istio [workaround].
Enable the logging on the ingress gateway and check it.
This will help you.

I ran this:

kubectl exec $(kubectl get pods -l istio=ingressgateway -n istio-system -o jsonpath='{.items[0].metadata.name}') -c istio-proxy -n istio-system -- curl -X POST "localhost:15000/logging?level=debug" -s

then this:

kubectl logs istio-ingressgateway-xxx -n istio-system istio-proxy

I don't really know what I'm looking for or where to look.

Hi,
in the logs you would find entries related to this policy.

Still learning. Can you give more information on your case, like from where you access your application, or the proper YAML and targets.name? I will try to help you.

Logs in the istio-ingressgateway-xxx pod? There is also an istio-policy (and 5+ other pods) in the istio-system namespace.

I'm still learning Istio as well. : )

More info on my use case.
Basically I have a simple Flask API.
I want to add authentication in front of the API so not just anyone can access it.

We use Azure AD for authentication today, so I created an Azure AD app registration and set up a client secret.

I am using Python to generate the JWT from there like this:

# Import the required module
from azure.common.credentials import ServicePrincipalCredentials

# Set your variables
tenant_id = "xxx"
client_id = "xxx"
client_secret = "xxx"

# Generate your SP credentials (requests a token for the given resource)
credentials = ServicePrincipalCredentials(
    client_id=client_id,
    secret=client_secret,
    resource="https://graph.windows.net",
    tenant=tenant_id
)

# Output your token
print(credentials.token['access_token'])

Then passing that JWT to my application like this:

token="<access_token printed by the script above>"
curl -H "Authorization: Bearer ${token}" https://my-api.example.com/my-endpoint
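A small diagnostic for the mismatch being debugged in this thread, added here as an example; it is not code from the original posts or from Istio. It decodes the JWT payload without verifying the signature (verification stays the gateway's job) and compares the iss and aud claims against the issuer and audiences values a Policy would carry. A token requested for a resource such as https://graph.windows.net carries that resource in its aud claim, so a policy whose audiences lists a different value (for example the app registration's client ID) rejects it with exactly this kind of error. The sample token, the placeholder tenant and client IDs and the policy values are all constructed for the example; substitute the real token and the values from your chart.

```python
import base64
import json


def _b64url_decode(segment: str) -> bytes:
    """JWT segments are base64url without padding; restore it before decoding."""
    padding = "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment + padding)


def _b64url_encode(obj: dict) -> str:
    """Inverse of _b64url_decode, used only to build the constructed sample token."""
    raw = json.dumps(obj, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def decode_claims(token: str) -> dict:
    """Return the payload claims of a compact JWT WITHOUT checking its signature.

    This is an inspection aid for comparing claims with a policy; it must never
    be used to decide whether a request is authenticated.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact-serialised JWT (expected header.payload.signature)")
    return json.loads(_b64url_decode(parts[1]))


def check_against_policy(token: str, issuer: str, audiences: list) -> list:
    """Compare the token's iss/aud with a Policy's origins.jwt issuer/audiences.

    Returns a list of human-readable mismatches; an empty list means the claims
    would satisfy the policy (signature and expiry are still checked by Istio).
    """
    claims = decode_claims(token)
    problems = []

    if claims.get("iss") != issuer:
        problems.append(
            f"iss mismatch: token has {claims.get('iss')!r}, policy expects {issuer!r}"
        )

    # RFC 7519 allows aud to be a single string or an array of strings.
    aud = claims.get("aud")
    token_aud = aud if isinstance(aud, list) else [aud]
    if audiences and not set(token_aud) & set(audiences):
        problems.append(
            f"aud mismatch: token has {token_aud!r}, policy allows {audiences!r}"
        )
    return problems


def make_sample_token(claims: dict) -> str:
    """Build a constructed, unsigned test fixture with the given payload.

    The signature segment is a dummy; the fixture only exercises claim parsing.
    """
    header = {"typ": "JWT", "alg": "RS256"}
    return f"{_b64url_encode(header)}.{_b64url_encode(claims)}.dummysig"


# Constructed placeholders standing in for values from the original post.
TENANT_ID = "TENANT_ID_PLACEHOLDER"
CLIENT_ID = "CLIENT_ID_PLACEHOLDER"

# Shape of a token obtained with resource="https://graph.windows.net" (constructed).
SAMPLE_TOKEN = make_sample_token({
    "iss": f"https://sts.windows.net/{TENANT_ID}/",
    "aud": "https://graph.windows.net",
    "appid": CLIENT_ID,
})

# Two candidate Policy configurations: the audience the token really carries,
# and the app registration's client ID that one might expect to work.
POLICY_ISSUER = f"https://sts.windows.net/{TENANT_ID}/"
POLICY_AUDIENCES_MATCHING = ["https://graph.windows.net"]
POLICY_AUDIENCES_CLIENT_ID = [CLIENT_ID]


if __name__ == "__main__":
    print("claims:", decode_claims(SAMPLE_TOKEN))
    for label, auds in (("resource URI", POLICY_AUDIENCES_MATCHING),
                        ("client ID", POLICY_AUDIENCES_CLIENT_ID)):
        problems = check_against_policy(SAMPLE_TOKEN, POLICY_ISSUER, auds)
        print(f"audiences={label}: {'OK' if not problems else problems}")
```

Run it as-is to see the constructed case, or paste a real access token into SAMPLE_TOKEN and the chart's issuer/audiences into the policy constants; if the aud line reports a mismatch, the Policy's audiences entry and the resource the token was requested for need to agree before the gateway will accept the request.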