ISTIO JWT caching

Kiran_Yayavaram · July 14, 2022, 7:30pm

hi,

I am trying to configure & test JWT token cache in version info
ISTIO 1.11.6
pilot:1.11.6

Auth.yaml

apiVersion: "security.istio.io/v1beta1"
kind: "RequestAuthentication"
metadata:
  name: "jwt-edge-service"
  namespace: dev1-edge-service
spec:
  selector:
    matchLabels:
      app: edge-service
  jwtRules:
  - issuer: "Commerce"
    # jwks: |
    jwksUri: "http://tokenservice-dev1.mycompany.com/tokenservice/v1/key/.well-known/jwks.json"
    forwardOriginalToken: true

I have also tried service mesh URL with this config in Auth.yaml

apiVersion: "security.istio.io/v1beta1"
kind: "RequestAuthentication"
metadata:
  name: "jwt-edge-service"
  namespace: dev1-edge-service
spec:
  selector:
    matchLabels:
      app: edge-service
  jwtRules:
  - issuer: "Commerce"
    # jwks: |
    jwks_uri: "http://tokenservice-dev1.namespace.svc.local/tokenservice/v1/key/.well-known/jwks.json"
    forwardOriginalToken: true

Enabled these two environment variables

istio-proxy@istiod-789bfd9f55-mp9tr:/$ printenv | grep PILOT_JWT
PILOT_JWT_PUB_KEY_REFRESH_INTERVAL=20m0s
PILOT_JWT_ENABLE_REMOTE_JWKS=true

But i am still not seeing JWT caching feature. Can someone please help me to see if i am missing anything.

liminwang · July 17, 2022, 6:38am

What is your expected outcome?

Kiran_Yayavaram · July 17, 2022, 9:07am

Thanks for checking.

As per my understanding (feel free to correct me), with caching enabled with default value of 20min, there shouldn’t be calls to token service for that duration.

liminwang · July 18, 2022, 5:11am

@linggg Can you take a look?

Aryan_Gupta · August 5, 2022, 5:38pm

PILOT_JWT_ENABLE_REMOTE_JWKS=true this flag says that you are gonna fetch the jwt pubkey from envoy, don’t set it and then istiod will save the token in the cache.

Kiran_Yayavaram · August 8, 2022, 7:57pm

thanks for checking & sharing your thoughts.

Reason for adding that Env variable was to try with MESH url instead of proper external DNS. However, with or without that variable i did not see desired caching or reduction in calls to the token service.

Please let me know if i was not clear enough or missed anything in config.

Aryan_Gupta · August 10, 2022, 9:12pm

you mean to say, you are seeing a call to your jwks server before 20min. If this is happening with PILOT_JWT_ENABLE_REMOTE_JWKS=false, then your jwks server is not returning pubKey for the first time and we have a background job which runs when we are not able to fetch pubkey in one call (It makes around 7 more calls to check if it is not a temp error with jwks server). Please check the istiod logs and PILOT_JWT_ENABLE_REMOTE_JWKS=true represents envoy is fetching the jwt token and in that case that PILOT_JWT_PUB_KEY_REFRESH_INTERVAL won’t work as it just specifies interval for istiod.

Topic		Replies	Views
How to get the cached JWT/JWK values?	0	329	November 4, 2022
Istio JWT Token Authorization	5	1475	January 4, 2022
Configuring JWT with requestauthentication does not work in istio 1.5	2	1617	June 23, 2021
JWT Policy does not take affect! Policies and Telemetry	24	5538	February 26, 2020
Istio 1.7 - JWT authentication policy problem Security	8	1942	September 23, 2020

ISTIO JWT caching

Related Topics