ISTIO JWT caching

hi,

I am trying to configure & test the JWT token cache. Version info:
ISTIO 1.11.6
pilot:1.11.6

Auth.yaml

apiVersion: "security.istio.io/v1beta1"
kind: "RequestAuthentication"
metadata:
  name: "jwt-edge-service"
  namespace: dev1-edge-service
spec:
  selector:
    matchLabels:
      app: edge-service
  jwtRules:
  - issuer: "Commerce"
    # jwks: |
    jwksUri: "http://tokenservice-dev1.mycompany.com/tokenservice/v1/key/.well-known/jwks.json"
    forwardOriginalToken: true

I have also tried the service mesh URL with this config in Auth.yaml

apiVersion: "security.istio.io/v1beta1"
kind: "RequestAuthentication"
metadata:
  name: "jwt-edge-service"
  namespace: dev1-edge-service
spec:
  selector:
    matchLabels:
      app: edge-service
  jwtRules:
  - issuer: "Commerce"
    # jwks: |
    jwks_uri: "http://tokenservice-dev1.namespace.svc.local/tokenservice/v1/key/.well-known/jwks.json"
    forwardOriginalToken: true

I enabled these two environment variables:

istio-proxy@istiod-789bfd9f55-mp9tr:/$ printenv | grep PILOT_JWT
PILOT_JWT_PUB_KEY_REFRESH_INTERVAL=20m0s
PILOT_JWT_ENABLE_REMOTE_JWKS=true

But I am still not seeing the JWT caching feature. Can someone please help me see if I am missing anything?


What is your expected outcome?

Thanks for checking.

As per my understanding (feel free to correct me), with caching enabled with the default value of 20 min, there shouldn't be calls to the token service for that duration.

@linggg Can you take a look?

PILOT_JWT_ENABLE_REMOTE_JWKS=true: this flag says that you are going to fetch the JWT pubkey from Envoy. Don't set it, and then istiod will save the token in the cache.

Thanks for checking & sharing your thoughts.

The reason for adding that env variable was to try with the mesh URL instead of the proper external DNS. However, with or without that variable I did not see the desired caching or reduction in calls to the token service.

Please let me know if I was not clear enough or missed anything in the config.

You mean to say you are seeing a call to your JWKS server before 20 min. If this is happening with PILOT_JWT_ENABLE_REMOTE_JWKS=false, then your JWKS server is not returning the pubkey the first time, and we have a background job which runs when we are not able to fetch the pubkey in one call (it makes around 7 more calls to check whether it is a temporary error with the JWKS server). Please check the istiod logs. PILOT_JWT_ENABLE_REMOTE_JWKS=true means Envoy is fetching the JWT token, and in that case PILOT_JWT_PUB_KEY_REFRESH_INTERVAL won't work, as it only specifies the interval for istiod.
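A way to confirm which of the two modes a sidecar actually ended up in, as an added example that is not from this thread or from the Istio project: it parses a constructed, simplified `istioctl proxy-config listener <pod> -o json` dump and reports, per jwt_authn provider, whether the key set was inlined by istiod (`localJwks`, refreshed on PILOT_JWT_PUB_KEY_REFRESH_INTERVAL) or is fetched by Envoy itself (`remoteJwks`, where that interval has no effect). The provider names, URI and filter nesting in the sample are assumptions.

```python
import json

# Constructed, simplified excerpt of an `istioctl proxy-config listener <pod> -o json`
# dump for a sidecar with a RequestAuthentication applied. Only the jwt_authn filter is
# kept; provider names, URI and nesting are placeholders, not taken from any cluster.
SAMPLE_DUMP = json.dumps([{"filterChains": [{"filters": [{"typedConfig": {"httpFilters": [{
    "name": "envoy.filters.http.jwt_authn",
    "typedConfig": {
        "@type": "type.googleapis.com/envoy.extensions.filters.http.jwt_authn.v3.JwtAuthentication",
        "providers": {
            # PILOT_JWT_ENABLE_REMOTE_JWKS=true: Envoy fetches the key set itself
            "origins-0": {"issuer": "Commerce", "forward": True,
                          "remoteJwks": {"httpUri": {"uri": "http://jwks.example.invalid/jwks.json",
                                                     "timeout": "5s"},
                                         "cacheDuration": "1200s"}},
            # PILOT_JWT_ENABLE_REMOTE_JWKS=false: istiod fetched the key set and inlined it
            "origins-1": {"issuer": "other", "localJwks": {"inlineString": "{\"keys\":[]}"}}}}}]}}]}]}])

def _walk(node):
    """Yield every dict nested anywhere inside node (through dicts and lists)."""
    if isinstance(node, dict):
        yield node
        for v in node.values():
            yield from _walk(v)
    elif isinstance(node, list):
        for v in node:
            yield from _walk(v)

def jwks_modes(dump_json):
    """Map each jwt_authn provider to (mode, issuer, envoy_cache_duration).

    mode 'local'  -> key set inlined by istiod; refresh follows PILOT_JWT_PUB_KEY_REFRESH_INTERVAL.
    mode 'remote' -> Envoy fetches the JWKS; refresh follows Envoy's cacheDuration instead,
                     so the istiod interval has no effect on these calls.
    """
    modes = {}
    for d in _walk(json.loads(dump_json)):
        if not str(d.get("@type", "")).endswith("jwt_authn.v3.JwtAuthentication"):
            continue
        for name, prov in d.get("providers", {}).items():
            if "localJwks" in prov or "local_jwks" in prov:
                modes[name] = ("local", prov.get("issuer"), None)
            else:
                rj = prov.get("remoteJwks") or prov.get("remote_jwks") or {}
                modes[name] = ("remote", prov.get("issuer"),
                               rj.get("cacheDuration") or rj.get("cache_duration"))
    return modes

if __name__ == "__main__":
    print(jwks_modes(SAMPLE_DUMP))
```

To check a live sidecar, feed the output of `istioctl proxy-config listener <pod> -n <namespace> -o json` to `jwks_modes` in place of the constructed sample.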