Istio JWT Token Authorization

Istio comes with an out-of-the-box ability to validate the JWT tokens that come inside a client request header. And we were able to successfully use the RequestAuthentication policy.

  1. Validate the JWT token inside the request header
  2. Forward request with valid JWT to application code
  3. Deny traffic with invalid JWT

My query was if we can cache the JWT tokens at the ingress gateway for improved performance. Can you provide some pointers on how this can be done?

Can you clarify a little bit what exactly you want to cache? The process of validating a JWT token? And what is the cache key for your use case?

@YangminZhu We are trying to cache the JWT tokens at the Istio ingress gateway. If the token is valid, we want to cache these tokens so that the subsequent requests passing through the gateway are faster and will give better performance. The token, once expired, needs to be refreshed. My question was, is this automatically handled by the Istio ingress gateway or do we need special handling? How do we handle the token refresh workflow?

Is this possible, or should we be using some other ingress?

Did anyone find a solution for this?

The Envoy JWT filter now supports caching the JWT token validation, in "Add Jwt cache. by mk46 · Pull Request #14341 · envoyproxy/envoy · GitHub". We could evaluate it and enable it in Istio by default if it's stable and reliable enough for production usage.

cc @mathaj
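As an added illustration that is not part of the thread and is not Envoy's or Istio's code: a small verification-result cache showing the two points raised above, what the cache key is and how expiry and refresh interact with it. The HS256 shared key, the `JwtCache` class and the sample tokens are assumptions constructed for the example; the key is a hash of the full token, only tokens that passed validation are stored, and `exp` is re-checked on every hit.

```python
import base64, hashlib, hmac, json, time
from collections import OrderedDict

def _b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64url(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def make_token(claims, key):  # constructed HS256 token for the demo
    msg = ".".join(_b64url(json.dumps(p).encode()) for p in ({"alg": "HS256"}, claims))
    return msg + "." + _b64url(hmac.new(key, msg.encode(), hashlib.sha256).digest())

def verify(token, key, now):  # full validation; raises ValueError on any failure
    try:
        head, body, sig = token.split(".")
        header, given = json.loads(_unb64url(head)), _unb64url(sig)
    except ValueError as exc:
        raise ValueError("malformed token") from exc
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    want = hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(want, given):
        raise ValueError("bad signature")
    claims = json.loads(_unb64url(body))  # parsed only after the signature checks out
    exp = claims.get("exp") if isinstance(claims, dict) else None
    if not isinstance(exp, (int, float)) or exp <= now:
        raise ValueError("expired or missing exp")
    return claims

class JwtCache:  # bounded LRU of tokens that already passed verify()
    def __init__(self, key, max_size=100):
        self.key, self.max_size = key, max_size
        self.entries = OrderedDict()  # sha256(full token) -> claims
        self.full_checks = 0  # how many times the expensive path ran

    def check(self, token, now=None):
        now = time.time() if now is None else now
        k = hashlib.sha256(token.encode()).digest()
        claims = self.entries.get(k)
        if claims is not None and claims["exp"] > now:  # hit, exp still honoured
            self.entries.move_to_end(k)
            return claims
        self.entries.pop(k, None)  # drop an entry that expired while cached
        self.full_checks += 1
        claims = verify(token, self.key, now)  # raises, so failures are never cached
        self.entries[k] = claims
        if len(self.entries) > self.max_size:
            self.entries.popitem(last=False)  # evict least recently used
        return claims
```

A refreshed token is a different string, so it lands under a new key and goes through full validation once; the old entry ages out on its own `exp` or by LRU eviction.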