I have configured Istio JWT security by adding Authentication and Authorization policies. My token gets validated against the JWKS URI successfully, and the authorization rules restrict the endpoints accordingly.
What I am looking for is whether there is a way to parse the JWT claims after Authentication/Authorization and append them as headers to upstream requests.
Here is the Authentication config, to which I am also adding token-data as a header:

```yaml
apiVersion: security.istio.io/v1beta1
kind: RequestAuthentication
metadata:
  name: "jwt-auth"
  namespace: istio-system
spec:
  selector:
    matchLabels:
      istio: ingressgateway
  jwtRules:
  - issuer: "example.com"
    jwksUri: "http://my-service-endpoint/.well-known/jwks.json"
    outputPayloadToHeader: "token-data"
```
The Authorization Policy config is like this:

```yaml
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: "jwt-auth"
  namespace: istio-system
spec:
  selector:
    matchLabels:
      istio: ingressgateway
  rules:
  - from:
    - source:
        requestPrincipals: ["*"]
  - to:
    - operation:
        paths: ["/login", "/.well-known/jwks.json"]
```
As per an Istio discussion I came across, a custom CRD named Rule allows headerOperations manipulation, but I am not able to use it because this Custom Resource does not exist.

```yaml
apiVersion: config.istio.io/v1alpha2
kind: rule
metadata:
  name: auth-headers
spec:
  request_header_operations:
  - name: X-username
    values:
    - request.auth.claims["username"]
```
The only CRDs for Istio I have with the default profile are:

```
kubectl get -n istio-system crd
NAME                                      CREATED AT
authorizationpolicies.security.istio.io   2022-07-10T07:55:01Z
destinationrules.networking.istio.io      2022-07-10T07:55:01Z
envoyfilters.networking.istio.io          2022-07-10T07:55:01Z
gateways.networking.istio.io              2022-07-10T07:55:01Z
istiooperators.install.istio.io           2022-07-10T07:54:37Z
peerauthentications.security.istio.io     2022-07-10T07:55:01Z
proxyconfigs.networking.istio.io          2022-07-10T07:55:01Z
requestauthentications.security.istio.io  2022-07-10T07:55:01Z
serviceentries.networking.istio.io        2022-07-10T07:55:02Z
sidecars.networking.istio.io              2022-07-10T07:55:02Z
telemetries.telemetry.istio.io            2022-07-10T07:55:02Z
virtualservices.networking.istio.io       2022-07-10T07:55:02Z
wasmplugins.extensions.istio.io           2022-07-10T07:55:02Z
workloadentries.networking.istio.io       2022-07-10T07:55:02Z
workloadgroups.networking.istio.io        2022-07-10T07:55:02Z
```
Also, I am not able to create a Rule CRD.
I would like to understand what I am missing here. Is there any other way to do this?
I verified global.disablePolicyChecks=true|false, but this property does not exist.
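As an added example (not from the question, and not Istio's own code): with `outputPayloadToHeader` set, the upstream service receives the verified JWT's payload as base64url-encoded JSON in the `token-data` header, so the claim-to-header step can be done on the receiving side. This Python decodes that header, tolerates the missing `=` padding, and promotes selected claims such as `username` to `X-*` headers; the claim mapping, the `X-subject` name and the `encode_payload` sample builder are assumptions for illustration.

```python
import base64
import json

# Header written by outputPayloadToHeader in the question's RequestAuthentication.
PAYLOAD_HEADER = "token-data"
# claim name -> header name; X-username follows the question's Rule example,
# X-subject is an assumed extra mapping.
CLAIM_HEADERS = {"username": "X-username", "sub": "X-subject"}


def decode_payload_header(value: str) -> dict:
    """Decode the base64url JWT payload the proxy forwards (padding may be absent)."""
    if not isinstance(value, str) or not value:
        raise ValueError("empty payload header")
    padded = value + "=" * (-len(value) % 4)  # restore stripped '=' padding
    try:
        claims = json.loads(base64.urlsafe_b64decode(padded.encode("ascii")))
    except ValueError as exc:  # covers binascii.Error, UnicodeError, JSONDecodeError
        raise ValueError("payload header is not base64url JSON") from exc
    if not isinstance(claims, dict):
        raise ValueError("JWT payload must be a JSON object")
    return claims


def claim_headers(incoming: dict) -> dict:
    """Map selected claims from the forwarded payload to upstream headers.
    The header carries claims only, no signature: trust it solely because the
    gateway verified the JWT before writing it, i.e. only behind the mesh."""
    lowered = {k.lower(): v for k, v in incoming.items()}  # header names are case-insensitive
    value = lowered.get(PAYLOAD_HEADER)
    if value is None:
        return {}
    try:
        claims = decode_payload_header(value)
    except ValueError:
        return {}  # malformed header: set no identity headers at all
    out = {}
    for claim, header in CLAIM_HEADERS.items():
        v = claims.get(claim)
        # copy only scalar strings free of CR/LF, so a claim can never inject a header
        if isinstance(v, str) and "\r" not in v and "\n" not in v:
            out[header] = v
    return out


def encode_payload(claims: dict) -> str:
    """Constructed sample only: produce the unpadded base64url form the proxy sends."""
    return base64.urlsafe_b64encode(json.dumps(claims).encode()).decode().rstrip("=")
```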