Istio UX improvements you'd like to see

We are working on the roadmap for UX in Istio 1.5.

Reply with your most-desired usability feature, or worst design failure.


I would really like to see an improvement in handling JSON Web Tokens across services.

As of now, the docs describe how to set an authentication policy that denies access to a configured service without a valid JSON Web Token:

apiVersion: "authentication.istio.io/v1alpha1"
kind: "Policy"
metadata:
   ...
spec:
  targets:
    - name: <service-name>
  peers:
    - mtls: {}
  origins:
    - jwt:
        issuer: <issuer-value>
        jwksUri: <jwks-uri-value>
  principalBinding: USE_ORIGIN

Istio also allows setting request headers from JWT claims based on the ORIGIN principal.
However, what is not mentioned anywhere is how to handle origin authentication across multiple services.

Take a small microservice architecture for example with the following chained HTTP request flow:

  1. Ingress Gateway
  2. Service A
  3. Service B

Both service A and service B must know the identity of the user to fulfill their functionality.

In this case, the HTTP request from the ingress gateway to service A includes the JSON Web Token as the principal of the request. Therefore, service A can see the identity of the user who made the initial call. However, when service A makes a chained request to service B to delegate some functionality, this call uses the peer principal of service A. This means that service B does not have access to the user identity of the initial call and cannot fulfill its functionality.

I would really appreciate it if the docs would mention how to set up this use case so that service A as well as service B have access to the JSON Web Token, or at least its user identity information and its claims.
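One application-side pattern for the chained flow above, added here as an illustration and not taken from the post or from Istio itself: service A forwards the end-user's bearer token verbatim on its call to service B, and service B verifies that token again itself instead of trusting anything derived from A's peer identity. The Istio Policy quoted above only governs what the sidecar accepts; whether the token reaches the application container and how it is propagated between services is up to the application, which is what this example covers. The HS256 shared secret, the issuer URL and the lowercase header names are assumptions made so the example runs offline; a real deployment would validate against the issuer's JWKS (the `jwksUri` in the policy).

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed for this example: a shared HS256 secret stands in for the
# issuer's JWKS, and the issuer URL is a hypothetical <issuer-value>.
DEMO_SECRET = b"demo-shared-secret-not-for-production"
DEMO_ISSUER = "https://issuer.example"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def mint_token(sub: str, ttl: int = 300, now=None) -> str:
    """Issue a compact HS256 JWT. Plays the role of the external issuer."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"iss": DEMO_ISSUER, "sub": sub, "iat": now, "exp": now + ttl}
    signing_input = _b64url(json.dumps(header).encode()) + "." + _b64url(json.dumps(claims).encode())
    sig = hmac.new(DEMO_SECRET, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def verify_token(token: str, now=None) -> dict:
    """Check algorithm, signature, issuer and expiry; return claims or raise ValueError."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    h, c, s = parts
    header = json.loads(_b64url_decode(h))
    if header.get("alg") != "HS256":  # pin the algorithm; never trust alg from the token alone
        raise ValueError("unexpected alg")
    expected = hmac.new(DEMO_SECRET, (h + "." + c).encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(c))
    if claims.get("iss") != DEMO_ISSUER:
        raise ValueError("wrong issuer")
    if claims.get("exp", 0) <= now:
        raise ValueError("expired")
    return claims


def outbound_headers_for_service_b(inbound_headers: dict) -> dict:
    """Service A: build headers for the chained call to service B.

    Only the end-user bearer token is forwarded (allow-list), so B receives the
    same credential the ingress gateway validated and can verify it itself.
    Header names are assumed lowercase, as an HTTP/2 proxy would present them.
    """
    auth = inbound_headers.get("authorization", "")
    if not auth.lower().startswith("bearer "):
        raise ValueError("no bearer token on inbound request")
    return {"authorization": auth}


def service_b_handle(headers: dict, now=None) -> str:
    """Service B: re-verify the forwarded token and return the end-user identity.

    B does not accept a bare x-user-id style header from A; it trusts only a
    token it has validated, regardless of which peer delivered it.
    """
    auth = headers.get("authorization", "")
    token = auth.split(" ", 1)[1] if " " in auth else ""
    claims = verify_token(token, now=now)
    return claims["sub"]
```

With a `jwt` origin configured on service B as well, the sidecar performs the same validation before the request reaches B's code; the application-level re-check above is the defence that remains if the token is ever forwarded over a path the sidecar does not cover.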