JWT-ALB-AuthorizationPolicyIssue

Hi,
I am running istio in EKS cluster, using the ALB to obtain OIDC token. ALB puts the JWT in the header x-amzn-oidc-data. How to configure ISTIO to parse the JWT token in x-amazon-oidc-data, extract the claims , put into heder, so that it can be used in x-amzn-oidc-data.

Below Configuration is not working.Could you please check

apiVersion: “security.istio.io/v1beta1”
kind: “RequestAuthentication”
metadata:
name: “jwt-example-httpbin”
namespace: foo
spec:
selector:
matchLabels:
app: httpbin
jwtRules:

• issuer: “https://trominos.okta.com/oauth2/default”
  jwksUri: “https://trominos.okta.com/oauth2/default/v1/keys”
  forwardOriginalToken: true
  fromHeaders:
  • name: x-amzn-oidc-data
    EOF

apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
name: require-jwt-httpbin
namespace: foo
spec:
selector:
matchLabels:
app: httpbin
action: ALLOW
rules:
- from:
- source:
requestPrincipals: [“https://trominos.okta.com/oauth2/default/*”]
when:
- key: request.auth.claims[groups]
values: [“group”]
EOF

Could you respond, is any way to use the JWT in x-amazon-oidc-data in RequestAuthentication, x-amazon-oidc-data is set by AWS ALB

@YangminZhu @incfly could you take a look as this. user want to parse a specific kind of issuer and token

Also from the values: [“group”] you set a group value.

Could you check whether your token contains such value?