JWT authorization with custom SSL certificate

schwicht · April 27, 2021, 7:37am

Hi,
in our recent cluster setup we have several backend services that authenticate end users with a JWT. Currently, our backend services verify the JWT itself using a library. In the future, we want to use Istios JWT authentication/authorization described here: Istio / JWT Token. I have setup the Istio configuration for the JWT authorization. Now, the JWT verification fails and I see the following message in the sidecar logs:

jwt_authn_access_denied{Jwks_doesn’t_have_key_to_match_kid_or_alg_from_Jwt}

The URL of the JWKS endpoint of our authorization server is correct. I believe the sidecar cannot access the JWKS endpoint of our authorization server because we are using a self-signed SSL certificate in our development environment that the sidecar is not aware of. My question is if and how I can configure the custom SSL certificate on the sidecar.

Best,
Simon

shankgan · April 30, 2021, 4:49pm

One (hard) way to do this would be by installing a DestinationRule for the JWKS server in mind and loading the self-signed Root (using kubernetes volume) into the proxy container. Refer to ClientTLSSettings Istio / Destination Rule

Topic		Replies	Views
Istio JWT verification against JWKS with internally signed certificate Security	7	3832	November 9, 2020
Local JWKS HTTP service	11	3963	July 21, 2019
Istio 1.7 - JWT authentication policy problem Security	8	2283	September 23, 2020
mTLS + JWT authentication Security	1	3241	July 10, 2020
RequestAuthentication: Inexplicably solve error "Jwks doesn't have key to match kid or alg from Jwt"	2	10199	May 18, 2023

JWT authorization with custom SSL certificate

Related topics