JWT Authorization Failing

I have set up authorization to work with JWT. I am sending a request that looks like it should pass authorization, but it fails.

Here is the request:
curl -v hostnameHidden/httpbin/v1/anything -H 'Host:authorization-test.wawa.com' -H 'x-jwt:jwtHidden'
* About to connect() to hostnameHidden port 80 (#0)
* Connected to hostnameHidden port 80 (#0)
> GET /httpbin/v1/anything HTTP/1.1
> Host:authorization-test.wawa.com
> x-jwt:jwtHidden
>
< HTTP/1.1 403 Forbidden
< content-length: 19
< content-type: text/plain
< date: Wed, 12 Jun 2019 18:15:22 GMT
< server: istio-envoy
< x-envoy-upstream-service-time: 0
<
* Connection #0 to host hostnameHidden left intact
RBAC: access denied

The JWT payload is (being new here I had to insert a space into the iss field so that the forum would not be complaining about me posting too many links)
{
  "iss": "https:/ /dev-eu2ne9zx.auth0.com/",
  "sub": "EWlSieOaraRPeqxq87NhbEH4ceORzP0f@clients",
  "aud": "WawaApiPlatform",
  "iat": 1560284642,
  "exp": 1560371042,
  "azp": "EWlSieOaraRPeqxq87NhbEH4ceORzP0f",
  "scope": "testdata:read",
  "gty": "client-credentials"
}

Here is the service role binding that this is matching:
apiVersion: "rbac.istio.io/v1alpha1"
kind: ServiceRoleBinding
metadata:
  name: test-reader-binding
  namespace: authorization-test
spec:
  subjects:
  - properties:
      request.auth.claims[scope]: "testdata:read"
  roleRef:
    kind: ServiceRole
    name: "test-reader"

Here is the service role (being a new user I had to insert a space into the apiVersion so the forum would not complain I am posting too many links):
apiVersion: "rbac.istio .io/v1alpha1"
kind: ServiceRole
metadata:
  name: test-reader
  namespace: authorization-test
spec:
  rules:
  - services: ["httpbin.authorization-test.svc.cluster.local"]
    methods: ["GET"]

Here are log records that to me look like it is matching:
2019-06-12T17:46:16.894559Z debug rbac building http filter config for {httpbin.authorization-test.svc.cluster.local map[pod-template-hash:5fc7cf895d version:v1 app:httpbin] map[destination.name:httpbin destination.namespace:authorization-test destination.user:default]}
2019-06-12T17:46:16.894570Z debug rbac checking role test-reader
2019-06-12T17:46:16.894575Z debug rbac rules[0] matched
2019-06-12T17:46:16.894655Z debug rbac generated http filter config: {policies:<key:"test-reader" value:<permissions:<and_rules:<rules:<or_rules:<rules:<header:<name:":method" exact_match:"GET" > > > > > > principals:<and_ids:<ids:<metadata:<filter:"istio_authn" path:<key:"request.auth.claims" > path:<key:"scope" > value:<list_match:<one_of:<string_match:<exact:"testdata:read" > > > > > > > > > > {} 0}
2019-06-12T17:46:16.895130Z info rbac built http filter config for httpbin.authorization-test.svc.cluster.local

Hi, did the log at the bottom of your message come from the istio-proxy associated with your service or from another container?

I am trying to debug my own gRPC authentication and am having issues finding out where to start.

Thanks

Could you also post your authentication policy? (it should have principalBinding: USE_ORIGIN).

Also could you put the jwt token like this: --header "Authorization: Bearer $TOKEN"?

Last, I see you have attached the pilot log; it would be more helpful to also attach the proxy log, see https://istio.io/help/ops/security/debugging-authorization/#ensure-proxies-enforce-policies-correctly

The log attached is actually from pilot. You can also follow https://istio.io/help/ops/security/debugging-authorization/#ensure-proxies-enforce-policies-correctly to enable debug logging on the proxy; note that it enables debug logging for the RBAC logger in the proxy, and you may change it to another logger.

Here is the authentication policy:
apiVersion: "authentication.istio.io/v1alpha1"
kind: "Policy"
metadata:
  name: "authorization-test-authentication"
spec:
  targets:
  - name: httpbin
  peers:
  - mtls: {}
  origins:
  - jwt:
      issuer: "https://dev-eu2ne9zx.auth0.com/"
      jwksUri: "https://dev-eu2ne9zx.auth0.com/.well-known/jwks.json"
      jwt_headers:
      - x-jwt
      audiences:
      - WawaApiPlatform
  principalBinding: USE_ORIGIN

The request is putting the JWT in a header named x-jwt and the authentication policy is looking for the same. I will use $SUBSTITUTION in future posts.

I am having a possibly related issue with trying to get the proxy logs. The documentation begins by asking me to issue the command:
kubectl exec $(kubectl get pods -l app=productpage -o jsonpath='{.items[0].metadata.name}') -c istio-proxy -- curl -X POST localhost:15000/logging?rbac=debug -s
This fails:
kubectl get pods -l app=productpage -o jsonpath='{.items[0].metadata.name}'
Error executing template: array index out of bounds: index 0, length 0. Printing more information for debugging the template:
template was:
'{.items[0].metadata.name}'
object given to jsonpath engine was:
map[string]interface {}{"apiVersion":"v1", "metadata":map[string]interface {}{"selfLink":"", "resourceVersion":""}, "items":[]interface {}{}, "kind":"List"}

error: error executing jsonpath "'{.items[0].metadata.name}'": array index out of bounds: index 0, length 0
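An added offline pre-flight check, written for this thread and not taken from it or from Istio: it decodes a token's claims and tests them against the issuer, audience and expiry in the authentication Policy and the `request.auth.claims[scope]` property in the ServiceRoleBinding posted above. The sample token and client id are constructed placeholders, and the script does not verify the signature, which only the proxy does against jwksUri.

```python
import base64
import json

# Constructed sample claims with the same shape as the thread's payload (not the real token).
SAMPLE_CLAIMS = {
    "iss": "https://dev-eu2ne9zx.auth0.com/",
    "sub": "client-id-placeholder@clients",
    "aud": "WawaApiPlatform",
    "exp": 1560371042,
    "scope": "testdata:read",
}
# Constraints taken from the authentication Policy and ServiceRoleBinding posted above.
POLICY = {"issuer": "https://dev-eu2ne9zx.auth0.com/", "audiences": ["WawaApiPlatform"]}
BINDING_PROPERTIES = {"request.auth.claims[scope]": "testdata:read"}


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def make_unsigned_jwt(claims: dict) -> str:
    """Build an alg=none token for offline tests only; Envoy rejects such tokens."""
    header = b64url(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    return f"{header}.{b64url(json.dumps(claims).encode())}."


def decode_payload(token: str) -> dict:
    """Decode the claims segment without verifying the signature (diagnostic use only)."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore the base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def check_claims(claims: dict, now: int) -> list:
    """Return the reasons the claims would fail the Policy or the ServiceRoleBinding."""
    problems = []
    if claims.get("iss") != POLICY["issuer"]:
        problems.append("issuer mismatch")
    aud = claims.get("aud")
    if not set(aud if isinstance(aud, list) else [aud]) & set(POLICY["audiences"]):
        problems.append("audience mismatch")
    if now >= claims.get("exp", 0):
        problems.append("token expired")
    for prop, want in BINDING_PROPERTIES.items():
        name = prop[len("request.auth.claims["):-1]
        # Istio matches claims as lists (see list_match in the pilot log above), so a
        # string claim is compared element-wise after splitting on spaces.
        if want not in str(claims.get(name, "")).split():
            problems.append(f"claim {name} does not contain {want!r}")
    return problems
```

An empty result means the claims satisfy the posted policies, so a remaining 403 points at signature/JWKS validation or at the proxy not receiving the policy rather than at the claim values.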

The command failed in your case because it's for the bookinfo DEMO application (this has nothing to do with JWT here). Note the -l app=productpage in the command; you need to replace it with the label of your application.