I have 2 k8s clusters with Istio 1.5 authentication and JWT tokens enabled.
Authentication works with JWT tokens in the custom headers x-jwt-cluster1/x-jwt-cluster2.
I need to make an external call to app1 in cluster1, then app1 should call app2 in cluster2.
But when I use 2 JWT tokens in a single call, with headers x-jwt-cluster1 and x-jwt-cluster2, and I call app1 (cluster1), which then has to call app2 (cluster2), I get a 500/403 RBAC permission denied error.
Please suggest how it's possible to deal with this case. I know it's possible to use EnvoyFilter to propagate headers between services, but I'd prefer a more Istio-like/standard solution.
Also, the option of using forwardOriginalToken didn't work.
RequestAuthentication:

    jwtRules:
    - fromHeaders:
      - name: x-jwt-cluster1
      issuer: dev@example.com
      jwks: MYPARAMS
      jwtHeaders:
      - x-jwt-cluster1
    selector:
      matchLabels:
        app: my-app