JWT with Namespace-wide excluded_paths doesn't work

Hi, what I'm trying to do is exclude a path that resolves to an auth microservice, which in the first instance creates a JWT that would be used to reach the rest of the services. Can someone explain why this is not possible, or is it necessary to use the excluded_paths property to create an authentication policy with service scope?

I'm also going to hit this issue as well, I'd love to see ahead of time if this is an issue.

To better understand the subject of this post “JWT with Namespace-wide excluded_paths doesn't work”, can you share detailed steps to reproduce this problem?

@Erick_Yataco @jammerful

Would you mind providing the JWT policy YAML? Thanks.

Here is my YAML file:

```yaml
apiVersion: authentication.istio.io/v1alpha1
kind: Policy
metadata:
  name: default
  namespace: mynamespaces
spec:
  peers:
```

```yaml
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: authentication-virtualservice
  namespace: mynamespaces
spec:
  gateways:
  - http-gateway
  hosts:
  - api.mycompany.com
  http:
  - match:
    - uri:
        prefix: /auth/
    rewrite:
      uri: /
    route:
    - destination:
        host: auth-microservice.mycompany.svc.cluster.local
        port:
          number: 3000
    corsPolicy:
      allowOrigin:
      - '*'
      allowHeaders:
      - content-type
      allowMethods:
      - POST
      - GET
      - OPTIONS
```

Now I see the rewrite property in my VirtualService, maybe that's the problem?

Yes, that's possible. The URL rewrite should happen on the client side and the JWT policy is happening on the server side. In other words, the JWT policy sees the request with URI / instead of /auth and then rejects it as it doesn't have a JWT token.
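The effect described in the last reply, as an added example that is not part of the thread and not Istio or Envoy code: a simplified Python model of the request path at each hop. The excluded prefixes `/auth/` and `/login`, the sample paths and the 401/200 results are assumptions made for illustration, since the posted Policy is incomplete.

```python
# Simplified model (not Istio/Envoy code) of why an excluded path written for
# the public URL no longer matches once the gateway has rewritten the URI.

def gateway_rewrite(path, match_prefix, rewrite_to):
    """Model of VirtualService match.uri.prefix + rewrite.uri: the matched
    prefix is replaced before the request is forwarded to the service."""
    if not path.startswith(match_prefix):
        return path
    return rewrite_to + path[len(match_prefix):]


def jwt_required(path, excluded_prefixes):
    """Model of a JWT policy with excluded paths: a token is required unless
    the path seen on the server side starts with an excluded prefix."""
    return not any(path.startswith(p) for p in excluded_prefixes)


def sidecar_decision(client_path, has_jwt, excluded_prefixes):
    """Return (path seen by the server-side proxy, modelled HTTP status)."""
    # "/auth/" -> "/" are the values from the VirtualService posted above.
    seen = gateway_rewrite(client_path, "/auth/", "/")
    if jwt_required(seen, excluded_prefixes) and not has_jwt:
        return seen, 401
    return seen, 200


if __name__ == "__main__":
    # Constructed requests: (path sent by the client, has JWT, excluded prefixes)
    cases = [
        ("/auth/login", False, ["/auth/"]),  # exclusion written for the public URL
        ("/auth/login", False, ["/login"]),  # exclusion written for the rewritten URL
        ("/orders/1", False, ["/login"]),    # other service, no token
        ("/orders/1", True, ["/login"]),     # other service, with token
    ]
    for path, has_jwt, excluded in cases:
        seen, status = sidecar_decision(path, has_jwt, excluded)
        print(f"{path:12} jwt={has_jwt!s:5} excluded={excluded} "
              f"-> server sees {seen:10} status {status}")
```

The first case is the situation in the thread: the exclusion is evaluated against `/login`, not `/auth/login`, so the token-issuing endpoint is rejected for lacking a token.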