Local JWKS HTTP service

#1

I am having an issue with getting an authorization policy to work when it uses a JWKS served by an HTTP service in the mesh.

I set up an HTTP server in a service named jwks. I am able to reach it through the ingress using a virtual service that specifies

    route:
    - destination:
        host: jwks.default.svc.cluster.local
        port:
          number: 80

In my authorization policy, if I specify

    jwksUri: "http://jwks.default.svc.cluster.local/api-gateway.json"

requests get a 401 status returned.

If I change the URL to one external to the mesh, requests get a normal response. The content is the same in both the internal and external JWKS. Why would the internal address not be working?

#2

Could you share your authorization, routing and deployment configuration?

#3

It’s pilot that fetches the public key from the jwksUri, so make sure your jwks.default.svc.cluster.local is accessible from pilot.
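The mechanism behind reply #3 is worth spelling out with a concrete configuration. The example below is added here and is not configuration from the thread or from the Istio project; it assumes the thread is about Istio (it mentions pilot, virtual services and authorization policies), and the issuer, workload label, key id and key material are placeholders. In Istio the key set named by jwksUri is fetched by istiod (pilot) and pushed to the sidecars; the sidecar itself never contacts the JWKS service. If istiod cannot reach the in-mesh address (for example because of a network policy or a sidecar-only route), the proxy has no key to validate the token with and rejects the request with 401, which is the symptom described in #1. The second variant embeds the key set inline, which removes the control-plane fetch entirely.

```yaml
# Added example (not from the thread). Placeholders: issuer, app label, kid, modulus "n".
# Variant A: istiod fetches the key set from jwksUri and distributes it to the sidecars.
# The URL must therefore be reachable from the istiod pod in istio-system, not just
# from the workloads or the ingress gateway.
apiVersion: security.istio.io/v1beta1
kind: RequestAuthentication
metadata:
  name: api-gateway-jwt
  namespace: default
spec:
  selector:
    matchLabels:
      app: api-gateway            # placeholder workload label
  jwtRules:
  - issuer: "https://issuer.example.com"   # placeholder issuer
    jwksUri: "http://jwks.default.svc.cluster.local/api-gateway.json"
---
# Variant B (use instead of A, not together): inline key set. Nothing is fetched by istiod,
# so reachability of the jwks service no longer matters; the trade-off is that a key
# rotation requires re-applying this resource.
apiVersion: security.istio.io/v1beta1
kind: RequestAuthentication
metadata:
  name: api-gateway-jwt-inline
  namespace: default
spec:
  selector:
    matchLabels:
      app: api-gateway
  jwtRules:
  - issuer: "https://issuer.example.com"
    jwks: |
      {"keys":[{"kty":"RSA","kid":"api-gateway-key-1","use":"sig","alg":"RS256",
                "n":"<base64url-modulus-placeholder>","e":"AQAB"}]}
---
# RequestAuthentication only validates tokens that are present; to require one,
# pair it with an AuthorizationPolicy that allows only requests carrying a principal
# from the trusted issuer (requestPrincipals is "<issuer>/<subject>").
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: api-gateway-require-jwt
  namespace: default
spec:
  selector:
    matchLabels:
      app: api-gateway
  action: ALLOW
  rules:
  - from:
    - source:
        requestPrincipals: ["https://issuer.example.com/*"]
```

With variant A, a request carrying a token signed by a key that istiod never managed to download is answered with 401 by the sidecar, while a request with no token at all is answered with 403 by the AuthorizationPolicy; distinguishing the two status codes is a quick way to tell a key-fetch problem from a missing-token problem. The external URL in #1 worked because istiod could reach it, which is consistent with the in-mesh service being blocked from the control plane rather than with the key set content being wrong.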