Local JWKS HTTP service


I am having an issue with getting an authorization policy to work when it uses a JWKS served by an HTTP service in the mesh.

I set up an HTTP server in a service named jwws. I am able to reach it through the ingress using a virtual service that specifies

    - destination:
        host: jwks.default.svc.cluster.local
        port:
          number: 80

In my authorization policy, if I specify

    jwksUri: "http://jwks.default.svc.cluster.local/api-gateway.json"

requests get a 401 status returned.

If I change the URL to one external to the mesh, requests get a normal response. The content is the same in both the internal and external JWKS. Why would the internal address not be working?


Could you share your authorization, routing and deployment configuration?


It’s pilot that fetches the public key from the jwksUri, so make sure your jwks.default.svc.cluster.local is accessible from pilot.
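
A reachability check for the advice above, as an added example that is not part of the original thread or of Istio: it fetches a jwksUri and reports whether the failure is DNS, connectivity, HTTP status, or a malformed key set. The function name `probe_jwks` and the status labels are hypothetical, and it assumes you run it from a pod whose network view matches pilot's, which you have to arrange yourself.

```python
import json
import socket
import sys
import urllib.error
import urllib.request

# Ignore proxy environment variables: in-cluster names should be reached directly.
_OPENER = urllib.request.build_opener(urllib.request.ProxyHandler({}))


def probe_jwks(jwks_uri, timeout=5.0):
    """Fetch jwks_uri and return (status, detail).

    status is one of "ok", "dns", "unreachable", "http", "not-jwks"
    (labels invented for this example).
    """
    try:
        with _OPENER.open(jwks_uri, timeout=timeout) as resp:
            body = resp.read()
    except urllib.error.HTTPError as exc:
        # The service answered, but not with a success status.
        return "http", f"HTTP {exc.code}"
    except urllib.error.URLError as exc:
        if isinstance(exc.reason, socket.gaierror):
            return "dns", str(exc.reason)  # name does not resolve from here
        return "unreachable", str(exc.reason)  # refused, timed out, ...
    except (socket.timeout, ConnectionError) as exc:
        return "unreachable", str(exc)  # failure while reading the body
    try:
        doc = json.loads(body)
    except ValueError:
        return "not-jwks", "response body is not JSON"
    keys = doc.get("keys") if isinstance(doc, dict) else None
    if not isinstance(keys, list) or not keys:
        return "not-jwks", "no non-empty 'keys' array in response"
    if any(not isinstance(k, dict) or "kty" not in k for k in keys):
        return "not-jwks", "at least one key has no 'kty' member"
    kids = ", ".join(str(k.get("kid", "<no kid>")) for k in keys)
    return "ok", f"{len(keys)} key(s): {kids}"


if __name__ == "__main__":
    # Default is the jwksUri from the question; pass another URI as argv[1].
    default = "http://jwks.default.svc.cluster.local/api-gateway.json"
    uri = sys.argv[1] if len(sys.argv) > 1 else default
    status, detail = probe_jwks(uri)
    print(f"{uri}: {status} ({detail})")
    sys.exit(0 if status == "ok" else 1)
```

A result of `dns` or `unreachable` for the internal URI alongside `ok` for the external one points at reachability rather than at the JWKS content.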