From Istio / Security
Request authentication policies can specify more than one JWT if each uses a unique location. When more than one policy matches a workload, Istio combines all rules as if they were specified as a single policy. This behavior is useful to program workloads to accept JWT from different providers. However, requests with more than one valid JWT are not supported because the output principal of such requests is undefined.
Is it intended to be read as “Istio allows multiple tokens but in an OR manner, not validating both”? Not sure I understand why a principal needs to be derived from the token, and the documentation doesn’t explain how a service principal is used in executing AuthorizationPolicies, just that it’s used in telemetry. Which particular value is used as principal? Shouldn’t the sub value be the principal? And in that case just take the sub value from the body of the last token listed in the jwtrules. RequestAuthorization seems very narrow in its implementation when all I really need is a way to validate that the JWT was not tampered with.
My use case is, I need to send two JWT access tokens to a service and I need them both validated. The reason I need two tokens is that I need additional claims provided from an internal API which provides additional RBAC rules and identity impersonation which my Identity Provider can’t fetch. If this can’t be done then I need to add additional token processing in the service.
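The two-provider configuration the quoted docs describe, written out as an added example (not from the thread or the Istio project): two jwtRules at distinct locations, and an AuthorizationPolicy keyed on the derived request principal, which Istio forms as `<issuer>/<subject>`. The issuer URLs, JWKS URLs, custom header name and workload label are placeholders.

```yaml
# Added example (not from the thread or the Istio project). Issuer URLs, JWKS
# URLs, the custom header name and the workload label are placeholders.
apiVersion: security.istio.io/v1beta1
kind: RequestAuthentication
metadata:
  name: two-providers
  namespace: default
spec:
  selector:
    matchLabels:
      app: orders                                  # placeholder workload
  jwtRules:
  # Provider 1: token carried in the standard Authorization header.
  - issuer: "https://idp.example.com"              # placeholder
    jwksUri: "https://idp.example.com/jwks"        # placeholder
    fromHeaders:
    - name: Authorization
      prefix: "Bearer "
    forwardOriginalToken: true                     # let the app re-check claims
  # Provider 2: token carried in a custom header, so its location is unique
  # and Istio merges the two rules as if they were one policy.
  - issuer: "https://internal-api.example.internal"        # placeholder
    jwksUri: "https://internal-api.example.internal/jwks"  # placeholder
    fromHeaders:
    - name: x-internal-jwt                         # placeholder header name
    forwardOriginalToken: true
---
# RequestAuthentication alone only rejects tokens that fail validation; a
# request with no token still passes. This policy rejects anything without a
# principal from provider 1. A request carrying two valid tokens has an
# undefined principal (per the quoted docs), so requestPrincipals cannot be
# relied on to express "both tokens validated".
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: require-idp-principal
  namespace: default
spec:
  selector:
    matchLabels:
      app: orders                                  # placeholder workload
  action: ALLOW
  rules:
  - from:
    - source:
        requestPrincipals: ["https://idp.example.com/*"]   # <issuer>/<subject>
```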