OriginAuthenticationMethod

Hi,

Using Istio 1.2… I see in 1.5 envoy can be setup to read the JWT token and inspect/match the value of a claim. Is this possible in Istio 1.2?
AuthorizationPolicy eaxmple here (step 8) https://istio.io/docs/tasks/security/authorization/authz-jwt/ is what I am looking to do. I have a SSO token coming in the request and want to limit access based on role defined in the JWT.

Thanks!

Hi @pete

AFAIK you can limit the access but the procedure is different as you are using istio1.2

See this https://archive.istio.io/v1.2/docs/tasks/security/rbac-groups/

May this help you.

Thanks, it has helped… I find that I am at the same issue as (gRPC JWT Authentication silently failing in Istio [workaround] - #5 by KarlMutch). But I cannot seem to authenticate the JWT. I get the following allow_missing_or_failed set to true and the JWT is not really being validated.

[2020-05-28 13:24:51.357][26][debug][filter] [src/envoy/http/mixer/filter.cc:154] Called Mixer::Filter : setDecoderFilterCallbacks
[2020-05-28 13:24:51.358][26][debug][filter] [src/envoy/http/jwt_auth/jwt_authenticator.cc:82] Jwt authentication starts
[2020-05-28 13:24:51.358][26][debug][filter] [src/envoy/http/jwt_auth/jwt_authenticator.cc:243] Jwt authentication completed with: OK
[2020-05-28 13:24:51.358][26][debug][filter] [src/envoy/http/jwt_auth/jwt_authenticator.cc:246] The value of allow_missing_or_failed in AuthFilterConfig is: true
[2020-05-28 13:24:51.358][26][debug][filter] [src/envoy/http/jwt_auth/http_filter.cc:61] JwtVerificationFilter::onDone with status OK
[2020-05-28 13:24:51.358][26][debug][filter] [src/envoy/http/authn/filter_context.cc:81] No dynamic_metadata found for filter jwt-auth
[2020-05-28 13:24:51.358][26][debug][filter] [src/envoy/http/authn/origin_authenticator.cc:85] Origin authenticator failed

@YangminZhu can you help in this.

Here is my policy and logs. Also I have tested within the envoy sidecar that it can curl to the issuer and jwksUri, though I did us curl -k (insecure) and the side car can get valid responses from the keycloak server. Below is showing that I don’t think I even have the JWT setup correctly, ultimately I want to use Istio 1.2 RBAC to check claims in the JWT. But I am failing at the first step…

My Policy:

kind: Policy
metadata:
name: my-authn-policy
namespace: pj-test
spec:
targets:

• name: userservice
  origins:
• jwt:
  issuer: “https://foo.bar/auth/realms/TEST/”
  jwksUri: “https://foo.bar/auth/realms/TEST/protocol/openid-connect/certs”
  trigger_rules:
  • excluded_paths:
    • exact: /health
    • exact: /healthz/ready
    • prefix: /grpc.reflection.v1alpha.ServerReflection/
  • included_paths:
    • prefix: /users/
      originIsOptional: false
      principalBinding: USE_ORIGIN

My Test Case:

curl -v -X GET -ik -H @authN-headers.txt https://userservice-pj-test.apps.com/users/v1/smith

HTTP/1.1 401 Unauthorized
content-length: 29
content-type: text/plain
date: Tue, 02 Jun 2020 19:28:51 GMT
server: istio-envoy
x-envoy-decorator-operation: userservice.pj-test.svc.cluster.local:8080/*
Set-Cookie: 95f907172b625a7ea52c6b6f91381f9d=603b167cbcb452d66f3b0bd33bf819fb; path=/; HttpOnly; Secure

Origin authentication failed.

LOGS for Envoy Container/Sidecar

[2020-06-02 18:59:42.256][28][debug][filter] [external/envoy/source/extensions/filters/listener/original_dst/original_dst.cc:18] original_dst: New connection accepted
[2020-06-02 18:59:42.257][28][debug][filter] [src/envoy/http/mixer/filter.cc:47] Called Mixer::Filter : Filter
[2020-06-02 18:59:42.257][28][debug][filter] [src/envoy/http/mixer/filter.cc:154] Called Mixer::Filter : setDecoderFilterCallbacks
[2020-06-02 18:59:42.257][28][debug][filter] [src/envoy/http/jwt_auth/jwt_authenticator.cc:82] Jwt authentication starts
[2020-06-02 18:59:42.257][28][debug][filter] [src/envoy/http/jwt_auth/jwt_authenticator.cc:243] Jwt authentication completed with: OK
[2020-06-02 18:59:42.257][28][debug][filter] [src/envoy/http/jwt_auth/jwt_authenticator.cc:246] The value of allow_missing_or_failed in AuthFilterConfig is: true
[2020-06-02 18:59:42.257][28][debug][filter] [src/envoy/http/jwt_auth/http_filter.cc:61] JwtVerificationFilter::onDone with status OK
[2020-06-02 18:59:42.258][28][debug][filter] [src/envoy/http/authn/http_filter.cc:54] AuthenticationFilter::decodeHeaders with config
policy {
origins {
jwt {
issuer: “https://foo.bar/auth/realms/FOO/”
jwks_uri: “https://foo.bar/auth/realms/FOO/protocol/openid-connect/certs”
trigger_rules {
excluded_paths {
exact: “/health”
}
excluded_paths {
exact: “/healthz/ready”
}
excluded_paths {
prefix: “/grpc.reflection.v1alpha.ServerReflection/”
}
}
trigger_rules {
included_paths {
prefix: “/users/”
}
}
}
}
principal_binding: USE_ORIGIN
}
jwt_output_payload_locations {
key: “https://foo.bar/auth/realms/FOO/”
value: “istio-sec-be2eafa87c7d323a2fbbad687dad18e5f37c4d7f”
}

[2020-06-02 18:59:42.258][28][debug][filter] [src/envoy/http/authn/peer_authenticator.cc:36] No method defined. Skip source authentication.
[2020-06-02 18:59:42.258][28][debug][filter] [src/envoy/http/authn/origin_authenticator.cc:52] Got request path /users/v1/smith
[2020-06-02 18:59:42.258][28][debug][filter] [src/envoy/http/authn/origin_authenticator.cc:66] Validating request path /users/v1/smith for jwt issuer: “https://foo.bar/auth/realms/FOO/”
jwks_uri: “https://foo.bar/auth/realms/FOO/protocol/openid-connect/certs”
trigger_rules {
excluded_paths {
exact: “/health”
}
excluded_paths {
exact: “/healthz/ready”
}
excluded_paths {
prefix: “/grpc.reflection.v1alpha.ServerReflection/”
}
}
trigger_rules {
included_paths {
prefix: “/users/”
}
}

[2020-06-02 18:59:42.258][28][debug][filter] [src/envoy/http/authn/filter_context.cc:81] No dynamic_metadata found for filter jwt-auth
[2020-06-02 18:59:42.258][28][debug][filter] [src/envoy/http/authn/origin_authenticator.cc:85] Origin authenticator failed
[2020-06-02 18:59:42.258][28][debug][filter] [src/envoy/http/mixer/filter.cc:141] Called Mixer::Filter : encodeHeaders 0
[2020-06-02 18:59:42.258][28][debug][filter] [src/envoy/http/authn/http_filter.cc:48] Called AuthenticationFilter : onDestroy
[2020-06-02 18:59:42.258][28][debug][filter] [src/envoy/http/mixer/filter.cc:214] Called Mixer::Filter : onDestroy state: 0
[2020-06-02 18:59:42.258][28][debug][filter] [src/envoy/http/mixer/filter.cc:228] Called Mixer::Filter : log
[2020-06-02 18:59:42.258][28][debug][filter] [./src/envoy/http/mixer/report_data.h:144] No dynamic_metadata found for filter envoy.filters.http.rbac
[2020-06-02 18:59:42.259][28][debug][filter] [src/istio/control/client_context_base.cc:140] Report attributes: attributes {
key: “connection.mtls”
value {
bool_value: false
}
}
attributes {
key: “context.protocol”
value {
string_value: “http”
}
}
attributes {
key: "context.prox
[2020-06-02 18:59:43.257][28][debug][filter] [./src/envoy/utils/header_update.h:46] Mixer forward attributes set: CjcKCnNvdXJjZS51aWQSKRIna3ViZXJuZXRlczovL3VzZXJzZXJ2aWNlLTItOHBiNGYucGotYW1l
[2020-06-02T18:59:42.257Z] “GET /users/v1/smith HTTP/1.1” 401 - “-” “-” 0 29 1 - “10.24.1.1” “curl/7.29.0” “3023eb4c-5e2f-940e-b0e9-d4fdc2566cd1” “userservice-pj-test.apps.com” “-” - - 10.130.3.239:8080 10.24.1.1:0 -