RBAC: access denied using JWT with multiple audiences

Hi,

I have a JWT with two audiences:

  "aud": [
    "workspace-test1",
    "workspace-test2"
  ],

This token allows me access to a service with an authorization policy configured for the first audience in the list:

action: ALLOW
rules:
- from:
  - source:
      requestPrincipals:
      - '*'
  when:
  - key: request.auth.audiences
    values:
    - workspace-test1

But it returns 403: rbac: access denied with the second audience in the list:

action: ALLOW
rules:
- from:
  - source:
      requestPrincipals:
      - '*'
  when:
  - key: request.auth.audiences
    values:
    - workspace-test2

Does Istio 1.6.8 support multiple audiences in the JWT? (We recently upgraded from Istio 1.1, where this configuration was working.)
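
A diagnostic for the situation described in the question above, as an added example that is not part of the original post and is not Istio's code: it decodes a token's payload without verifying the signature and reports where each policy value sits in the `aud` claim, which RFC 7519 allows to be a single string or an array of strings. The function names and the sample token are constructed for illustration.

```python
import base64
import json


def _b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def jwt_claims(token: str) -> dict:
    """Return the payload claims WITHOUT verifying the signature (diagnostics only)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS: expected header.payload.signature")
    claims = json.loads(_b64url_decode(parts[1]))
    if not isinstance(claims, dict):
        raise ValueError("JWT payload is not a JSON object")
    return claims


def audiences(claims: dict) -> list:
    """Normalise 'aud': RFC 7519 allows a single string or an array of strings."""
    aud = claims.get("aud")
    if aud is None:
        return []
    if isinstance(aud, str):
        return [aud]
    if isinstance(aud, list) and all(isinstance(a, str) for a in aud):
        return aud
    raise ValueError("'aud' must be a string or an array of strings")


def audience_report(token: str, policy_values: list) -> dict:
    """Map each policy value to its index in the token's 'aud' list, or None if absent."""
    aud = audiences(jwt_claims(token))
    return {v: (aud.index(v) if v in aud else None) for v in policy_values}


def make_sample_token(claims: dict) -> str:
    """Build a constructed sample token (placeholder signature) so this runs offline."""
    enc = lambda obj: base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'RS256', 'typ': 'JWT'})}.{enc(claims)}.sig"


if __name__ == "__main__":
    token = make_sample_token({"aud": ["workspace-test1", "workspace-test2"]})
    print(audience_report(token, ["workspace-test1", "workspace-test2"]))
```

If both policy values are reported as present, the token itself carries the expected audiences and the investigation moves to how the proxy evaluates `request.auth.audiences`.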

Hi Mark,

Thanks for your post. Could you try looking into the RBAC debug log following this guide?
I will also try to reproduce the issue on my side. Thanks.