Is it possible to send WWW-Authenticate: bearer
in a JWT policy failure response? For example, this policy:
```yaml
apiVersion: authentication.istio.io/v1alpha1
kind: Policy
metadata:
  name: mhite-elbgateway-jwt
  namespace: istio-system
spec:
  targets:
  - name: mhite-elbgateway
  origins:
  - jwt:
      issuer: "https://accounts.google.com"
      audiences:
      - 407408718192.apps.googleusercontent.com
      jwksUri: "https://www.googleapis.com/oauth2/v3/certs"
      # excludedPaths belongs under the jwt rule's triggerRules list
      triggerRules:
      - excludedPaths:
        - exact: "/"
  principalBinding: USE_ORIGIN
```
When I send a bogus token in a request, I see:

```text
* Connection state changed (MAX_CONCURRENT_STREAMS updated)!
< HTTP/2 401
< content-length: 29
< content-type: text/plain
< date: Mon, 23 Mar 2020 18:33:07 GMT
< server: istio-envoy
< via: 1.1 google
< alt-svc: clear
<
Origin authentication failed.
```
It would be fantastic to support errors here, too, i.e.:

```text
HTTP/1.1 401 Unauthorized
WWW-Authenticate: error="invalid_token",
error_description="The Access Token expired"
```
It would be nice to propagate these error codes:
(Envoy uses jwt_verify_lib)
Right now, to even see these, you have to turn on Istio DEBUG logs.
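The challenge format the request above asks for is the one RFC 6750 defines for `Bearer` (note the scheme token before the parameters, and `error="invalid_token"` for expired or otherwise unverifiable tokens). The following is an added example, not Istio or Envoy code: it builds such a header from a gateway-internal verification outcome and parses one on the client side. The outcome names and descriptions in the mapping are constructed for illustration and are not jwt_verify_lib's status names.

```python
"""Build and parse RFC 6750 Bearer challenges carried in WWW-Authenticate."""
import re
from typing import Dict, Optional, Tuple

# Constructed mapping: gateway-internal verification outcome -> RFC 6750
# error code and a human-readable description. A missing token yields a
# bare challenge with no error code, as RFC 6750 section 3.1 prescribes.
JWT_FAILURE_TO_RFC6750: Dict[str, Tuple[Optional[str], Optional[str]]] = {
    "missing_token":  (None, None),
    "bad_format":     ("invalid_token", "The Access Token is malformed"),
    "expired":        ("invalid_token", "The Access Token expired"),
    "not_yet_valid":  ("invalid_token", "The Access Token is not yet valid"),
    "bad_signature":  ("invalid_token", "The Access Token signature is invalid"),
    "wrong_audience": ("invalid_token", "The Access Token audience is not allowed"),
    "unknown_issuer": ("invalid_token", "The Access Token issuer is unknown"),
}


def _quote(value: str) -> str:
    """Encode value as an HTTP quoted-string; reject control characters."""
    if any(ord(c) < 0x20 or ord(c) == 0x7F for c in value):
        raise ValueError("control characters are not allowed in header parameters")
    return '"' + value.replace("\\", "\\\\").replace('"', '\\"') + '"'


def bearer_challenge(failure: str, realm: Optional[str] = None) -> str:
    """Return the WWW-Authenticate value for a 401 caused by `failure`."""
    error, description = JWT_FAILURE_TO_RFC6750[failure]
    params = []
    if realm is not None:
        params.append("realm=" + _quote(realm))
    if error is not None:
        params.append("error=" + _quote(error))
        params.append("error_description=" + _quote(description))
    return "Bearer" + (" " + ", ".join(params) if params else "")


# auth-param: token "=" ( token / quoted-string ), comma separated
_PARAM = re.compile(r'\s*([A-Za-z0-9_-]+)\s*=\s*(?:"((?:[^"\\]|\\.)*)"|([^\s,]+))\s*(?:,|$)')


def parse_bearer_challenge(header: str) -> Dict[str, str]:
    """Parse a Bearer challenge into its parameters; {} if scheme is not Bearer."""
    scheme, _, rest = header.strip().partition(" ")
    if scheme.lower() != "bearer":
        return {}
    params: Dict[str, str] = {}
    for m in _PARAM.finditer(rest):
        raw = m.group(2) if m.group(2) is not None else m.group(3)
        params[m.group(1).lower()] = re.sub(r"\\(.)", r"\1", raw)  # unescape quoted-pairs
    return params
```

A client that sees `error="invalid_token"` can refresh and retry, which the plain-text body "Origin authentication failed." does not allow it to decide.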