Is it possible to send `WWW-Authenticate: bearer` in a JWT policy failure response? For example, this policy:
```yaml
apiVersion: authentication.istio.io/v1alpha1
kind: Policy
metadata:
  name: mhite-elbgateway-jwt
  namespace: istio-system
spec:
  targets:
  - name: mhite-elbgateway
  origins:
  - jwt:
      issuer: "https://accounts.google.com"
      audiences:
      - 407408718192.apps.googleusercontent.com
      jwksUri: "https://www.googleapis.com/oauth2/v3/certs"
      - excludedPaths:
        - exact: "/"
  principalBinding: USE_ORIGIN
```
When I send a bogus token in a request, I see:
```
* Connection state changed (MAX_CONCURRENT_STREAMS updated)!
< HTTP/2 401
< content-length: 29
< content-type: text/plain
< date: Mon, 23 Mar 2020 18:33:07 GMT
< server: istio-envoy
< via: 1.1 google
< alt-svc: clear
<
Origin authentication failed.
```
It would be fantastic to support errors here, too, i.e.:
```
HTTP/1.1 401 Unauthorized
WWW-Authenticate: error="invalid_token", error_description="The Access Token expired"
```
It would be nice to propagate these error codes:
(Envoy uses jwt_verify_lib)
Right now, to even see these, you have to turn on Istio DEBUG logs.
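As an added illustration of the response shape requested above (this is example code written for this page, not code from the issue, Istio, Envoy or jwt_verify_lib): a small Python check that verifies a JWT against the issuer and audience from the policy and, on failure, sets a `WWW-Authenticate` header in the RFC 6750 form. Two details of that form are worth seeing in code: the challenge always starts with the `Bearer` scheme (the sketch in the issue omits it), and `error`/`error_description` are only attached when a token was actually presented and rejected; a request with no token gets the bare `Bearer realm=...` challenge. The example uses HS256 with a constructed secret so it runs offline with the standard library (the policy above uses RS256 keys fetched from Google's JWKS); the realm name, the error descriptions and all function names are my own choices.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed HS256 secret for the demo. The Istio policy in the issue verifies RS256
# tokens against Google's JWKS; HS256 is used here only so the example runs offline.
DEMO_SECRET = b"constructed-demo-secret-not-for-production"
EXPECTED_ISSUER = "https://accounts.google.com"
EXPECTED_AUDIENCE = "407408718192.apps.googleusercontent.com"
REALM = "mhite-elbgateway"  # assumed realm name, taken from the policy's target


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def _b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()


def make_token(claims: dict, secret: bytes = DEMO_SECRET) -> str:
    """Mint an HS256 JWT as constructed test input (not a trusted issuer)."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"


class JwtError(Exception):
    """Verification failure carrying an RFC 6750 error code and a readable reason."""

    def __init__(self, code: str, description: str):
        super().__init__(description)
        self.code = code
        self.description = description


def verify_token(token: str, now: float, secret: bytes = DEMO_SECRET) -> dict:
    """Check structure, signature, issuer, audience and expiry; raise JwtError on failure."""
    parts = token.split(".")
    if len(parts) != 3:
        raise JwtError("invalid_token", "token is not of the form header.payload.signature")
    header_b64, payload_b64, sig_b64 = parts
    try:
        header = json.loads(_b64url_decode(header_b64))
        payload = json.loads(_b64url_decode(payload_b64))
        sig = _b64url_decode(sig_b64)
    except ValueError:  # covers binascii.Error, JSONDecodeError and UnicodeDecodeError
        raise JwtError("invalid_token", "header or payload is not base64url-encoded JSON")
    if header.get("alg") != "HS256":
        raise JwtError("invalid_token", "unsupported signing algorithm")
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):
        raise JwtError("invalid_token", "signature verification failed")
    if payload.get("iss") != EXPECTED_ISSUER:
        raise JwtError("invalid_token", "issuer is not trusted")
    aud = payload.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]
    if EXPECTED_AUDIENCE not in audiences:
        raise JwtError("invalid_token", "audience is not allowed")
    if "exp" in payload and payload["exp"] < now:
        raise JwtError("invalid_token", "The Access Token expired")
    return payload


def www_authenticate(error=None) -> str:
    """Build the RFC 6750 challenge: always the Bearer scheme, error attributes only
    when a presented token was rejected."""
    value = f'Bearer realm="{REALM}"'
    if error is not None:
        desc = error.description.replace('"', '\\"')  # keep the quoted-string well formed
        value += f', error="{error.code}", error_description="{desc}"'
    return value


def check_request(authorization, now=None):
    """Return (status, headers) for a request's Authorization header value (None if absent)."""
    now = time.time() if now is None else now
    if authorization is None or not authorization.startswith("Bearer "):
        # No bearer token presented: challenge without an error code (RFC 6750 section 3.1).
        return 401, {"WWW-Authenticate": www_authenticate()}
    try:
        verify_token(authorization[len("Bearer "):].strip(), now)
    except JwtError as e:
        return 401, {"WWW-Authenticate": www_authenticate(e)}
    return 200, {}


if __name__ == "__main__":
    base = {"iss": EXPECTED_ISSUER, "aud": EXPECTED_AUDIENCE}
    good = make_token({**base, "exp": int(time.time()) + 600})
    expired = make_token({**base, "exp": int(time.time()) - 600})
    for label, auth in [("valid", f"Bearer {good}"), ("expired", f"Bearer {expired}"),
                        ("bogus", "Bearer not-a-jwt"), ("missing", None)]:
        status, headers = check_request(auth)
        print(label, status, headers.get("WWW-Authenticate", ""))
```

The mapping from verification failure to `error_description` is where a proxy would plug in the verifier's own status (the jwt_verify_lib status the issue asks to propagate); the header-building part is independent of that and is what makes the failure visible to the client without DEBUG logs.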