Struggling with JWT auth

averageIstioEnjoyer · December 7, 2021, 6:08pm

Hi! I’m really struggling with JWT auth config. I have two seperate apps in different namespaces that are using the same istio-ingress gateway (Gateway resource) with seperate virtual services. One of the apps need JWT authentication while the other one does not which does not allow me to use the approach mentioned in the docs that uses a RequestAuthentication/AuthorizationPolicy pair in the istio-system namepsace, attached to the ingress gateway directly.

What I wanted to do and I thought was possible, is to use workload labels, as mentioned in the docs. Both my apps have app labels assigned with their respective values. However when I deploy the following manifest along with my app that requires JWT auth, it is not taking any effect. No matter what I type in to the issuer, requestPrincipals field - it seems that envoy is not picking up this config at all even though the resources are created properly, in the apps namespace.

When I tried applying the “root” RequestAuthentication/AuthorizationPolicy pair attached to the istio Gateway resource that resides in the istio-system namespace the JWT auth seemed to work as I received an RBAC: access denied message on my other app.

Any idea what I am missing? Do I need some labels in my VirtualService resource? I attached my VirtualService config as well in case I messed something up there.

---
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: "test-vs"
spec:
  hosts:
  - "test.test.cloud"
  gateways:
  - istio-system/gateway
  http:
  - name: "test-users-api-route"
    match:
    - uri:
        prefix: "/api/test"
    route:
    - destination:
        host: "test-users.default.svc.cluster.local"
        port:
          number: 4000
---
apiVersion: security.istio.io/v1beta1
kind: RequestAuthentication
metadata:
  name: "test-jwt"
spec:
  selector:
    matchLabels:
      app: "test-users"
  jwtRules:
  - issuer: https://test-keycloak.test.cloud/auth/realms/test
    jwksUri: https://test-keycloak.test.cloud/auth/realms/test/protocol/openid-connect/certs
---
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: "test-jwt"
spec:
  selector:
    matchLabels:
      app: "test-users"
  rules:
  - from:
    - source:
        requestPrincipals: ["*"]

YangminZhu · January 4, 2022, 10:12pm

You do not need the virtual service to make the RequestAuthentication/AuthorizationPolicy working, they are applied to different Envoy.

I would say to double check the matchLabels is matched with your apps, make sure it’s created in the correct namespace. If still not working, try collect some more logs using the istioctl bug-report command.

Topic		Replies	Views
Istio JWT authentication does not seem to be working Security	7	5001	January 27, 2021
Adding JWT authorization to an ingress gateway Security	2	631	June 24, 2021
Istio AuthorizationPolicy configuration issue: JWT authentication not working within specified namespace Security security	0	298	June 12, 2023
AuthorizationPolicy not Enforced Security security	2	875	October 8, 2020
Jwt issuer is not configured Security	0	1781	August 30, 2022

Struggling with JWT auth

Related Topics