Skip to content

feiyao/istio_authn-authz_jwt

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

9 Commits

images

images

 
 

istio

istio

 
 

README.md

README.md

 
 

kustomization.yaml

kustomization.yaml

 
 

Repository files navigation

Istio authN/Z with JWT

Table of contents

Installation

We will install Istio, Istio-Ingressgateway into a local cluster created by K3d. For the demo purpose we'll also need to install httpbin service.

Install Istio

Please follow the Istio-Installation-Guide for the installation.

Install Application

% kubectl apply -f https://raw.githubusercontent.com/istio/istio/release-1.14/samples/httpbin/httpbin.yaml
serviceaccount/httpbin created
service/httpbin created
deployment.apps/httpbin created

Install Istio Gateway, VirtualService, PeerAuthentication, RequestAuthentication, AuthorizationPolicy.

$ kubectl apply -k ./
gateway.networking.istio.io/httpbin-gateway created
virtualservice.networking.istio.io/httpbin created
authorizationpolicy.security.istio.io/require-jwt-httpbin created
authorizationpolicy.security.istio.io/deny-jwt-gw created
authorizationpolicy.security.istio.io/deny-by-default created
peerauthentication.security.istio.io/default created
requestauthentication.security.istio.io/jwt-authn-httpbin created
requestauthentication.security.istio.io/jwt-authn-gw created

Setup Auth0

Signin Auth0 (with a free account), and create an API.

  1. Create an API with Name as httpbin, and Identifier https://httpbin/api create

  2. Grant permission for this API as read:messages permission

  3. Enable permission enable-permission

  4. Get Access Token for the API

$ CLIENT_ID=<client_id>
$ CLIENT_SECRET=<client_secret>

$ TOKEN=$(curl --request POST \
  --url https://dev-wl5b26zy.us.auth0.com/oauth/token \
  --header 'content-type: application/json' \
  --data '{"client_id":"'"$CLIENT_ID"'","client_secret":"'"$CLIENT_SECRET"'","audience":"https://httpbin/api","grant_type":"client_credentials"}' | jq -r .access_token)

Test

Check AuthorizationPolicy:

$ istioctl x authz check deploy/httpbin                                      
ACTION   AuthorizationPolicy           RULES
ALLOW    require-jwt-httpbin.default   1
ALLOW    _anonymous_match_nothing_     1

$ istioctl x authz check deploy/istio-ingressgateway-1-14-1 -n istio-gateway
ACTION   AuthorizationPolicy         RULES
DENY     deny-jwt-gw.istio-gateway   1

Success Req:

$ curl -i -H "Authorization:Bearer ${TOKEN}" http://localhost:8080/status/200
HTTP/1.1 200 OK
server: istio-envoy
date: Fri, 22 Jul 2022 17:35:45 GMT
content-type: text/html; charset=utf-8
access-control-allow-origin: *
access-control-allow-credentials: true
content-length: 0
x-envoy-upstream-service-time: 2

Failure Req:

$ curl -i http://localhost:8080/status/200
HTTP/1.1 403 Forbidden
content-length: 19
content-type: text/plain
date: Fri, 22 Jul 2022 18:17:08 GMT
server: istio-envoy

RBAC: access denied

Failure Req:

$ curl -i -H "Authorization:Bearer unknown" http://localhost:8080/status/200
HTTP/1.1 401 Unauthorized
www-authenticate: Bearer realm="http://localhost:8080/status/200", error="invalid_token"
content-length: 79
content-type: text/plain
date: Fri, 22 Jul 2022 18:17:43 GMT
server: istio-envoy

Jwt is not in the form of Header.Payload.Signature with two dots and 3 sections

About

Istio AuthN/Z with JWT Token

Resources

Readme
Activity

Stars

0 stars

Watchers

1 watching

Forks

0 forks
Report repository

Releases

No releases published

Packages

No packages published