End-user authentication with JWT
Before Start
You should have NO virtualservice, destinationrule, gateway or policy (in
The idea is to start from zero so there is no
In this chapter, we are going to see how to enable end-user authentication with Istio. At the time of writing this chapter, only the JWT mechanism is supported.
Enabling End-User Authentication
Now it is time to enable end-user authentication.
The first thing you need to do is run the request below and validate that, for now, it is still possible to communicate between all services without being authenticated.
curl $GATEWAY_URL/customer
customer => preference => recommendation v1 from 'recommendation-v1-b4d67bcb7-7rp88': 4
Then run:
kubectl create -f istiofiles/enduser-authentication-jwt.yml
Then let’s run the curl again with an invalid token:
curl $GATEWAY_URL/customer -H "Authorization: Bearer eyJhbGciOiJSUzI1NiIsImtpZCI6IkRIRmJwb0lVcXJZOHQyenBBMnFYZkNtcjVWTzVaRXI0UnpIVV8tZW52dlEiLCJ0eXAiOiJKV1QifQ.eyJleHAiOjQ2ODU5ODk3MDAsImZvbyI6ImJhciIsImlhdCI6MTUzMjM4OTcwMCwiaXNzIjoidGVzdGluZ0BzZWN1cmUuaXN0aW8uaW8iLCJzdWIiOiJ0ZXN0aW5nQHNlY3VyZS5pc3Rpby5pbyJ9.CfNnxWP2tcnR9q0vxyxweaF3ovQYHYZl82hAUsn21bwQd9zP7c-LS9qd_vpdLG4Tn1A15NxfCjp5f7QNBUo-KC9PJqYpgGbaXhaGx7bEdFWjcwv3nZzvc7M__ZpaCERdwU7igUmJqYGBYQ51vr2njU9ZimyKkfDe3axcyiBZde7G6dabliUosJvvKOPcKIWPccCgefSj_GNfwIip3-SsFdlR7BtbVUcqR-yv-XOxJ3Uc1MI0tz3uMiiZcyPV7sNCU4KRnemRIMHVOfuvHsU60_GhGbiSFzgPTAa9WTltbnarTbxudb_YEOx12JiwYToeX0DCPb43W1tzIBxgm8NxUU"
Origin Jwt verification fails
Now the communication is refused because the user has not been identified (no valid JWT token was provided).
To get a valid token, run the following curl request.
token=$(curl https://gist.githubusercontent.com/lordofthejars/a02485d70c99eba70980e0a92b2c97ed/raw/f16b938464b01a2e721567217f672f11dc4ef565/token.simple.jwt -s)
echo $token
Then let’s repeat the request, this time passing the token stored in the token variable.
curl -H "Authorization: Bearer $token" $GATEWAY_URL/customer
customer => preference => recommendation v1 from 'recommendation-v1-b4d67bcb7-7rp88': 4
Now change some part of the token and send the request again; you’ll notice that the request is refused, because the signature no longer matches the modified content.
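To see what the proxy is actually checking, the following added Python example (not part of the tutorial or of Istio) decodes the token from the curl request above, applies the claim checks a JWT origin policy performs before the signature (issuer match and expiry), and rebuilds the token with one claim changed while keeping the original signature, which is exactly the "change some part of the token" test. The policy issuer is an assumption, since the chapter's enduser-authentication-jwt.yml is not shown; Istio itself also verifies the RS256 signature with the key whose kid matches the header, fetched from the policy's jwksUri, which this script cannot do offline.

```python
import base64
import json
import time

# Token copied from the chapter's curl example (the "invalid token" request).
PAGE_TOKEN = (
    "eyJhbGciOiJSUzI1NiIsImtpZCI6IkRIRmJwb0lVcXJZOHQyenBBMnFYZkNtcjVWTzVaRXI0UnpIVV8tZW52dlEiLCJ0eXAiOiJKV1QifQ."
    "eyJleHAiOjQ2ODU5ODk3MDAsImZvbyI6ImJhciIsImlhdCI6MTUzMjM4OTcwMCwiaXNzIjoidGVzdGluZ0BzZWN1cmUuaXN0aW8uaW8iLCJzdWIiOiJ0ZXN0aW5nQHNlY3VyZS5pc3Rpby5pbyJ9."
    "CfNnxWP2tcnR9q0vxyxweaF3ovQYHYZl82hAUsn21bwQd9zP7c-LS9qd_vpdLG4Tn1A15NxfCjp5f7QNBUo-KC9PJqYpgGbaXhaGx7bEdFWjcwv3nZzvc7M__ZpaCERdwU7igUmJqYGBYQ51vr2njU9ZimyKkfDe3axcyiBZde7G6dabliUosJvvKOPcKIWPccCgefSj_GNfwIip3-SsFdlR7BtbVUcqR-yv-XOxJ3Uc1MI0tz3uMiiZcyPV7sNCU4KRnemRIMHVOfuvHsU60_GhGbiSFzgPTAa9WTltbnarTbxudb_YEOx12JiwYToeX0DCPb43W1tzIBxgm8NxUU"
)
# Assumed policy issuer: the chapter's enduser-authentication-jwt.yml is not
# shown, so this placeholder simply matches the token's own "iss" claim.
POLICY_ISSUER = "testing@secure.istio.io"

def b64url_decode(part):
    """JWT segments are base64url without '=' padding; restore it before decoding."""
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))

def decode_jwt(token):
    """Split a compact JWT into (header, claims, signature). No verification here."""
    header_b64, payload_b64, signature_b64 = token.split(".")
    return (json.loads(b64url_decode(header_b64)),
            json.loads(b64url_decode(payload_b64)), signature_b64)

def claim_failures(claims, issuer, now=None):
    """Reasons an Istio-style origin policy rejects these claims before the
    signature check (issuer mismatch, expiry); an empty list means claims pass."""
    now = int(time.time()) if now is None else now
    failures = []
    if claims.get("iss") != issuer:
        failures.append("issuer mismatch: %r" % claims.get("iss"))
    if "exp" in claims and now >= claims["exp"]:
        failures.append("expired at %d" % claims["exp"])
    return failures

def tamper(token, claim, value):
    """Change one claim but keep the ORIGINAL signature (the chapter's tamper test).
    The claims still decode, but the signature no longer covers header.payload,
    so a verifying proxy refuses the token; only a non-verifying parser accepts it."""
    header_b64, payload_b64, signature_b64 = token.split(".")
    claims = json.loads(b64url_decode(payload_b64))
    claims[claim] = value
    raw = json.dumps(claims, separators=(",", ":"), sort_keys=True).encode()
    return ".".join([header_b64, base64.urlsafe_b64encode(raw).rstrip(b"=").decode(), signature_b64])

if __name__ == "__main__":
    header, claims, _ = decode_jwt(PAGE_TOKEN)
    print("alg/kid:", header["alg"], header["kid"], "claims:", claims)
    print("pre-signature failures:", claim_failures(claims, POLICY_ISSUER))
    print("tampered sub:", decode_jwt(tamper(PAGE_TOKEN, "sub", "x@example.com"))[1]["sub"])
```

Because the claims and expiry of the page's token are fine, the "Origin Jwt verification fails" response above can only come from the issuer or signature/key check, which is why decoded claims must never be trusted before the signature has been verified.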
In this chapter you’ve seen how to enable end-user authentication with JWT. You should also keep mTLS enabled, so that an attacker cannot capture the bearer token in transit and replay it. Check the mTLS section to learn more about mTLS and Istio.