End-user authentication with JWT

Before Start

You should have NO virtualservice, destinationrule, gateway or policy (in tutorial namespace) kubectl get virtualservice kubectl get destinationrule kubectl get gateway kubectl get policy if so run:

./scripts/clean.sh

The idea is to start from zero so there is no

In this chapter, we are going to see how to enable authenticating end user with Istio. At the time of writing this chapter, only the JWT mechanism is supported.

Enabling User-End Authentication

Now it is time to enable end-user authentication.

The first thing you need to do is run and validate that now it is still possible to communicate between all services without been authenticated.

curl $GATEWAY_URL/customer

customer => preference => recommendation v1 from 'recommendation-v1-b4d67bcb7-7rp88': 4

Then run:

kubectl create -f istiofiles/enduser-authentication-jwt.yml

Then let’s run the curl again with an invalid token:

curl $GATEWAY_URL/customer -H "Authorization: Bearer eyJhbGciOiJSUzI1NiIsImtpZCI6IkRIRmJwb0lVcXJZOHQyenBBMnFYZkNtcjVWTzVaRXI0UnpIVV8tZW52dlEiLCJ0eXAiOiJKV1QifQ.eyJleHAiOjQ2ODU5ODk3MDAsImZvbyI6ImJhciIsImlhdCI6MTUzMjM4OTcwMCwiaXNzIjoidGVzdGluZ0BzZWN1cmUuaXN0aW8uaW8iLCJzdWIiOiJ0ZXN0aW5nQHNlY3VyZS5pc3Rpby5pbyJ9.CfNnxWP2tcnR9q0vxyxweaF3ovQYHYZl82hAUsn21bwQd9zP7c-LS9qd_vpdLG4Tn1A15NxfCjp5f7QNBUo-KC9PJqYpgGbaXhaGx7bEdFWjcwv3nZzvc7M__ZpaCERdwU7igUmJqYGBYQ51vr2njU9ZimyKkfDe3axcyiBZde7G6dabliUosJvvKOPcKIWPccCgefSj_GNfwIip3-SsFdlR7BtbVUcqR-yv-XOxJ3Uc1MI0tz3uMiiZcyPV7sNCU4KRnemRIMHVOfuvHsU60_GhGbiSFzgPTAa9WTltbnarTbxudb_YEOx12JiwYToeX0DCPb43W1tzIBxgm8NxUU"

Origin Jwt verification fails

And now the communication is not possible because the user has not been identified (provides a valid JWT token).

To get a correct token, just run next curl request.

token=$(curl https://gist.githubusercontent.com/lordofthejars/a02485d70c99eba70980e0a92b2c97ed/raw/f16b938464b01a2e721567217f672f11dc4ef565/token.simple.jwt -s)

echo $token

Then let’s repeat the request but passing the token stored in token variable.

curl -H "Authorization: Bearer $token" $GATEWAY_URL/customer

customer => preference => recommendation v1 from 'recommendation-v1-b4d67bcb7-7rp88': 4

Now just change some part of the token and send the request again, you’ll notice that request is refused.

In this chapter you’ve seen how to enable end-user authentication with JWT.

Obviously, you should also keep enabled mTLS to avoid any attacker could take the token.

Check mTLS section to learn more about mTLS and Istio.

Clean Up

kubectl delete -f istiofiles/enduser-authentication-jwt.yml