End-user authentication with JWT
Before you start
You should have NO virtualservice, destinationrule, gateway or policy (in
The idea is to start from zero so there is no
In this chapter, we are going to see how to enable end-user authentication with Istio. At the time of writing this chapter, only the JWT mechanism is supported.
Enabling End-User Authentication
Now it is time to enable end-user authentication.
The first thing you need to do is run a curl request against the customer service through istio-ingressgateway-istio-system.$(minishift ip).nip.io
and validate that, with no policy in place, it is still possible to communicate between all services without being authenticated.
curl http://istio-ingressgateway-istio-system.$(minishift ip).nip.io/customer
customer => preference => recommendation v1 from 'b4d67bcb7-7rp88': 4
Then run:
kubectl create -f istiofiles/enduser-authentication-jwt.yml
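For reference, an Istio authentication Policy that requires a JWT on the customer service has the following shape. This is an illustrative example added here, not the contents of istiofiles/enduser-authentication-jwt.yml; the policy name, namespace, issuer and jwksUri are assumptions and must match the token you actually present.

```yaml
apiVersion: authentication.istio.io/v1alpha1
kind: Policy
metadata:
  name: customer-jwt            # assumption: not the name used in the tutorial file
  namespace: tutorial           # assumption: namespace the demo services run in
spec:
  targets:
  - name: customer              # only the customer service requires an end-user token
  origins:
  - jwt:
      # assumption: issuer (iss claim) and key set must match the token you present
      issuer: "testing@secure.istio.io"
      jwksUri: "https://raw.githubusercontent.com/istio/istio/release-1.0/security/tools/jwt/samples/jwks.json"
  principalBinding: USE_ORIGIN  # the request principal is the end user from the JWT, not the calling workload
```

Two things to check before applying a policy like this: the proxy must be able to fetch the jwksUri (otherwise every request fails closed), and the issuer must match the iss claim exactly, since a token from any other issuer is refused even if its signature is valid. On current Istio releases the same intent is expressed with a RequestAuthentication resource (security.istio.io/v1beta1); note that RequestAuthentication alone only rejects requests carrying an invalid token, and an AuthorizationPolicy with requestPrincipals is needed to reject requests that carry no token at all.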
Then let’s run the curl again:
curl http://istio-ingressgateway-istio-system.$(minishift ip).nip.io/customer
Origin authentication failed.
Now the request is rejected, because the caller has not been identified: no valid JWT was presented.
To get a valid token, run the following curl request:
token=$(curl https://gist.githubusercontent.com/lordofthejars/a02485d70c99eba70980e0a92b2c97ed/raw/f16b938464b01a2e721567217f672f11dc4ef565/token.simple.jwt -s)
echo $token
Then repeat the request, this time passing the token stored in the token variable:
curl -H "Authorization: Bearer $token" http://istio-ingressgateway-istio-system.$(minishift ip).nip.io/customer
customer => preference => recommendation v1 from 'b4d67bcb7-7rp88': 4
Now change any part of the token (header, payload or signature) and send the request again; the request is refused, because the signature covers the header and the payload, so any modification invalidates it.
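The refusal in the last step follows from how a JWT is built: the signature is computed over the encoded header and payload, so an edit to either part, or to the signature itself, fails verification. The following Python example, added here and not part of the tutorial or of Istio, reproduces the checks an origin-authentication policy performs (structure, algorithm, signature, issuer, expiry) and shows a tampered token being refused. Istio verifies RS256 signatures against the JWKS named in the policy; to stay dependency-free this example signs with HS256 and a constructed shared secret, and the issuer value is an assumption.

```python
"""Minimal JWT verification mirroring Istio origin (end-user) authentication.

Added example, not tutorial or Istio code. Istio checks RS256 signatures
against a JWKS; this example uses HS256 with a constructed shared secret so
it runs offline. The checks are the same: well-formed token, known algorithm,
valid signature over header.payload, trusted issuer, and unexpired token.
"""
import base64
import hashlib
import hmac
import json
import time

SECRET = b"demo-shared-secret"        # constructed secret, not a real key
ISSUER = "testing@secure.istio.io"    # assumption: issuer the policy trusts


def _b64url_encode(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _encode_json(obj):
    return _b64url_encode(json.dumps(obj, separators=(",", ":")).encode())


def sign_token(claims, secret=SECRET):
    """Build a compact JWT: b64url(header).b64url(payload).b64url(HMAC-SHA256)."""
    signing_input = _encode_json({"alg": "HS256", "typ": "JWT"}) + "." + _encode_json(claims)
    sig = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url_encode(sig)


def verify_token(token, secret=SECRET, issuer=ISSUER, now=None):
    """Return (accepted, reason), applying the checks an origin-auth policy applies."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        return False, "malformed token"
    header_b64, payload_b64, sig_b64 = parts
    try:
        header = json.loads(_b64url_decode(header_b64))
        payload = json.loads(_b64url_decode(payload_b64))
        sig = _b64url_decode(sig_b64)
    except ValueError:
        return False, "undecodable header or payload"
    # Pin the algorithm: never let the token's own alg field select "none"
    # or switch the verifier to a different scheme.
    if header.get("alg") != "HS256":
        return False, "unsupported alg"
    expected = hmac.new(secret, (header_b64 + "." + payload_b64).encode("ascii"),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):
        return False, "signature mismatch"
    if payload.get("iss") != issuer:
        return False, "unknown issuer"
    if "exp" in payload and now >= payload["exp"]:
        return False, "token expired"
    return True, "ok"


def tamper_payload(token, **changes):
    """Re-encode the payload with changed claims but keep the original signature.
    This is what 'change some part of the token' amounts to."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    payload = json.loads(_b64url_decode(payload_b64))
    payload.update(changes)
    return header_b64 + "." + _encode_json(payload) + "." + sig_b64


if __name__ == "__main__":
    good = sign_token({"iss": ISSUER, "sub": "alice", "exp": 2000000000})
    print("valid token:   ", verify_token(good))
    print("edited payload:", verify_token(tamper_payload(good, sub="mallory")))
    print("other issuer:  ", verify_token(sign_token({"iss": "other", "exp": 2000000000})))
```

Run as a script to see the verdicts; in the tutorial the same verdicts come back from the ingress gateway as a 200 response or an "Origin authentication failed." error. Note that the signature check proves only that the token was minted by the key holder; whoever holds the token can replay it, which is why the tutorial pairs this policy with mTLS.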
In this chapter you've seen how to enable end-user authentication with JWT. You should also keep mTLS enabled, so that an attacker cannot capture the token on the wire and replay it. Check the mTLS section to learn more about mTLS and Istio.