End-user authentication with JWT
Before You Start
You should have NO virtualservice, destinationrule, gateway or policy (in
The idea is to start from zero so there is no
In this chapter, we are going to see how to enable end-user authentication with Istio. At the time of writing this chapter, only the JWT mechanism is supported.
Enabling End-User Authentication
Now it is time to enable end-user authentication.
The first thing you need to do is run the curl command and validate that, for now, it is still possible to communicate between all services without being authenticated.
export INGRESS_PORT=$(kubectl -n istio-system get service istio-ingressgateway -o jsonpath='{.spec.ports[?(@.name=="http2")].nodePort}')
curl $(minikube ip):$INGRESS_PORT/customer
customer => preference => recommendation v1 from 'b4d67bcb7-7rp88': 4
Then run:
kubectl create -f istiofiles/enduser-authentication-jwt.yml
Then let's run the curl again:
curl $(minikube ip):$INGRESS_PORT/customer
Origin authentication failed.
Now the communication is refused because the caller has not been authenticated (it did not present a valid JWT token).
To get a valid token, run the next curl request.
token=$(curl https://gist.githubusercontent.com/lordofthejars/a02485d70c99eba70980e0a92b2c97ed/raw/f16b938464b01a2e721567217f672f11dc4ef565/token.simple.jwt -s)
echo $token
Then let's repeat the request, this time passing the token stored in the token variable.
curl -H "Authorization: Bearer $token" $(minikube ip):$INGRESS_PORT/customer
customer => preference => recommendation v1 from 'b4d67bcb7-7rp88': 4
Now change some part of the token and send the request again; you'll notice that the request is refused.
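As an added example (not part of this tutorial or of the istio-tutorial project), the following POSIX shell script decodes the token's claims locally so you can confirm its issuer (iss) is the one the Policy is configured to trust, and then repeats the chapter's three requests (no token, valid token, tampered token) reporting only the HTTP status code. It assumes the gateway address is in GATEWAY, the token from the previous step is in the token variable, and SAMPLE_TOKEN is a constructed, unsigned token used only for offline inspection.

```shell
#!/bin/sh
# Added example, not from the tutorial: inspect a JWT locally and check the gateway's
# verdict with no token, a valid token and a tampered token.
# Assumes GNU/BSD base64 and curl; GATEWAY="$(minikube ip):$INGRESS_PORT"; $token from the chapter.

b64url() { base64 | tr -d '\n=' | tr '/+' '_-'; }   # base64url without padding

# Decode part $2 (1 = header, 2 = payload) of token $1. No signature check here:
# the Istio ingress verifies the signature against the issuer's JWKS.
jwt_part() {
  part=$(printf '%s' "$1" | cut -d. -f"$2" | tr '_-' '/+')
  case $(( ${#part} % 4 )) in        # restore the padding base64url strips
    2) part="${part}==" ;;
    3) part="${part}=" ;;
  esac
  printf '%s' "$part" | base64 -d
}

# Print claim $2 (string or number) from the payload of token $1.
jwt_claim() {
  jwt_part "$1" 2 | sed -n "s/.*\"$2\":\"\{0,1\}\([^\",}]*\)\"\{0,1\}.*/\1/p"
}
# Flip the last character of the payload: the signature no longer matches,
# so the gateway must refuse the token (the chapter's "change some part" check).
tamper() {
  hdr=$(printf '%s' "$1" | cut -d. -f1)
  pay=$(printf '%s' "$1" | cut -d. -f2)
  sig=$(printf '%s' "$1" | cut -d. -f3)
  body=${pay%?}; last=${pay#"$body"}
  case $last in A) last=B ;; *) last=A ;; esac
  printf '%s.%s%s.%s' "$hdr" "$body" "$last" "$sig"
}

# HTTP status of a GET to $1, with an optional Authorization header value in $2.
http_status() {
  if [ -n "$2" ]; then curl -s -o /dev/null -w '%{http_code}' -H "Authorization: $2" "$1"
  else curl -s -o /dev/null -w '%{http_code}' "$1"; fi
}

# Constructed, unsigned sample token for offline inspection only.
SAMPLE_TOKEN="$(printf '%s' '{"alg":"RS256","typ":"JWT"}' | b64url).$(printf '%s' '{"iss":"constructed-issuer.example","exp":4102444800}' | b64url).sig"

if [ -n "$GATEWAY" ]; then
  echo "issuer in token:  $(jwt_claim "$token" iss)"    # must be the issuer the Policy trusts
  echo "no token:         $(http_status "http://$GATEWAY/customer")"
  echo "valid token:      $(http_status "http://$GATEWAY/customer" "Bearer $token")"
  echo "tampered token:   $(http_status "http://$GATEWAY/customer" "Bearer $(tamper "$token")")"
fi
```

With the Policy applied, expect 401 for the unauthenticated and tampered requests and 200 for the valid one.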
In this chapter you've seen how to enable end-user authentication with JWT. You should also keep mTLS enabled so that an attacker cannot capture the token in transit. Check the mTLS section to learn more about mTLS and Istio.