End-user authentication with JWT

Before Start

You should have NO virtualservice, destinationrule, gateway or policy in the tutorial namespace. Check with:

kubectl get virtualservice
kubectl get destinationrule
kubectl get gateway
kubectl get policy

If any are present, run:

./scripts/clean.sh

The idea is to start from zero so there is no

In this chapter, we are going to see how to enable end-user authentication with Istio. At the time of writing this chapter, only the JWT mechanism is supported.

Enabling End-User Authentication

Now it is time to enable end-user authentication.

The first thing to do is run the curl command and confirm that, for now, it is still possible to communicate between all services without being authenticated.

export INGRESS_PORT=$(kubectl -n istio-system get service istio-ingressgateway -o jsonpath='{.spec.ports[?(@.name=="http2")].nodePort}')

curl $(minikube ip):$INGRESS_PORT/customer


customer => preference => recommendation v1 from 'b4d67bcb7-7rp88': 4

Then apply the end-user authentication policy (the same file that the Clean Up section removes):

kubectl create -f istiofiles/enduser-authentication-jwt.yml

Then let’s run the curl again:

curl $(minikube ip):$INGRESS_PORT/customer

Origin authentication failed.

Now the communication is refused because the request does not identify the user (it carries no valid JWT token).

To get a valid token, run the following curl request.

token=$(curl https://gist.githubusercontent.com/lordofthejars/a02485d70c99eba70980e0a92b2c97ed/raw/f16b938464b01a2e721567217f672f11dc4ef565/token.simple.jwt -s)

echo $token

Then let’s repeat the request, this time passing the token stored in the token variable.

curl -H "Authorization: Bearer $token" $(minikube ip):$INGRESS_PORT/customer

customer => preference => recommendation v1 from 'b4d67bcb7-7rp88': 4

Now change any part of the token and send the request again; you’ll notice that the request is refused.
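To see why a modified token is refused, here is an added Python example; it is not part of this tutorial or of the Istio project. It mints a compact JWT, verifies it the way a JWT origin policy does (well-formed, signature valid, expected issuer, not expired), and shows that editing a claim while keeping the original signature fails verification. The shared HS256 secret (DEMO_SECRET) and the issuer (EXPECTED_ISSUER) are constructed placeholders for the demo; an Istio policy instead validates RS256 signatures against the public keys published at the issuer's jwksUri, but the checks it performs on the token are the same.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional, Tuple

# Constructed demo values. A real Istio JWT policy validates RS256 signatures
# against the keys served at the issuer's jwksUri, not a shared secret.
DEMO_SECRET = b"tutorial-demo-secret"
EXPECTED_ISSUER = "testing@secure.istio.io"  # placeholder issuer for the demo


def b64url_encode(raw: bytes) -> str:
    """JWT uses unpadded base64url for every segment."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    padding = "=" * (-len(text) % 4)
    return base64.urlsafe_b64decode(text + padding)


def mint_token(claims: dict, secret: bytes = DEMO_SECRET) -> str:
    """Build a compact HS256 JWT: header.payload.signature."""
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    signing_input = f"{header}.{payload}".encode("ascii")
    signature = hmac.new(secret, signing_input, hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url_encode(signature)}"


def verify_token(token: str, secret: bytes = DEMO_SECRET, now: Optional[float] = None) -> Tuple[bool, str]:
    """Return (accepted, reason), mirroring the checks a JWT origin policy performs:
    well-formed token, valid signature, expected issuer, not expired."""
    parts = token.split(".")
    if len(parts) != 3:
        return False, "malformed token"
    header_b64, payload_b64, sig_b64 = parts
    try:
        header = json.loads(b64url_decode(header_b64))
        payload = json.loads(b64url_decode(payload_b64))
        presented_sig = b64url_decode(sig_b64)
    except ValueError:  # covers binascii.Error, UnicodeDecodeError, JSONDecodeError
        return False, "undecodable token"
    if header.get("alg") != "HS256":
        return False, "unexpected alg"
    signing_input = f"{header_b64}.{payload_b64}".encode("ascii")
    expected_sig = hmac.new(secret, signing_input, hashlib.sha256).digest()
    # Any change to header or payload changes the digest; compare in constant time.
    if not hmac.compare_digest(presented_sig, expected_sig):
        return False, "signature mismatch"
    if payload.get("iss") != EXPECTED_ISSUER:
        return False, "wrong issuer"
    current = time.time() if now is None else now
    if "exp" in payload and current >= payload["exp"]:
        return False, "token expired"
    return True, "ok"


def tamper_payload(token: str, **changes) -> str:
    """Re-encode the payload with modified claims but keep the original signature.
    This is what 'changing some part of the token' amounts to."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    payload = json.loads(b64url_decode(payload_b64))
    payload.update(changes)
    new_payload_b64 = b64url_encode(json.dumps(payload, separators=(",", ":")).encode())
    return f"{header_b64}.{new_payload_b64}.{sig_b64}"


if __name__ == "__main__":
    good = mint_token({"iss": EXPECTED_ISSUER, "sub": "alice", "exp": 2000000000})
    print("valid token:   ", verify_token(good))
    print("tampered claim:", verify_token(tamper_payload(good, sub="mallory")))
    print("wrong issuer:  ", verify_token(mint_token({"iss": "someone-else", "exp": 2000000000})))
    print("expired:       ", verify_token(mint_token({"iss": EXPECTED_ISSUER, "exp": 1}), now=2))
```

The tampered token still has three well-formed segments and a decodable payload; it is rejected purely because the signature was computed over the original header and payload, which is the same reason the gateway refuses an edited token in the curl exercise above.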

In this chapter you’ve seen how to enable end-user authentication with JWT.

You should also keep mTLS enabled so that an attacker cannot capture the token in transit.

Check the mTLS section to learn more about mTLS and Istio.

Clean Up

kubectl delete -f istiofiles/enduser-authentication-jwt.yml