I have 2 services running on AKS (v1.16.13) and deployed the following istio (v1.7.3) configuration. First one is a UI where I invoke the OIDC flow and get JWT token, second one is a backend service which should require a valid JWT token.
apiVersion: networking.istio.io/v1beta1
kind: Gateway
metadata:
name: myapp-gateway
namespace: "istio-system"
spec:
selector:
istio: ingressgateway
servers:
- hosts:
- myapp.com
port:
name: http-myapp
number: 80
protocol: HTTP
tls:
httpsRedirect: true
- hosts:
- myapp.com
port:
name: https-myapp
number: 443
protocol: HTTPS
tls:
credentialName: myapp-credential
mode: SIMPLE
---
apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata:
name: myapp
namespace: myapp
spec:
gateways:
- istio-system/myapp-gateway
hosts:
- myapp.com
http:
- match:
- uri:
prefix: /ui
route:
- destination:
host: myapp-ui.myapp.svc.cluster.local
port:
number: 4200
- match:
- uri:
prefix: /backend/
rewrite:
uri: /
route:
- destination:
host: myapp-service-backend.myapp.svc.cluster.local
port:
number: 8080
---
apiVersion: security.istio.io/v1beta1
kind: RequestAuthentication
metadata:
name: myapp-jwt-backend
namespace: myapp
spec:
jwtRules:
- issuer: https://oktapreview.com
selector:
matchLabels:
app: myapp-service-backend
With that config I would expect to get 401 if I invoke myapp.com/backend but that's not the case. Request authentication doesn't kick in.
After some further research (https://discuss.istio.io/t/cannot-use-jwt-policy-with-an-externalname-virtualservice-target/2794/3), I found out that I can't apply RequestAuthentication on a VirtualService but only on a Gateway which is quite odd to me but ok. I've changed the RequestAuthentication to the following but still nothing has changed after invoking backend:
apiVersion: security.istio.io/v1beta1
kind: RequestAuthentication
metadata:
name: myapp-jwt-backend
namespace: istio-system
spec:
jwtRules:
- issuer: https://oktapreview.com
selector:
matchLabels:
istio: myapp-gateway
Do you have any idea how can I setup istio for my use case? Assuming the RequestAuthentication would work on a gateway, do I need 2 gateway? 1 for UI and the second for backend? Seems like an overkill.
Thanks to the sachin's comment and going again through the documentation made me realized that I need AuthorizationPolicy on top of RequestAuthentication:
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
name: myapp-require-jwt-backend
spec:
action: ALLOW
rules:
- from:
- source:
requestPrincipals:
- https://xxx/*
selector:
matchLabels:
app: myapp-service-backend
The request authentication is only making sure that when a JWT token is provided, it has to be a valid one. If there is no token, it will just pass through the request.