Leon Eller

Reputation: 21

Istio Authorization with JWT

I am running Istio 1.0.2 and am unable to configure service authorization based on JWT claims against Azure AD.

I have successfully configured and validated Azure AD OIDC JWT end-user authentication and it works fine.

Now I'd like to configure RBAC authorization using the request.auth.claims["preferred_username"] attribute. I've created a ServiceRole and ServiceRoleBinding like the ones below:

apiVersion: "rbac.istio.io/v1alpha1"
kind: ServiceRole
metadata:
  name: service-reader
  namespace: default
spec:
  rules:
  # Only GET requests to paths ending in /products on myservice
  - services: ["myservice.default.svc.cluster.local"]
    methods: ["GET"]
    paths: ["*/products"]
---
apiVersion: "rbac.istio.io/v1alpha1"
kind: ServiceRoleBinding
metadata:
  name: service-reader-binding
  namespace: default
spec:
  subjects:
  # Match any source workload, but require the preferred_username claim
  # from the validated JWT to equal the given address
  - properties:
      source.principal: "*"
      request.auth.claims["preferred_username"]: "[email protected]"
  roleRef:
    kind: ServiceRole
    name: "service-reader"

However, I keep getting 403 Forbidden from the service proxy, even though the preferred_username claim from the Authentication header is correct. If I comment out the request.auth.claims["preferred_username"]: "[email protected]" line, the request succeeds.

Can anyone point me in the right direction regarding configuring authorization based on OIDC and JWT?

Upvotes: 1

Views: 941

Answers (1)

Leon Eller

Reputation: 21

Never mind. I found the problem. I was missing the user: "*" check to allow all users, so under subjects it should say:

subjects:
  # user: "*" accepts any authenticated user; the claim property below
  # is what actually restricts access
  - user: "*"
    properties:
      source.principal: "*"
      request.auth.claims["preferred_username"]: "[email protected]"

That fixes it.

Upvotes: 1
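For reference, here is the full set of Istio 1.0-era manifests that the fix above implies, written out as an added example rather than taken from the question or answer. It assumes an RbacConfig that enables RBAC for the default namespace (the 403 in the question shows RBAC is already on, so this part may already exist), an authentication Policy that validates Azure AD v2.0 tokens for myservice (the preferred_username claim only exists in v2.0 tokens), and placeholder values for the tenant ID, client ID and e-mail address, which are all assumptions:

```yaml
# Added example; <tenant-id>, <client-id> and the e-mail address are placeholders.
# 1. Enable RBAC for the default namespace (Istio 1.0 RbacConfig; this became
#    ClusterRbacConfig in Istio 1.1).
apiVersion: "rbac.istio.io/v1alpha1"
kind: RbacConfig
metadata:
  name: default
  namespace: istio-system
spec:
  mode: 'ON_WITH_INCLUSION'
  inclusion:
    namespaces: ["default"]
---
# 2. End-user authentication: validate the Azure AD v2.0 JWT for myservice.
#    Setting audiences is what stops any token minted by the tenant for some
#    other application from being accepted here.
apiVersion: "authentication.istio.io/v1alpha1"
kind: Policy
metadata:
  name: myservice-jwt
  namespace: default
spec:
  targets:
  - name: myservice
  origins:
  - jwt:
      issuer: "https://login.microsoftonline.com/<tenant-id>/v2.0"
      jwksUri: "https://login.microsoftonline.com/<tenant-id>/discovery/v2.0/keys"
      audiences:
      - "<client-id>"
  # Expose the JWT (not the workload mTLS identity) as request.auth.principal
  principalBinding: USE_ORIGIN
---
# 3. What may be done: GET on paths ending in /products on myservice.
apiVersion: "rbac.istio.io/v1alpha1"
kind: ServiceRole
metadata:
  name: service-reader
  namespace: default
spec:
  rules:
  - services: ["myservice.default.svc.cluster.local"]
    methods: ["GET"]
    paths: ["*/products"]
---
# 4. Who may do it: any user (user: "*"), from any source workload, whose
#    validated token carries the expected preferred_username claim. Without
#    the user: "*" line this binding produced the 403 from the question.
apiVersion: "rbac.istio.io/v1alpha1"
kind: ServiceRoleBinding
metadata:
  name: service-reader-binding
  namespace: default
spec:
  subjects:
  - user: "*"
    properties:
      source.principal: "*"
      request.auth.claims["preferred_username"]: "[email protected]"
  roleRef:
    kind: ServiceRole
    name: "service-reader"
```

Two practical caveats. First, the claim check is only as strong as the token validation in step 2: user: "*" and source.principal: "*" match anything, so the issuer, jwksUri and audiences in the Policy are what guarantee the preferred_username value was actually asserted by your Azure AD tenant for this application. Second, Azure AD documents preferred_username as a mutable, display-oriented claim that should not be used for authorization decisions; keying the binding on the immutable oid (or sub) claim instead, e.g. request.auth.claims["oid"], avoids access following a renamed or re-created account. On Istio 1.4 and later, the same rule is written as an AuthorizationPolicy with a when clause on request.auth.claims[preferred_username], since ServiceRole and ServiceRoleBinding were removed.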
