End-user authentication with JWT

Before Start

You should have NO virtualservice, destinationrule, gateway or policy (in tutorial namespace) kubectl get virtualservice kubectl get destinationrule kubectl get gateway kubectl get policy if so run:

./scripts/clean.sh

The idea is to start from zero so there is no

In this chapter, we are going to see how to enable authenticating end user with Istio. At the time of writing this chapter, only the JWT mechanism is supported.

Enabling User-End Authentication

Now it is time to enable end-user authentication.

The first thing you need to do is run and validate that now it is still possible to communicate between all services without been authenticated.

curl $GATEWAY_URL/customer
customer => preference => recommendation v1 from 'b4d67bcb7-7rp88': 4

Then run:

Then let’s run the curl again:

curl $GATEWAY_URL/customer
Origin authentication failed.%

And now the communication is not possible because the user has not been identified (provides a valid JWT token).

To get a correct token, just run next curl request.

token=$(curl https://gist.githubusercontent.com/lordofthejars/a02485d70c99eba70980e0a92b2c97ed/raw/f16b938464b01a2e721567217f672f11dc4ef565/token.simple.jwt -s)

echo $token

Then let’s repeat the request but passing the token stored in token variable.

curl -H "Authorization: Bearer $token" $GATEWAY_URL/customer
customer => preference => recommendation v1 from 'b4d67bcb7-7rp88': 4

Now just change some part of the token and send the request again, you’ll notice that request is refused.

In this chapter you’ve seen how to enable end-user authentication with JWT.

Obviously, you should also keep enabled mTLS to avoid any attacker could take the token.

Check mTLS section to learn more about mTLS and Istio.

Clean Up

kubectl delete -f istiofiles/enduser-authentication-jwt.yml