RequestAuthentication

RequestAuthentication defines what request authentication methods are supported by a workload. It will reject a request if the request contains invalid authentication information, based on the configured authentication rules. A request that does not contain any authentication credentials will be accepted but will not have any authenticated identity. To restrict access to authenticated requests only, this should be accompanied by an authorization rule. Examples:

  • Require a JWT for all requests to workloads that have the label app: httpbin
apiVersion: security.istio.io/v1beta1
kind: RequestAuthentication
metadata:
  name: httpbin
  namespace: foo
spec:
  selector:
    matchLabels:
      app: httpbin
  jwtRules:
  - issuer: "issuer-foo"
    jwksUri: https://example.com/.well-known/jwks.json
---
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: httpbin
  namespace: foo
spec:
  selector:
    matchLabels:
      app: httpbin
  rules:
  - from:
    - source:
        requestPrincipals: ["*"]
  • A policy in the root namespace (“istio-system” by default) applies to workloads in all namespaces in the mesh. The following policy makes all workloads accept only requests that contain a valid JWT.
apiVersion: security.istio.io/v1beta1
kind: RequestAuthentication
metadata:
  name: req-authn-for-all
  namespace: istio-system
spec:
  jwtRules:
  - issuer: "issuer-foo"
    jwksUri: https://example.com/.well-known/jwks.json
---
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: require-jwt-for-all
  namespace: istio-system
spec:
  rules:
  - from:
    - source:
        requestPrincipals: ["*"]
  • The next example shows how to set a different JWT requirement for a different host. The RequestAuthentication declares it can accept JWTs issued by either issuer-foo or issuer-bar (the public key set is implicitly set from the OpenID Connect spec).
apiVersion: security.istio.io/v1beta1
kind: RequestAuthentication
metadata:
  name: httpbin
  namespace: foo
spec:
  selector:
    matchLabels:
      app: httpbin
  jwtRules:
  - issuer: "issuer-foo"
  - issuer: "issuer-bar"
---
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: httpbin
  namespace: foo
spec:
  selector:
    matchLabels:
      app: httpbin
  rules:
  - from:
    - source:
        requestPrincipals: ["issuer-foo/*"]
    to:
    - operation:
        hosts: ["example.com"]
  - from:
    - source:
        requestPrincipals: ["issuer-bar/*"]
    to:
    - operation:
        hosts: ["another-host.com"]
  • You can fine-tune the authorization policy to set a different requirement per path. For example, to require a JWT on all paths except /healthz, the same RequestAuthentication can be used, but the authorization policy could be:
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: httpbin
  namespace: foo
spec:
  selector:
    matchLabels:
      app: httpbin
  rules:
  - from:
    - source:
        requestPrincipals: ["*"]
  - to:
    - operation:
        paths: ["/healthz"]
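The four policy pairs above share one evaluation model: RequestAuthentication rejects invalid tokens, lets credential-less requests through with no identity, and AuthorizationPolicy decides on the resulting request principal. The following Python is an added illustration of that model, not Istio code; it assumes the proxy has already checked the signature and expiry against jwksUri, represented here by a `valid` flag on the token.

```python
"""Model of the RequestAuthentication + AuthorizationPolicy behaviour this page
describes (an added illustration, not Istio code). Signature and expiry checks
happen in the proxy against jwksUri; a token here is a dict of claims plus a
'valid' flag standing in for that result."""

JWT_RULES = [{"issuer": "issuer-foo"}, {"issuer": "issuer-bar"}]

# Rules of the per-host AuthorizationPolicy on this page.
PER_HOST_RULES = [
    {"principals": ["issuer-foo/*"], "hosts": ["example.com"]},
    {"principals": ["issuer-bar/*"], "hosts": ["another-host.com"]},
]
# Rules of the "JWT everywhere except /healthz" AuthorizationPolicy.
HEALTHZ_RULES = [{"principals": ["*"]}, {"paths": ["/healthz"]}]


def request_principal(token):
    """RequestAuthentication step: None (no credential), 'reject', or '<iss>/<sub>'."""
    if token is None:
        return None                                   # accepted, but no identity
    if not token.get("valid") or token.get("iss") not in {r["issuer"] for r in JWT_RULES}:
        return "reject"                               # invalid token or unknown issuer
    return f"{token['iss']}/{token['sub']}"           # requestPrincipal form used in authz


def principal_matches(pattern, principal):
    """'*' needs any authenticated identity; 'issuer/*' needs that issuer."""
    if principal is None:
        return False
    return pattern == "*" or (pattern.endswith("/*") and principal.startswith(pattern[:-1]))


def evaluate(rules, host, path, token=None):
    """Return 'ALLOW' or 'DENY' for one request under an ALLOW-action policy."""
    principal = request_principal(token)
    if principal == "reject":
        return "DENY"                                 # rejected before authz runs
    for rule in rules:                                # a rule matches when every
        ok_from = "principals" not in rule or any(    # present section matches
            principal_matches(p, principal) for p in rule["principals"])
        ok_host = "hosts" not in rule or host in rule["hosts"]
        ok_path = "paths" not in rule or path in rule["paths"]
        if ok_from and ok_host and ok_path:
            return "ALLOW"
    return "DENY"                                     # no rule matched
```

Running the /healthz rules with no token shows the point of the page's note: the path exception is what lets an unauthenticated probe through, while every other path needs a request principal.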
  • When applied on a Gateway, you can also use the special header name x-jwt-claim for matching JWT claims in the VirtualService. Claims of type string or list of string are supported and nested claims are also supported using . as a separator for claim names. Examples: x-jwt-claim.admin matches the claim “admin” and x-jwt-claim.group.id matches the nested claims “group” and “id”.

The following example creates the request authentication and authorization policies for JWT validation on ingress gateway and routes requests based on the “version” claim in the validated JWT.

apiVersion: security.istio.io/v1beta1
kind: RequestAuthentication
metadata:
  name: jwt-on-ingress
  namespace: istio-system
spec:
  selector:
    matchLabels:
      app: istio-ingressgateway
  jwtRules:
  - issuer: "issuer-foo"
    jwksUri: https://example.com/.well-known/jwks.json
---
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: require-jwt
  namespace: istio-system
spec:
  selector:
    matchLabels:
      app: istio-ingressgateway
  rules:
  - from:
    - source:
        requestPrincipals: ["*"]
---
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: route-jwt
spec:
  hosts:
  - foo.prod.svc.cluster.local
  gateways:
  - istio-ingressgateway
  http:
  - name: "v2-route"
    match:
    - headers:
        x-jwt-claim.version:
          exact: "v2"
    route:
    - destination:
        host: foo.prod.svc.cluster.local
        subset: v2
  - name: "default-route"
    route:
    - destination:
        host: foo.prod.svc.cluster.local
        subset: v1

Note: This routing is only supported on Gateways and proper request authentication must first be applied to validate the JWT.
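To show how an x-jwt-claim header name resolves against a validated token, here is an added Python illustration (not Istio code) that base64url-decodes a constructed, unsigned sample payload, walks the dotted claim path, and selects the subset the VirtualService above would pick. The list-claim matching rule (any element equal) is an assumption made for the example.

```python
import base64
import json

# Constructed, unsigned sample payload for illustration only. In the mesh the
# ingress gateway's RequestAuthentication validates the signature against
# jwksUri before any claim is trusted; decoding here assumes that already passed.
SAMPLE_PAYLOAD = base64.urlsafe_b64encode(json.dumps({
    "iss": "issuer-foo", "sub": "alice", "version": "v2",
    "group": {"id": "platform"}, "roles": ["dev", "admin"],
}).encode()).rstrip(b"=").decode()


def decode_payload(segment):
    """Base64url-decode one JWT segment, restoring the stripped '=' padding."""
    return json.loads(base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4)))


def lookup_claim(claims, header_name):
    """Resolve x-jwt-claim.<a>.<b> to the nested claim value, or None if absent."""
    prefix = "x-jwt-claim."
    if not header_name.startswith(prefix):
        raise ValueError("not an x-jwt-claim header")
    value = claims
    for part in header_name[len(prefix):].split("."):
        if not isinstance(value, dict) or part not in value:
            return None                     # missing claim: the header match fails
        value = value[part]
    return value


def header_exact_match(claims, header_name, expected):
    """Assumed semantics: a string claim must equal expected; a list-of-string
    claim matches if any element equals expected; other types never match."""
    value = lookup_claim(claims, header_name)
    if isinstance(value, str):
        return value == expected
    if isinstance(value, list):
        return any(isinstance(v, str) and v == expected for v in value)
    return False


def select_route(claims):
    """Mirror the VirtualService above: subset v2 when version is 'v2', else v1."""
    if header_exact_match(claims, "x-jwt-claim.version", "v2"):
        return "v2"
    return "v1"
```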

Fields

selector (WorkloadSelector, required: No)
    The selector determines the workloads to apply the RequestAuthentication on. If not set, the policy will be applied to all workloads in the same namespace as the policy.

jwtRules (JWTRule[], required: No)
    Define the list of JWTs that can be validated at the selected workloads' proxy. A valid token will be used to extract the authenticated identity. Each rule will be activated only when a token is presented at the location recognized by the rule. The token will be validated based on the JWT rule config. If validation fails, the request will be rejected. Note: if more than one token is presented (at different locations), the output principal is nondeterministic.