
Authentication using Keycloak isn't working as expected; Istio is being used with Keycloak. Istio components configured: Gateway, VirtualService, AuthorizationPolicy, RequestAuthentication.

Using a valid token: 401 Jwt issuer is not configured


ISTIO CONFIGURATION FOR SECURITY:

---
kubectl apply -f - <<EOF
apiVersion: security.istio.io/v1beta1
kind: RequestAuthentication
metadata:
  name: "jwt-example"
  namespace: istio-system
spec:
  selector:
    matchLabels:
      istio: ingressgateway
  jwtRules:
  - issuer: "http://localhost:30080/auth/realms/master"
    jwksUri: "http://localhost:30080/auth/realms/master/protocol/openid-connect/certs"
    forwardOriginalToken: true
    outputPayloadToHeader: x-jwt-payload
EOF
---
kubectl apply -f - <<EOF
apiVersion: "security.istio.io/v1beta1"
kind: "AuthorizationPolicy"
metadata:
  name: "frontend-ingress"
  namespace: istio-system
spec:
  selector:
    matchLabels:
      istio: ingressgateway
  action: DENY
  rules:
  - from:
    - source:
        notRequestPrincipals: ["*"]
  # principalBinding: USE_ORIGIN belongs to the old v1alpha1 Policy API and is not
  # a field of AuthorizationPolicy; it has been dropped here.
EOF
---

When there is no Authorization: Bearer header:


To double check, I used Istio's example and it worked:

kubectl apply -f - <<EOF
apiVersion: "security.istio.io/v1beta1"
kind: "RequestAuthentication"
metadata:
  name: "jwt-example"
  namespace: istio-system
spec:
  selector:
    matchLabels:
      istio: ingressgateway
  jwtRules:
  - issuer: "testing@secure.istio.io"
    jwksUri: "https://raw.githubusercontent.com/istio/istio/release-1.8/security/tools/jwt/samples/jwks.json"
EOF
kubectl apply -f - <<EOF
apiVersion: "security.istio.io/v1beta1"
kind: "AuthorizationPolicy"
metadata:
  name: "frontend-ingress"
  namespace: istio-system
spec:
  selector:
    matchLabels:
      istio: ingressgateway
  action: DENY
  rules:
  - from:
    - source:
        notRequestPrincipals: ["*"]
EOF

ISTIO GATEWAY AND VIRTUALSERVICE:

apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: keycloak-gateway
  namespace: default
spec:
  selector:
    istio: ingressgateway
  servers:
  - hosts:
    - '*'
    port:
      name: http
      number: 80
      protocol: HTTP

---
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: enterprise-vs
spec:
  hosts:
    - '*'
  gateways:
    - default/keycloak-gateway
  http:
    - match:
        - uri:
            prefix: '/enterprise/'
      rewrite:
        uri: /
      fault:
        delay:
          fixedDelay: 1s
      route:
        - destination:
            host: enterprise
            port:
              number: 8080
            subset: enterprise-s1
          weight: 90
        - destination:
            host: enterprise
            port:
              number: 8080
            subset: enterprise-s2
          weight: 10
Tiago Medici
  • Could you add to the question the definition file of your RequestAuthentication and AuthorizationPolicy? – Juliano Costa Aug 09 '20 at 15:26
  • Edited the question adding the YAML; btw, the git repo was already mentioned. Let me know if you need more info. – Tiago Medici Aug 09 '20 at 19:53
  • What is your istio version? – Jakub Aug 10 '20 at 14:29
  • Istio 1.5.8, Kubernetes 1.16.5 – Tiago Medici Aug 10 '20 at 14:35
  • As mentioned [here](https://istio.io/latest/docs/reference/config/security/request_authentication/#RequestAuthentication), there is same example you use, `A request that does not contain any authentication credentials will be accepted but will not have any authenticated identity.`. What might help there is AuthorizationPolicy like [here](https://istio.io/latest/docs/tasks/security/authentication/authn-policy/#require-a-valid-token), could you try with that with proper namespace and labels? Additionally can you show us how you test it? – Jakub Aug 10 '20 at 15:22
  • Having Keycloak on the same cluster is the issue; using Auth0 it works. But how can I have Keycloak on my cluster securing other namespaces? – Tiago Medici Nov 08 '20 at 12:18

2 Answers

I encountered a similar issue.

The JWT token had the following value for the issuer: "iss": "http://localhost:8080/auth/realms/dev"

I matched the same value in my jwtRules, i.e. localhost. However, I changed jwksUri to the cluster IP address of Keycloak. This seems to have worked.

jwtRules:
- issuer: 'http://localhost:8080/auth/realms/dev'
  jwksUri: 'http://10.105.250.41:8080/auth/realms/dev/protocol/openid-connect/certs'


You can check to see if the ingress gateway can actually access your jwks_uri. I'm going to guess you get a 404 because it's on a different cluster or spun up in local Docker, etc.

kubectl exec -i -t -n istio-system YOUR_ISTIOINGRESS_GATEWAY_POD -c istio-proxy -- sh -c "clear; (bash || ash || sh)"

> curl -i http://YOUR_DOMAIN:YOUR_PORT/auth/realms/master/protocol/openid-connect/certs

HTTP/1.1 404 Not Found
date: Thu, 23 Dec 2021 16:11:17 GMT
server: istio-envoy
content-length: 0

My workaround for local testing was to run ngrok to expose Keycloak running on port 8080.

npm install -g ngrok
ngrok http 8080

Replacing localhost in the jwksUri with the generated ngrok domain in your RequestAuthentication resource worked for me.

dominathan
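Both answers come down to the same two checks: the `issuer` in `jwtRules` must equal the token's `iss` claim exactly (otherwise Envoy answers "401 Jwt issuer is not configured"), and `jwksUri` must point at an address the gateway can actually fetch from (a `localhost` URL inside the ingress gateway pod is the gateway itself, not Keycloak). The script below is an added example, not code from the question or either answer; it reproduces those checks offline against a constructed, unsigned test token and a constructed JWKS document. The cluster IP `10.105.250.41:8080` is taken from the first answer; the `kid` value, the `/auth/realms/dev` token claims and the finding codes are assumptions for illustration. Nothing here verifies a signature; that is Envoy's job once the JWKS is loaded.

```python
"""Offline diagnostic for Istio RequestAuthentication / Keycloak JWT mismatches.

Added example. Checks (1) token `iss` == jwtRules[].issuer, exact string match,
(2) jwksUri does not point at loopback, (3) the token's `kid` exists in the JWKS
the gateway would fetch. Signatures are NOT verified.
"""
import base64
import json
from urllib.parse import urlsplit, urlunsplit


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(segment: str) -> bytes:
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_jwt_unverified(token: str):
    """Return (header, payload) dicts. No signature check; diagnostics only."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected header.payload.signature)")
    return json.loads(_b64url_decode(parts[0])), json.loads(_b64url_decode(parts[1]))


def make_unsigned_test_token(header: dict, payload: dict) -> str:
    """Constructed test token with a dummy signature; never use outside tests."""
    enc = lambda obj: _b64url_encode(json.dumps(obj, separators=(",", ":")).encode())
    return ".".join([enc(header), enc(payload), _b64url_encode(b"not-a-real-signature")])


LOOPBACK_HOSTS = {"localhost", "127.0.0.1", "::1"}


def diagnose(token: str, jwt_rules: list, fetched_jwks=None) -> list:
    """Return finding codes; an empty list means the rule set should accept the token.

    fetched_jwks maps jwksUri -> JWKS document as fetched from the gateway's network
    position (a missing entry means the fetch failed or was never attempted).
    """
    header, payload = decode_jwt_unverified(token)
    iss = payload.get("iss")
    findings = []
    matching = [r for r in jwt_rules if r.get("issuer") == iss]
    if not matching:
        # Exact match required; this is the case behind "Jwt issuer is not configured".
        findings.append("issuer-mismatch")
        return findings
    for rule in matching:
        uri = rule.get("jwksUri", "")
        if urlsplit(uri).hostname in LOOPBACK_HOSTS:
            # localhost inside the gateway pod is the gateway itself, not Keycloak.
            findings.append("jwks-uri-loopback")
        jwks = (fetched_jwks or {}).get(uri)
        if jwks is None:
            findings.append("jwks-not-fetched")
        elif header.get("kid") not in {k.get("kid") for k in jwks.get("keys", [])}:
            findings.append("kid-not-in-jwks")
    return findings


def rewrite_jwks_uri_for_cluster(rule: dict, in_cluster_netloc: str) -> dict:
    """Keep issuer exactly as the token presents it; only re-point jwksUri."""
    parts = urlsplit(rule["jwksUri"])
    return {**rule, "jwksUri": urlunsplit(parts._replace(netloc=in_cluster_netloc))}


# Constructed sample token: the iss value from the first answer, an assumed kid.
SAMPLE_TOKEN = make_unsigned_test_token(
    {"alg": "RS256", "typ": "JWT", "kid": "kc-key-1"},
    {"iss": "http://localhost:8080/auth/realms/dev", "sub": "alice", "exp": 1900000000},
)
# jwtRules as in the question: issuer differs from the token's iss.
QUESTION_RULES = [{"issuer": "http://localhost:30080/auth/realms/master",
                   "jwksUri": "http://localhost:30080/auth/realms/master/protocol/openid-connect/certs"}]
# Issuer fixed, but jwksUri still points at loopback.
LOOPBACK_RULES = [{"issuer": "http://localhost:8080/auth/realms/dev",
                   "jwksUri": "http://localhost:8080/auth/realms/dev/protocol/openid-connect/certs"}]
# What the first answer ended up with: same issuer, jwksUri on the Keycloak cluster IP.
FIXED_RULES = [rewrite_jwks_uri_for_cluster(LOOPBACK_RULES[0], "10.105.250.41:8080")]
# Constructed JWKS, as the gateway would fetch it from the cluster IP.
FETCHED = {FIXED_RULES[0]["jwksUri"]: {"keys": [{"kty": "RSA", "kid": "kc-key-1", "use": "sig"}]}}

if __name__ == "__main__":
    for name, rules in [("question", QUESTION_RULES), ("loopback", LOOPBACK_RULES), ("fixed", FIXED_RULES)]:
        print(name, diagnose(SAMPLE_TOKEN, rules, FETCHED))
```

Run it and the question's rule set reports only `issuer-mismatch`: the token says `/auth/realms/dev` and the rule says `/auth/realms/master`, so no JWKS is even consulted. Fixing the issuer but leaving `localhost` in `jwksUri` reports `jwks-uri-loopback` plus `jwks-not-fetched`; only the rule with the in-cluster address and a JWKS containing the token's `kid` comes back clean. To use it against a real token, paste the token into `SAMPLE_TOKEN` and replace `FETCHED` with the JSON returned by the `curl` from the second answer, run from inside the ingress gateway pod.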