
I have a GKE backend behind a GCLB (using Ingress-GCP, with routing done based on path to various backend services). My need is to verify the token in the header and pass the request to the backend iff it is a valid token. And to check the validity of the token I need to pass it to Firebase. Once Firebase says OK, then route to the correct backend.

I was initially using ingress-GCE, but it seems this can only be achieved by using Istio. Can anyone suggest how to do Istio-based end user authentication?

Jithin Kumar S
  • I think you can use AuthorizationPolicy and RequestAuthentication to do this. There is [istio documentation](https://istio.io/latest/docs/tasks/security/authorization/authz-jwt/) about that. Could you please check it and tell me if that's what you are looking for? – Jakub Oct 09 '20 at 12:31
  • Thanks Jakub for the response. I went through this document; what I'm not clear on, let me elaborate. The UI side (Android, which is generating the JWT using Firebase) gives me the JWT in the header of the API call. What does Istio do in the RequestAuthentication? What value should I give to `jwtRules: - issuer: "testing@secure.istio.io" jwksUri: "https://raw.githubusercontent.com/istio/istio/release-1.7/security/tools/jwt/samples/jwks.json"`? I am not sure what this issuer and jwksUri mean. Can you please help? – Jithin Kumar S Oct 09 '20 at 12:51
  • Hi @Jithin Kumar S, I have made an answer to answer all of your questions. I hope this will help you understand what should be put there. – Jakub Oct 12 '20 at 06:51

1 Answer

You can use AuthorizationPolicy and RequestAuthentication to do this. There is an example about that in the Istio documentation.

What does Istio do in the RequestAuthentication?

As mentioned here

RequestAuthentication defines what request authentication methods are supported by a workload. It will reject a request if the request contains invalid authentication information, based on the configured authentication rules. A request that does not contain any authentication credentials will be accepted but will not have any authenticated identity. To restrict access to authenticated requests only, this should be accompanied by an authorization rule.


As mentioned here

issuer -> Identifies the issuer that issued the JWT. See issuer. A JWT with a different iss claim will be rejected.

Example: https://foobar.auth0.com Example: 1234567-compute@developer.gserviceaccount.com

jwksUri -> URL of the provider’s public key set to validate signature of the JWT. See OpenID Discovery.

Example: https://www.googleapis.com/oauth2/v1/certs

There are 2 examples of jwtRules and jwksUri for Firebase.

Additional resources:

Jakub
  • In my example the JWT server (Keycloak) isn't HTTPS, then I get this error "Jwt issuer is not configured" https://stackoverflow.com/questions/63319153/istio-service-mesh-security-with-authorizationpolicy-requestauthentication . What could be the reason? – Tiago Medici Nov 08 '20 at 10:10
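The pairing described in the answer above, written out for Firebase ID tokens as an added example (not taken from the answer or the Istio docs). It assumes the backend pods carry the label `app: api` in namespace `default` (both placeholders) and that `<PROJECT_ID>` is replaced with the Firebase project ID; the issuer format and JWK endpoint are the ones Firebase publishes for ID tokens.

```yaml
# Added example: Istio RequestAuthentication plus AuthorizationPolicy that admit
# only requests carrying a valid Firebase ID token.
# Assumptions: backend pods are labelled app: api (placeholder) in namespace
# default, and <PROJECT_ID> stands for your Firebase project ID.
apiVersion: security.istio.io/v1beta1
kind: RequestAuthentication
metadata:
  name: firebase-jwt
  namespace: default
spec:
  selector:
    matchLabels:
      app: api
  jwtRules:
  # Firebase ID tokens carry iss = https://securetoken.google.com/<PROJECT_ID>;
  # a token with any other iss claim is rejected.
  - issuer: "https://securetoken.google.com/<PROJECT_ID>"
    # aud is the project ID; pinning it rejects tokens minted for another project.
    audiences:
    - "<PROJECT_ID>"
    # Public keys (JWK set) that Firebase signs ID tokens with; the signature
    # is verified against these, so no call to Firebase per request is needed.
    jwksUri: "https://www.googleapis.com/service_accounts/v1/jwk/securetoken@system.gserviceaccount.com"
    # Token is read from "Authorization: Bearer <token>" (the default, shown explicitly).
    fromHeaders:
    - name: Authorization
      prefix: "Bearer "
---
# RequestAuthentication only rejects *invalid* tokens; a request with no token
# still reaches the backend. This ALLOW policy matches only requests that have
# an authenticated principal, so token-less requests are denied.
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: require-firebase-jwt
  namespace: default
spec:
  selector:
    matchLabels:
      app: api
  action: ALLOW
  rules:
  - from:
    - source:
        requestPrincipals: ["*"]
```

Apply both objects with `kubectl apply -f`; a request without a bearer token should then get 403 from the sidecar, while one with an expired or wrongly-issued token gets 401.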