
I have a couple of microservices and am using Istio, and I want end-user role details in each microservice due to a business requirement. I want to know how to populate claims (end-user roles) from the JWT in a request header. I've configured the Istio YAML below.

The outputPayloadToHeader element helps to populate the bearer token in a header. Istio just validates the JWT (bearer). But I want to know how to configure it to populate the JWT payload elements in the request header. I have attached a screenshot; the payload attributes should be propagated to the request header, so that my microservice (which wants name ("Gaurav Agarwal")) can read it from the header. Is there any way to configure this in RequestAuthentication, or any other way?


apiVersion: security.istio.io/v1beta1
kind: RequestAuthentication
metadata:
  name: "jwt-example"
  namespace: default
spec:
  selector:
    matchLabels:
      app: servicea
  jwtRules:
    - issuer: "testing@secure.istio.io"
      jwksUri: "https://raw.githubusercontent.com/istio/istio/release-1.12/security/tools/jwt/samples/jwks.json"
      outputPayloadToHeader: x-jwt
Asked by Ram (edited by Wytrzymały Wiktor)
  • If your application is sending requests header with JWT, they will be populated. Could you please clarify what exactly is your issue, especially parts "how to populate claims(end user roles) (jwt) in request header" and "how to configure to populate jwt payload elements in request header.". Could you please add some examples? Please also provide information about Istio and Kubernetes version that you are using. Check also these topics: [this one](https://discuss.istio.io/t/setting-request-headers-with-values-from-a-jwt/5903/38) and [this one](https://github.com/istio/istio/issues/35108). – Mikolaj S. Nov 29 '21 at 15:17
  • "jwksUri" this element is useful to validate the jwt token (bearer) and outputPayloadToHeader helps to populate/or just forward jwt in requester header. But what I want is, once jwt token validated(jwksUri does this), I want to get all claim(roles) details in the requester header. – Ram Nov 29 '21 at 20:30
  • It's still not really clear what you want to achieve. Could you please add some examples? Please also provide information about Istio and Kubernetes version that you are using. Have you checked the topics I sent? Were they helpful? – Mikolaj S. Nov 30 '21 at 08:57
  • @MikolajS. i've attached screenshot and given example in the original question – Ram Dec 01 '21 at 17:35

1 Answer

Posted community wiki answer for better visibility. Feel free to expand it.


Currently there is no simple solution for your issue in Istio using RequestAuthentication. There is a topic on the Istio forum with a very similar question - Setting request headers with values from a JWT, last pinged 10 days ago (state as of 03.12.2021) - you may consider subscribing to it.

There is also a nice document - Copy JWT claims to headers - which sums up this issue with proposals and possible solutions/workarounds from different websites:

There are several existing solutions and workarounds:

  • Solution 1: WASM filter
    - A dedicated WASM filter is developed for copying claims to headers as a workaround for ASM customers.
    - This solution requires the deployment and configuration of a dedicated WASM filter; the adoption process is a bit heavy and may not be suitable for all ASM customers due to the use of the EnvoyFilter API.
    - See more details in the Existing WASM based solution appendix.
  • Solution 2: Lua filter
    - The OSS community developed some example Lua filter configuration for copying claims to headers.
    - This solution is much more lightweight as it just uses the native built-in Lua filter in upstream Envoy. The configuration is simple and has great flexibility as it's just some Lua code. This solution still needs to use the EnvoyFilter API, and the Lua filter is also not supported by ASM.
    - See more details in the discuss.istio.io threads.
  • Solution 3: Reuse an undocumented feature in VirtualService
    - This solution was developed in this design to reuse an undocumented feature in the virtual service for copying dynamic metadata (JWT claims) to HTTP headers.
    - This is probably the most lightweight solution as it only needs the first-class Istio virtual service API.
    - There are some limitations in this solution: the feature is undocumented and uses the Envoy logging format directly, the capability is also limited and may not support proper sanitization of the HTTP headers, and claims of types other than string are not supported.
    - The following is an example virtual service for copying the "group" claim to the "x-istio-jwt-group" header:
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: reviews-route
spec:
  hosts:
  - reviews.prod.svc.cluster.local
  http:
  - headers:
      request:
        set:
          x-istio-jwt-group: '%DYNAMIC_METADATA(["istio_authn", "request.auth.claims", "group"])%'
    route: <...>

Check this article - Istio Request Control with Envoy Filters — Request Headers - a little bit outdated but with a good explanation. Check also updated code of the above solution on the GitHub page.

Another workaround is to change your app to read the forwarded JWT payload from a header and take the values from there. You must set the outputPayloadToHeader field:

This field specifies the header name to output a successfully verified JWT payload to the backend. The forwarded data is base64_encoded(jwt_payload_in_JSON). If it is not specified, the payload will not be emitted.

Keep in mind you can as well forward the original token to your app using forwardOriginalToken: true field:

If set to true, the original token will be kept for the upstream request. Default is false.

Answered by Mikolaj S.