0

According to the Istio security doc: "Request authentication policies can specify more than one JWT if each uses a unique location. When more than one policy matches a workload, Istio combines all rules as if they were specified as a single policy. This behavior is useful to program workloads to accept JWT from different providers. However, requests with more than one valid JWT are not supported because the output principal of such requests is undefined."

Does this mean I can have multiple unique "jwtRules: issuer, jwksUri" in different policy yamls, the receiving workload can accept these different JWT, but each request must contain only One particular JWT? Thanks!

YoungStud666
  • 1
  • 1

1 Answers1

1

Here is our approach of the scenario to allow more than one issuer policy Example of 2 types of jwt( siteminder based issuer / gateway issuer) called

  1. $.Values.jwt.siteminder.issuer
  2. $.Values.jwt.gateway.issuer

Then the definition in authn

####
apiVersion: security.istio.io/v1beta1
kind: RequestAuthentication
metadata:
  name: {{ $.Values.appDomain }}-app-bff
  labels:
    app.kubernetes.io/part-of: {{ $.Values.appDomain }}
spec:
  selector:
    matchLabels:
      app: {{ $.Values.appDomain }}-app-bff-exp
  jwtRules:
  - forwardOriginalToken: true
    fromHeaders:
      - name: Authorization
        prefix: 'Bearer '
    issuer: {{ $.Values.jwt.siteminder.issuer }}
    jwksUri: {{ $.Values.jwt.siteminder.jwksUri }}
  - forwardOriginalToken: true
    fromHeaders:
      - name: Authorization
        prefix: 'Bearer '
    issuer: {{ $.Values.jwt.gateway.issuer }}
    jwksUri: {{ $.Values.jwt.gateway.jwksUri }}

---
# Similar in the Authorization app BFF
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: {{ $.Values.appDomain }}-app-bff
  labels:
    app.kubernetes.io/part-of: {{ $.Values.appDomain }}
spec:
  selector:
    matchLabels:
      app: {{ $.Values.appDomain }}-app-bff-exp
  action: ALLOW
  rules:
  - when:
    - key: request.auth.claims[iss]
      values:
        - {{ $.Values.jwt.siteminder.issuer }}
        - {{ $.Values.jwt.gateway.issuer }}
  - when:
    - key: request.auth.claims[scope]
      values:
      - "life-object:write"
      - "life-object:read"

hope this helps anyone trying to apply multiple issuers validation in authn or multiple rules for authorization

Regards

Jay Sadineni
  • 11
  • 2