2

I consider if there is a way to use Istio to translate opaque token to JWT.

Use case: There are two services (service 1 which is consumer and service 2 which is producer) Service1 works with opaque token, Service2 can be authenticate & authorize with JWT token. To avoid adding Opaque token authentication in service2 I consider if we can use sidecar pattern (exactly in Istio) to get request (re1) from service1, extract authorization header, pass request (authReq1) to authorization server for exchange opaque token to JWT and then pass request (req1 but with JWT instead of original Opaque Token) to service2.

Edited answer: I see two option (option1, option2) but I am interested in option 3.

Option 1: enter image description here Option 2: enter image description here Option 3: enter image description here

mattipr89
  • 23
  • 5

1 Answers1

1

I consider if there is a way to use Istio to translate opaque token to JWT.

Unfortunately, Istio won't be able to translate the tokens. In your case, it seems to me that the easiest way is to get services in such a way that they work on one type of token.

Translation is possible, but not by Istio. Look at this question. You can also read more about Istio Authentication:

Istio provides two types of authentication:

  • Peer authentication: used for service-to-service authentication to verify the client making the connection. Istio offers mutual TLS as a full stack solution for transport authentication, which can be enabled without requiring service code changes. This solution:

  • Provides each service with a strong identity representing its role to enable interoperability across clusters and clouds. - Secures service-to-service communication. - Provides a key management system to automate key and certificate generation, distribution, and rotation.

  • Request authentication: Used for end-user authentication to verify the credential attached to the request. Istio enables request-level authentication with JSON Web Token (JWT) validation and a streamlined developer experience using a custom authentication provider or any OpenID Connect providers, for example:

  • ORY Hydra

  • Keycloak

  • Auth0

  • Firebase Auth

  • Google Auth

In all cases, Istio stores the authentication policies in the Istio config store via a custom Kubernetes API. Istiod keeps them up-to-date for each proxy, along with the keys where appropriate. Additionally, Istio supports authentication in permissive mode to help you understand how a policy change can affect your security posture before it is enforced.

Mikołaj Głodziak
  • 4,775
  • 7
  • 28
  • Hey, thanks for response. What I meant I don't want use Istio to translate token, but use it as a router/middle-server/sidecar just to extract one token, send this token to exchange/introspect endpoint, and send with original request to service 2. Please see option 3 on picture above. – mattipr89 Feb 16 '22 at 10:58
  • 1
    Based on [this documentation](https://istio.io/latest/docs/reference/config/security/jwt/#JWTHeader) Istio can be use to extract JWT token, but not opaque token. So it looks that your situation is impossible to achieve. – Mikołaj Głodziak Feb 16 '22 at 11:07