Alibaba Cloud Service Mesh:FAQ about JWT

How JWT authentication works in ASM

ASM uses two Istio resources to enforce JWT authentication:

To require valid JWTs on every request, pair a RequestAuthentication with an AuthorizationPolicy. A RequestAuthentication alone does not block unauthenticated requests.

What JWT algorithms does ASM support?

Algorithm support depends on your ASM version:

How do I use the jwksUri parameter?

The jwksUri parameter is available in ASM v1.13 or later. Configuration depends on where your JWKS endpoint is hosted:

The examples below use the sample JWT and sample JWKS from Istio.

JWKS endpoint in the managed ACK cluster

In this example, the nginx-proxy service serves JWKS public keys on port 80 at the /get_jwks path. The full jwksUri value is http://nginx-proxy.{Namespace}.svc.cluster.local:80/get_jwks.

1. Verify that the JWKS endpoint is reachable:

   curl nginx-proxy/get_jwks

   Expected output:

   { "keys":[ {"e":"AQAB","kid":"DHFbpoIUqrY8t2zpA2qXfCmr5VO5ZEr4RzHU_-e****","kty":"RSA","n":"xAE7eB6qugXyCAG3yhh7pkDkT65p****-P7KfIupjf59vsdo91bSP9C8H07pSAGQ****_xFj9VswgsCg4R6otmg5PV2He95lZdHtOcU5****_pbhLdKXbi66GlVeK6ABZOUW3WYt****-91gVuoeJT_DwtGGcp4ignkgXfkiE****-4sfb4qdt5oLbyVpmW6x9cfa7vs2WTfURiCrBoU****_-4WTiULmmHSGZHOjzwa8WtrtOQGsAFjIbno85jp6MnGGGZPYZ****_b3y5u-YpW7ypZrvD8BgtKVjgtQgZhLAGezMt0ua3DRrWnKqT****_EyxOGuHJrLsn00****"}]}

   A valid JWKS JSON response confirms the endpoint is reachable.

2. Create a RequestAuthentication policy.

   1. Log on to the ASM console.

   2. In the left-side navigation pane, choose Service Mesh > Mesh Management.

   3. On the Mesh Management page, find the target ASM instance and click its name, or click Manage in the Actions column.

   4. In the left-side navigation pane, choose Mesh Security Center > RequestAuthentication.

   5. On the RequestAuthentication page, click Create from YAML. Select the target Namespace and a Template, paste the following YAML, and click Create.

      apiVersion: security.istio.io/v1beta1
      kind: RequestAuthentication
      metadata:
        name: jwt-example
        namespace: foo
      spec:
        jwtRules:
          - issuer: testing@secure.istio.io
            jwksUri: 'http://nginx-proxy/get_jwks'
        selector:
          matchLabels:
            app: httpbin

3. Verify the configuration by sending a request with a valid JWT.

   Use kubectl with the kubeconfig file for the data plane cluster to run:

   # Set the Token environment variable.
   TOKEN=$(curl https://raw.githubusercontent.com/istio/istio/release-1.14/security/tools/jwt/samples/demo.jwt -s) && echo "$TOKEN" | cut -d '.' -f2 - | base64 --decode -
   # Send a request with the JWT from the sleep pod to the httpbin service.
   kubectl exec "$(kubectl get pod -l app=sleep -n foo -o jsonpath={.items..metadata.name})" -c sleep -n foo -- curl "http://httpbin.foo:8000/headers" -sS -o /dev/null -H "Authorization: Bearer $TOKEN" -w "%{http_code}\n"

   A 200 status code confirms that JWT authentication is working.

JWKS endpoint outside the managed ACK cluster

When the JWKS endpoint is external to your managed ACK cluster, create a ServiceEntry so that the mesh can reach it. This example uses HTTP. To use HTTPS, also create a DestinationRule for TLS origination.

1. Create a ServiceEntry for the external JWKS endpoint.

   1. Create a file named service-entry.yaml with the following content:

      apiVersion: networking.istio.io/v1beta1
      kind: ServiceEntry
      metadata:
        name: external-svc-https
        namespace: foo
      spec:
        addresses:
          - 11.11.XX.XX   # Replace with the IP address of your JWKS endpoint.
        endpoints:
          - address: 11.11.XX.XX  # Replace with the IP address of your JWKS endpoint.
        hosts:
          - 11.11.XX.XX  # Replace with the IP address of your JWKS endpoint.
        location: MESH_EXTERNAL
        ports:
           - name: http
            number: 80
            protocol: HTTP
          - name: https
            number: 443
            protocol: HTTPS
        resolution: STATIC

   2. Apply the ServiceEntry:

      kubectl apply -f service-entry.yaml

2. (Optional) To fetch JWKS over HTTPS, create a DestinationRule for TLS origination:

   apiVersion: networking.istio.io/v1beta1
   kind: DestinationRule
   metadata:
     name: external-svc-https
     namespace: foo
   spec:
     host: <service-entry-host>
     trafficPolicy:
       loadBalancer:
         simple: ROUND_ROBIN
       portLevelSettings:
         - port:
             number: 443
           tls:
             mode: SIMPLE

3. Create a RequestAuthentication policy.

   1. Log on to the ASM console.

   2. In the left-side navigation pane, choose Service Mesh > Mesh Management.

   3. On the Mesh Management page, find the target ASM instance and click its name, or click Manage in the Actions column.

   4. In the left-side navigation pane, choose Mesh Security Center > RequestAuthentication.

   5. On the RequestAuthentication page, click Create from YAML. Select the target Namespace and a Template, paste the following YAML, and click Create.

      apiVersion: security.istio.io/v1beta1
      kind: RequestAuthentication
      metadata:
        name: jwt-example
        namespace: foo
      spec:
        jwtRules:
          - issuer: tes****@secure.istio.io
            jwksUri: '<your-jwks-uri>'
        selector:
          matchLabels:
            app: httpbin

4. Verify the configuration by sending a request with a valid JWT from the sleep pod:

   # Send a request with the JWT from the sleep pod to the httpbin service.
   kubectl exec "$(kubectl get pod -l app=sleep -n foo -o jsonpath={.items..metadata.name})" -c sleep -n foo -- curl "http://httpbin.foo:8000/headers" -sS -o /dev/null -H "Authorization: Bearer $TOKEN" -w "%{http_code}\n"

   A 200 status code confirms that JWT authentication is working.

How do I skip JWT authentication for specific paths?

Use an AuthorizationPolicy with action: DENY to block unauthenticated requests on most paths while allowing certain paths through without a token.

How the double-negation pattern works: The policy denies requests that have no valid JWT (notRequestPrincipals: '*') unless they target an excluded path (notPaths). In plain language: "Deny any request that lacks valid JWT credentials, except requests to the excluded path."

This combination of notRequestPrincipals and notPaths forms a double-negation:

This example uses the Bookinfo sample application and excludes the /productpage path from JWT authentication while requiring valid JWTs for all other paths.

1. Deploy the sample application and verify access.

   1. Deploy the Bookinfo application in the ACK cluster added to your ASM instance. For more information, see Deploy an application in an ACK cluster that is added to an ASM instance.

   2. Verify that all paths are accessible:

      curl "http://<ingress-gateway-ip>/productpage" -sS -o /dev/null -w "%{http_code}\n"
      curl "http://<ingress-gateway-ip>/api/v1/products/0" -sS -o /dev/null -w "%{http_code}\n"
      curl "http://<ingress-gateway-ip>/api/v1/products/1" -sS -o /dev/null -w "%{http_code}\n"

      All three commands should return 200.

2. Create a RequestAuthentication policy on the ingress gateway.

   This policy validates JWTs on all requests that pass through the gateway. Requests with valid JWTs or no JWT are allowed. Requests with invalid JWTs are rejected.

   1. Log on to the ASM console.

   2. In the left-side navigation pane, choose Service Mesh > Mesh Management.

   3. On the Mesh Management page, find the target ASM instance and click its name, or click Manage in the Actions column.

   4. In the left-side navigation pane, choose Mesh Security Center > RequestAuthentication.

   5. On the RequestAuthentication page, click Create from YAML. Select the target Namespace and a Template, paste the following YAML, and click Create.

      apiVersion: security.istio.io/v1beta1
      kind: RequestAuthentication
      metadata:
        name: jwt-example
        namespace: istio-system
      spec:
        jwtRules:
          - issuer: testing@secure.istio.io
            jwks: >-
              { "keys":[
              {"e":"AQAB","kid":"DHFbpoIUqrY8t2zpA2qXfCmr5VO5ZEr4RzHU_-e****","kty":"RSA","n":"xAE7eB6qugXyCAG3yhh7pkDkT65pHymX-P7KfIupjf59vsdo91bSP9C8H07pSAGQ****_xFj9VswgsCg4R6otmg5PV2He95lZdHtOcU5****_pbhLdKXbi66GlVeK6ABZOUW3WYtnNHD-91gVu****_DwtGGcp4ignkgXfkiEm4sw-4sfb4qdt5oLbyVpmW6x9cfa7vs2WTfURiCrBoU****_-4WTiULmmHSGZHOjzwa8WtrtOQGsAFjIbno85jp6MnGGGZPYZ****_b3y5u-YpW7ypZrvD8BgtKVjgtQgZhLAGezMt0ua3DRrWnKqT****_EyxOGuHJrLsn00****"}]}
        selector:
          matchLabels:
            app: istio-ingressgateway

3. Create an AuthorizationPolicy to exempt /productpage from JWT authentication.

   This policy denies requests that lack a valid JWT unless the request targets /productpage. Requests to all other paths must carry a valid JWT.

   1. Log on to the ASM console.

   2. In the left-side navigation pane, choose Service Mesh > Mesh Management.

   3. On the Mesh Management page, find the target ASM instance and click its name, or click Manage in the Actions column.

   4. In the left-side navigation pane, choose Mesh Security Center > AuthorizationPolicy.

   5. On the AuthorizationPolicy page, click Create from YAML. Select the target Namespace and a Template, paste the following YAML, and click Create.

      apiVersion: security.istio.io/v1beta1
      kind: AuthorizationPolicy
      metadata:
        name: test-exclude
        namespace: istio-system
      spec:
        action: DENY
        rules:
          - from:
              - source:
                  notRequestPrincipals:
                    - '*'
            to:
              - operation:
                  notPaths:
                    - /productpage
        selector:
          matchLabels:
            app: istio-ingressgateway

4. Test the results.

   1. Set the JWT token:

      export TOKEN=eyJhbGciOiJSUzI1NiIsImtpZCI6IkRIRmJwb0lVcXJZOHQyenBBMnFYZkNtcjVWTzVaRXI0UnpIVV8tZW52dlEiLCJ0eXAiOiJKV1****.eyJleHAiOjQ2ODU5ODk3MDAsImZvbyI6ImJhciIsImlhdCI6MTUzMjM4OTcwMCwiaXNzIjoidGVzdGluZ0BzZWN1cmUuaXN0aW8uaW8iLCJzdWIiOiJ0ZXN0aW5nQHNlY3VyZS5pc3Rpby5p****.CfNnxWP2tcnR9q0vxyxweaF3ovQYHYZl82hAUsn21bwQd9****-LS9qd_vpdLG4Tn1A15NxfCjp5f7Q****-KC9PJqYpgGbaXhaGx7bEdFWjcwv3nZz****__ZpaCERdwU7igUmJqYGBYQ51vr2njU9ZimyKkfDe3axcyiBZde7G6dabliUosJvvKOPcKIWPccCg****_GNfwIip3-SsFdlR7BtbVUcqR-yv-XOxJ3UcMI0tz3uMiiZcyPV7sNCU4KRnemRIMHVOfuvH****_GhGbiSFzgPTAa9WTltbnarTbxudb_YEOx12JiwYToeX0DCPb43W1tzIBxgm8****

   2. Send requests without a JWT:

      curl "http://<ingress-gateway-ip>/productpage" -sS -o /dev/null -w "%{http_code}\n"
      # Expected: 200
      
      curl "http://<ingress-gateway-ip>/api/v1/products/0" -sS -o /dev/null -w "%{http_code}\n"
      # Expected: 403
      
      curl "http://<ingress-gateway-ip>/api/v1/products/1" -sS -o /dev/null -w "%{http_code}\n"
      # Expected: 403

      Only /productpage returns 200. The other paths return 403 because they require a valid JWT.

   3. Send requests with a valid JWT:

      curl "http://<ingress-gateway-ip>/productpage" -H "Authorization: Bearer $TOKEN" -sS -o /dev/null -w "%{http_code}\n"
      # Expected: 200
      
      curl "http://<ingress-gateway-ip>/api/v1/products/0" -H "Authorization: Bearer $TOKEN" -sS -o /dev/null -w "%{http_code}\n"
      # Expected: 200
      
      curl "http://<ingress-gateway-ip>/api/v1/products/1" -H "Authorization: Bearer $TOKEN" -sS -o /dev/null -w "%{http_code}\n"
      # Expected: 200

      All three paths return 200, confirming that valid JWTs grant access to every path.