JSON Web Tokens (JWTs) are commonly used to authenticate users. A JWT carries user information together with a field that stores that user information in encrypted form. When JWT authentication is implemented, the encrypted user information is decrypted and compared with the user information that the client submits; a match verifies the user identity. This topic describes how to configure JWT authentication by using an ingress gateway.

Prerequisites

Procedure

  1. Log on to the ASM console. In the left-side navigation pane, choose Service Mesh > Mesh Management.
  2. On the Mesh Management page, click the name of the ASM instance. In the left-side navigation pane, choose ASM Gateways > Ingress Gateway.
  3. On the Ingress Gateway page, click the ingress gateway that you want to use.
  4. In the left-side navigation pane, choose Gateway Security > JWT.
  5. In the JWT Config step of the configuration wizard, turn on the Enable gateway JWT authentication switch, configure the parameters, and then click Next.
    Parameters:
    • Issuer: The issuer of the JWT. In this example, the parameter is set to testing@secure.istio.io.
    • JWKS Source: The JSON Web Key Set (JWKS) that is used to verify JWTs. In this example, jwks is selected.
    • Key: Example value:
      { "keys":[ {"e":"AQAB","kid":"DHFbpoIUqrY8t2zpA2qXfCmr5VO5ZEr4RzHU_-envvQ","kty":"RSA","n":"xAE7eB6qugXyCAG3yhh7pkDkT65pHymX-P7KfIupjf59vsdo91bSP9C8H07pSAGQO1MV_xFj9VswgsCg4R6otmg5PV2He95lZdHtOcU5DXIg_pbhLdKXbi66GlVeK6ABZOUW3WYtnNHD-91gVuoeJT_DwtGGcp4ignkgXfkiEm4sw-4sfb4qdt5oLbyVpmW6x9cfa7vs2WTfURiCrBoUqgBo_-4WTiULmmHSGZHOjzwa8WtrtOQGsAFjIbno85jp6MnGGGZPYZbDAa_b3y5u-YpW7ypZrvD8BgtKVjgtQgZhLAGezMt0ua3DRrWnKqTZ0BJ_EyxOGuHJrLsn00fnMQ"}]}
    • AdvancedConfig: Click AdvancedConfig. In the JWT Rules Advanced Options dialog box, set JWT Token Position, JWT Passthrough, and Transmit Payload through Header based on your needs.
  6. In the Matching Rule step of the configuration wizard, configure the parameters and click Submit.
    Parameters:
    • Match Mode: In this example, Auth If Matched is selected. Valid values:
      • Auth If Matched: The specified requests require JWT authentication.
      • Bypass Auth If Matched: The specified requests do not require JWT authentication.
    • Add Match Rule: Turn on the Path switch and set this parameter to /productpage. This configuration indicates that requests to access the /productpage path require JWT authentication. Requests to access other paths do not require JWT authentication.
      Note: In this case, requests to access other paths are allowed if they carry no JWT, but are denied if they carry an invalid JWT.
    Then, a message that indicates JWT authentication is successfully configured appears, and native Istio security resources are displayed. You can click YAML to view the resource configurations.
  7. Verify that JWT authentication takes effect.
    1. Run the following command to configure environment variables:
      TOKEN=eyJhbGciOiJSUzI1NiIsImtpZCI6IkRIRmJwb0lVcXJZOHQyenBBMnFYZkNtcjVWTzVaRXI0UnpIVV8tZW52dlEiLCJ0eXAiOiJKV1QifQ.eyJleHAiOjQ2ODU5ODk3MDAsImZvbyI6ImJhciIsImlhdCI6MTUzMjM4OTcwMCwiaXNzIjoidGVzdGluZ0BzZWN1cmUuaXN0aW8uaW8iLCJzdWIiOiJ0ZXN0aW5nQHNlY3VyZS5pc3Rpby5p****.CfNnxWP2tcnR9q0vxyxweaF3ovQYHYZl82hAUsn21bwQd9zP7c-L****_vpdLG4Tn1A15NxfCjp5f7QNBUo-KC9PJqYpgGbaXhaGx7bEdFWjcwv3nZz****__ZpaCERdwU7igUmJqYGBYQ51vr2njU9ZimyKkfDe3axcyiBZde7G6dabliUosJvvKOPcKIWPccCg****_GNfwIip3-SsFdlR7BtbVUcqR-yv-XOxJMI0tz3uMiiZcyPV7sNCU4KRnemRIMHVOfuvH****_GhGbiSFzgPTAa9WTltbnarTbxud3Uc1b_YEOx12JiwYToeX0DCPb43W1tzIBxgm8****
    2. Run the following commands to perform access tests:
      • Test 1: Send a request that carries the valid JWT to access the /productpage path.
        curl -I http://${IP address of the ingress gateway}/productpage -H "Authorization: Bearer $TOKEN"
        Sample output:
        HTTP/1.1 200 OK
        content-type: text/html; charset=utf-8
        content-length: 4294
        server: istio-envoy
        date: Tue, 17 Jan 2023 08:47:34 GMT
        x-envoy-upstream-service-time: 17
      • Test 2: Send a request that carries no JWT to access the /productpage path.
        curl -I http://${IP address of the ingress gateway}/productpage
        Sample output:
        HTTP/1.1 403 Forbidden
        content-length: 19
        content-type: text/plain
        date: Tue, 17 Jan 2023 08:50:31 GMT
        server: istio-envoy
      • Test 3: Send a request that carries an invalid JWT to access the /productpage path.
        curl -I http://${IP address of the ingress gateway}/productpage -H "Authorization: Bearer invalid token"
        Sample output:
        HTTP/1.1 401 Unauthorized
        www-authenticate: Bearer realm="http://114.55.XXX.XXX/productpage", error="invalid_token"
        content-length: 79
        content-type: text/plain
        date: Tue, 17 Jan 2023 08:51:47 GMT
        server: istio-envoy
      • Test 4: Send a request that carries no JWT to access another path.
        curl -I http://${IP address of the ingress gateway}/api/v1/products/1
        Sample output:
        HTTP/1.1 200 OK
        content-type: application/json
        content-length: 195
        server: istio-envoy
        date: Tue, 17 Jan 2023 08:55:10 GMT
        x-envoy-upstream-service-time: 16
      The following table describes the test results. The test results meet expectations, which indicates that JWT authentication takes effect.
      Access test | Access allowed?
      Send a request that carries the valid JWT to access the /productpage path. | Yes
      Send a request that carries no JWT to access the /productpage path. | No
      Send a request that carries an invalid JWT to access the /productpage path. | No
      Send a request that carries no JWT to access another path. | Yes
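The wizard in steps 5 and 6 produces native Istio security resources, and the four test results in step 7 follow directly from how those resources interact. The pair below is an added illustration written for this page in standard Istio terms, not the YAML that ASM itself generates or code from the ASM documentation. It assumes the ingress gateway is selected by the label istio: ingressgateway in the istio-system namespace, and the resource names (jwt-ingressgateway, require-jwt-productpage) are placeholders; the issuer, the JWKS value and the /productpage path are the ones used in this topic.

```yaml
# RequestAuthentication corresponds to the "JWT Config" step: it tells the
# gateway which issuer to accept and which JWKS to verify signatures with.
# A request that carries a token failing this check is rejected with 401
# (Test 3). A request that carries no token passes this stage without a
# principal and is decided by the AuthorizationPolicy below.
apiVersion: security.istio.io/v1beta1
kind: RequestAuthentication
metadata:
  name: jwt-ingressgateway          # placeholder name
  namespace: istio-system           # assumed gateway namespace
spec:
  selector:
    matchLabels:
      istio: ingressgateway         # assumed gateway label
  jwtRules:
  - issuer: "testing@secure.istio.io"
    # Inline JWKS, the same key as the "Key" parameter above.
    jwks: '{ "keys":[ {"e":"AQAB","kid":"DHFbpoIUqrY8t2zpA2qXfCmr5VO5ZEr4RzHU_-envvQ","kty":"RSA","n":"xAE7eB6qugXyCAG3yhh7pkDkT65pHymX-P7KfIupjf59vsdo91bSP9C8H07pSAGQO1MV_xFj9VswgsCg4R6otmg5PV2He95lZdHtOcU5DXIg_pbhLdKXbi66GlVeK6ABZOUW3WYtnNHD-91gVuoeJT_DwtGGcp4ignkgXfkiEm4sw-4sfb4qdt5oLbyVpmW6x9cfa7vs2WTfURiCrBoUqgBo_-4WTiULmmHSGZHOjzwa8WtrtOQGsAFjIbno85jp6MnGGGZPYZbDAa_b3y5u-YpW7ypZrvD8BgtKVjgtQgZhLAGezMt0ua3DRrWnKqTZ0BJ_EyxOGuHJrLsn00fnMQ"}]}'
    # Assumed mapping of the "JWT Passthrough" switch in AdvancedConfig:
    # keep the Authorization header when forwarding upstream.
    # forwardOriginalToken: true
---
# AuthorizationPolicy corresponds to the "Matching Rule" step with
# Match Mode = Auth If Matched and Path = /productpage. The DENY action
# with notRequestPrincipals: ["*"] rejects any request on /productpage
# that did not establish a principal, that is, any request without a
# valid JWT (Test 2, 403). Paths not listed are unaffected, so a request
# without a token to /api/v1/products/1 is allowed (Test 4, 200).
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: require-jwt-productpage     # placeholder name
  namespace: istio-system
spec:
  selector:
    matchLabels:
      istio: ingressgateway
  action: DENY
  rules:
  - from:
    - source:
        notRequestPrincipals: ["*"]
    to:
    - operation:
        paths: ["/productpage"]
```

Two points follow from this layout when you review the generated YAML. First, the 401 and 403 responses come from different resources: a token that is present but fails signature, issuer or expiry checks is stopped by RequestAuthentication before authorization runs, while a missing token is stopped by the AuthorizationPolicy. Second, the DENY rule is scoped to the listed path, so every path you want protected must appear in the match rule; a path you forget is served without a token, which is exactly what Test 4 demonstrates for /api/v1/products/1.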