Without token validation at the gateway level, services behind an ingress gateway accept unauthenticated requests. In Alibaba Cloud Service Mesh (ASM), you create an ASMSecurityPolicy of the JWT type to reject requests that lack valid JSON Web Tokens (JWTs). Under the hood, this policy generates two Istio resources -- a RequestAuthentication (validates token signatures) and an AuthorizationPolicy (enforces access rules). A single ASMSecurityPolicy handles both token validation and path-based access control.
Background information
JWT is an open standard and is commonly used to authenticate and authorize users. A JWT carries user information and a field that stores encrypted user information. When you implement JWT-based authentication, the encrypted user information is decrypted and then compared with the input user information. This verifies the user identity.
How it works
A JWT-type ASMSecurityPolicy verifies incoming JWTs against a JSON Web Key Set (JWKS) and checks the issuer claim. Path-based access control is determined by one of two match modes:
| Match mode | Matched paths | Unmatched paths |
|---|---|---|
| Auth If Matched | Require a valid JWT. Reject requests without a token or with an invalid token. | Allow requests with a valid JWT or no JWT. Reject invalid tokens. |
| Bypass Auth If Matched | Allow requests with a valid JWT or no JWT. Reject invalid tokens. | Require a valid JWT. Reject requests without a token or with an invalid token. |
The distinction between "no token" and "invalid token" matters. A request without a JWT may pass through depending on match mode and path. A request with an invalid JWT is always rejected.
Prerequisites
Before you begin, make sure that you have:
An application deployed in the cluster added to the ASM instance
An Istio gateway and a virtual service configured so that the following paths are accessible through the ingress gateway (see Step 1 through Step 3 in Use Istio resources to route traffic to different versions of a service):
http://<ingress-gateway-ip>/productpage
http://<ingress-gateway-ip>/api/v1/products/1
http://<ingress-gateway-ip>/static/jquery.min.js
Step 1: Create a JWT authentication policy
Log on to the ASM console. In the left-side navigation pane, choose Service Mesh > Mesh Management.
On the Mesh Management page, click the name of the ASM instance. In the left-side navigation pane, choose Mesh Security Center > ASMSecurityPolicy.
On the ASMSecurityPolicy page, click Create.
In the Create ASMSecurityPolicy dialog box, click JWT, and then click OK.
In the JWT Config step, configure the following parameters and click Next.

| Parameter | Example value |
|---|---|
| ASMSecurityPolicy Name | test-jwt |
| Certification Rules > Issuer | testing@secure.istio.io |
| JWKS Source | jwks |
| Key | See the JWKS key below. |

JWKS key value used in this example:

```json
{ "keys":[ {"e":"AQAB","kid":"DHFbpoIUqrY8t2zpA2qXfCmr5VO5ZEr4RzHU_-envvQ","kty":"RSA","n":"xAE7eB6qugXyCAG3yhh7pkDkT65pHymX-P7KfIupjf59vsdo91bSP9C8H07pSAGQO1MV_xFj9VswgsCg4R6otmg5PV2He95lZdHtOcU5DXIg_pbhLdKXbi66GlVeK6ABZOUW3WYtnNHD-91gVuoeJT_DwtGGcp4ignkgXfkiEm4sw-4sfb4qdt5oLbyVpmW6x9cfa7vs2WTfURiCrBoUqgBo_-4WTiULmmHSGZHOjzwa8WtrtOQGsAFjIbno85jp6MnGGGZPYZbDAa_b3y5u-YpW7ypZrvD8BgtKVjgtQgZhLAGezMt0ua3DRrWnKqTZ0BJ_EyxOGuHJrLsn00fnMQ"}]}
```

This example uses a demo issuer and JWKS from Istio samples. In production, replace these with values from your identity provider (Okta, Auth0, Keycloak, or similar). Set Issuer to your provider's issuer URL and Key to the JWKS from your provider's /.well-known/jwks.json endpoint.

In the Workload and Match Rules step, click Add Workload Group. In the New Workload Group dialog box, configure the following parameters, click OK, and then click Submit.

| Parameter | Description |
|---|---|
| Workload Group Name | Enter test-policy. |
| Workload List | Click Add Workload. In the Add Workload dialog box, select Gateway Scope, in the Select workloads box, select the target workload, click the icon to move it to the selected box, and then click OK. |
| Match Rule List | Select Auth If Matched as the match mode, set Matching Rules to Custom Matching Rules, click Add Match Rule, and then turn on the Path switch to add each of the following rules. |

| Rule | Path |
|---|---|
| Rule 1 | /static/* |
| Rule 2 | /api/* |

Match rules for this example: With Auth If Matched and these two rules, ASM requires a valid JWT for any request whose path starts with /static or /api. Requests to other paths (such as /productpage) are allowed through with or without a JWT, but requests carrying an invalid JWT are still rejected.
In the Complete step, confirm that the "ASMSecurityPolicy Creation successfully" message appears. Click YAML to review the generated RequestAuthentication and AuthorizationPolicy resources, or click Complete to return to the ASMSecurityPolicy page.
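For readers who want to see what the policy compiles to, the following is an added example of the two Istio resources that express this example's policy (Auth If Matched on /static/* and /api/*). It is not the YAML that ASM generates and not ASM's own code: the resource names, the istio-system namespace and the istio: ingressgateway selector label are assumptions, and the issuer and JWKS are the demo values from this page.

```yaml
# Added example, not ASM's generated output. Names, namespace and
# selector labels are assumptions; issuer and JWKS are the page's demo values.
apiVersion: security.istio.io/v1beta1
kind: RequestAuthentication
metadata:
  name: test-jwt
  namespace: istio-system
spec:
  selector:
    matchLabels:
      istio: ingressgateway
  jwtRules:
  # A token whose signature, issuer or expiry fails this rule is rejected
  # with 401 on every path. A request with no token passes this stage
  # without a request principal; the AuthorizationPolicy below decides.
  - issuer: "testing@secure.istio.io"
    jwks: |
      { "keys":[ {"e":"AQAB","kid":"DHFbpoIUqrY8t2zpA2qXfCmr5VO5ZEr4RzHU_-envvQ","kty":"RSA","n":"xAE7eB6qugXyCAG3yhh7pkDkT65pHymX-P7KfIupjf59vsdo91bSP9C8H07pSAGQO1MV_xFj9VswgsCg4R6otmg5PV2He95lZdHtOcU5DXIg_pbhLdKXbi66GlVeK6ABZOUW3WYtnNHD-91gVuoeJT_DwtGGcp4ignkgXfkiEm4sw-4sfb4qdt5oLbyVpmW6x9cfa7vs2WTfURiCrBoUqgBo_-4WTiULmmHSGZHOjzwa8WtrtOQGsAFjIbno85jp6MnGGGZPYZbDAa_b3y5u-YpW7ypZrvD8BgtKVjgtQgZhLAGezMt0ua3DRrWnKqTZ0BJ_EyxOGuHJrLsn00fnMQ"}]}
---
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: test-jwt
  namespace: istio-system
spec:
  selector:
    matchLabels:
      istio: ingressgateway
  action: DENY
  rules:
  # Auth If Matched: deny requests that carry no request principal
  # (no valid JWT) on the matched paths; unmatched paths are untouched.
  - from:
    - source:
        notRequestPrincipals: ["*"]
    to:
    - operation:
        paths: ["/static/*", "/api/*"]
```

For Bypass Auth If Matched (Step 3 of this page), the same DENY rule is inverted: the operation uses notPaths: ["/static/*"] instead of paths, so every path except the matched ones requires a valid JWT. Compare the YAML ASM shows you against this shape to confirm which paths are actually protected.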
Step 2: Verify the JWT authentication policy
Run the following commands to test three scenarios: no token, an invalid token, and a valid token.
Test without a JWT:

```bash
# /productpage is not in the match rules, so requests without a JWT are allowed.
curl -I http://<ingress-gateway-ip>/productpage
# Expected: 200
# /api/* matches a rule with Auth If Matched, so requests without a JWT are rejected.
curl -I http://<ingress-gateway-ip>/api/v1/products/1
# Expected: 403
# /static/* matches a rule with Auth If Matched, so requests without a JWT are rejected.
curl -I http://<ingress-gateway-ip>/static/jquery.min.js
# Expected: 403
```

Test with an invalid JWT:

```bash
# An invalid token is rejected on all paths, regardless of match rules.
curl -I http://<ingress-gateway-ip>/productpage -H "Authorization: Bearer invalid-token"
# Expected: 401
curl -I http://<ingress-gateway-ip>/api/v1/products/1 -H "Authorization: Bearer invalid-token"
# Expected: 401
```

Test with a valid JWT:

```bash
# Set the test token.
TOKEN=eyJhbGciOiJSUzI1NiIsImtpZCI6IkRIRmJwb0lVcXJZOHQyenBBMnFYZkNtcjVWTzVaRXI0UnpIVV8tZW52dlEiLCJ0eXAiOiJKV1QifQ.eyJleHAiOjQ2ODU5ODk3MDAsImZvbyI6ImJhciIsImlhdCI6MTUzMjM4OTcwMCwiaXNzIjoidGVzdGluZ0BzZWN1cmUuaXN0aW8uaW8iLCJzdWIiOiJ0ZXN0aW5nQHNlY3VyZS5pc3Rpby5pbyJ9.CfNnxWP2tcnR9q0vxyxweaF3ovQYHYZl82hAUsn21bwQd9zP7c-LS9qd_vpdLG4Tn1A15NxfCjp5f7QNBUo-KC9PJqYpgGbaXhaGx7bEdFWjcwv3nZzvc7M__ZpaCERdwU7igUmJqYGBYQ51vr2njU9ZimyKkfDe3axcyiBZde7G6dabliUosJvvKOPcKIWPccCgefSj_GNfwIip3-SsFdlR7BtbVUcqR-yv-XOxJ3Uc1MI0tz3uMiiZcyPV7sNCU4KRnemRIMHVOfuvHsU60_GhGbiSFzgPTAa9WTltbnarTbxudb_YEOx12JiwYToeX0DCPb43W1tzIBxgm8NxUg
# All paths return 200 with a valid token.
curl -I http://<ingress-gateway-ip>/productpage -H "Authorization: Bearer $TOKEN"
# Expected: 200
curl -I http://<ingress-gateway-ip>/api/v1/products/1 -H "Authorization: Bearer $TOKEN"
# Expected: 200
curl -I http://<ingress-gateway-ip>/static/jquery.min.js -H "Authorization: Bearer $TOKEN"
# Expected: 200
```

The following table summarizes the expected results:

| Path | No JWT | Invalid JWT | Valid JWT |
|---|---|---|---|
| /productpage | 200 (not matched) | 401 | 200 |
| /api/v1/products/1 | 403 (matched) | 401 | 200 |
| /static/jquery.min.js | 403 (matched) | 401 | 200 |
Step 3: Modify the match mode and rules
To change the policy behavior, update the match mode and path rules.
On the ASMSecurityPolicy page, find the JWT authentication policy and click Edit in the Actions column.
In the JWT Config step, click Next.
In the Workload and Match Rules step, find the workload group and click Edit in the Operator column.
In the New Workload Group dialog box, update the following settings, click OK, and then click Submit.

| Parameter | Updated value |
|---|---|
| Match Mode | Bypass Auth If Matched |
| Matching Rules | Remove the /api/* rule. Keep only /static/*. |

With Bypass Auth If Matched and the /static/* rule, ASM now allows requests to /static/* paths without a JWT (or with a valid JWT) but requires a valid JWT for all other paths.
Step 4: Verify the updated policy
Run the following commands to confirm the updated behavior.
Test without a JWT:

```bash
# /productpage is not in the match rules. With Bypass Auth If Matched, unmatched paths require a valid JWT.
curl -I http://<ingress-gateway-ip>/productpage
# Expected: 403
# /api/* is no longer in the match rules. Unmatched paths require a valid JWT.
curl -I http://<ingress-gateway-ip>/api/v1/products/1
# Expected: 403
# /static/* matches the rule. With Bypass Auth If Matched, matched paths allow requests without a JWT.
curl -I http://<ingress-gateway-ip>/static/jquery.min.js
# Expected: 200
```

Test with an invalid JWT:

```bash
# An invalid token is still rejected on all paths.
curl -I http://<ingress-gateway-ip>/productpage -H "Authorization: Bearer invalid-token"
# Expected: 401
curl -I http://<ingress-gateway-ip>/static/jquery.min.js -H "Authorization: Bearer invalid-token"
# Expected: 401
```

Test with a valid JWT:

```bash
TOKEN=eyJhbGciOiJSUzI1NiIsImtpZCI6IkRIRmJwb0lVcXJZOHQyenBBMnFYZkNtcjVWTzVaRXI0UnpIVV8tZW52dlEiLCJ0eXAiOiJKV1QifQ.eyJleHAiOjQ2ODU5ODk3MDAsImZvbyI6ImJhciIsImlhdCI6MTUzMjM4OTcwMCwiaXNzIjoidGVzdGluZ0BzZWN1cmUuaXN0aW8uaW8iLCJzdWIiOiJ0ZXN0aW5nQHNlY3VyZS5pc3Rpby5pbyJ9.CfNnxWP2tcnR9q0vxyxweaF3ovQYHYZl82hAUsn21bwQd9zP7c-LS9qd_vpdLG4Tn1A15NxfCjp5f7QNBUo-KC9PJqYpgGbaXhaGx7bEdFWjcwv3nZzvc7M__ZpaCERdwU7igUmJqYGBYQ51vr2njU9ZimyKkfDe3axcyiBZde7G6dabliUosJvvKOPcKIWPccCgefSj_GNfwIip3-SsFdlR7BtbVUcqR-yv-XOxJ3Uc1MI0tz3uMiiZcyPV7sNCU4KRnemRIMHVOfuvHsU60_GhGbiSFzgPTAa9WTltbnarTbxudb_YEOx12JiwYToeX0DCPb43W1tzIBxgm8NxUg
# All paths return 200 with a valid token.
curl -I http://<ingress-gateway-ip>/productpage -H "Authorization: Bearer $TOKEN"
# Expected: 200
curl -I http://<ingress-gateway-ip>/api/v1/products/1 -H "Authorization: Bearer $TOKEN"
# Expected: 200
curl -I http://<ingress-gateway-ip>/static/jquery.min.js -H "Authorization: Bearer $TOKEN"
# Expected: 200
```

The following table summarizes the expected results after the update:

| Path | No JWT | Invalid JWT | Valid JWT |
|---|---|---|---|
| /productpage | 403 (not matched) | 401 | 200 |
| /api/v1/products/1 | 403 (not matched) | 401 | 200 |
| /static/jquery.min.js | 200 (matched) | 401 | 200 |
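The two result tables above (Step 2 with Auth If Matched, Step 4 with Bypass Auth If Matched) and the match-mode table under "How it works" follow from two separate checks: the RequestAuthentication stage (signature against the JWKS, issuer, expiry) and the AuthorizationPolicy stage (path match against the mode). The following is an added example, not ASM's or Istio's code, that models both stages in standard-library Python so the tables can be replayed offline. It uses the demo JWKS and token from this page; the function names (verify_rs256, gateway_decision), the JwtError class and the 200/401/403 mapping are assumptions that mirror the page's expected results rather than the gateway's implementation.

```python
"""Added example (not ASM's code): model of the JWT check and the path rule
evaluated at the ingress gateway, replayed over the page's test matrix.
JWKS and token are the Istio demo values from the page; everything else
(function names, status mapping) is an assumption."""
import base64
import hashlib
import hmac
import json
import time
from fnmatch import fnmatchcase

# PKCS#1 v1.5 DigestInfo prefix for SHA-256 (RFC 8017, section 9.2).
_SHA256_DIGESTINFO = bytes.fromhex("3031300d060960864801650304020105000420")

# Demo JWKS and token from the page (Istio samples).
JWKS = {"keys": [{
    "e": "AQAB",
    "kid": "DHFbpoIUqrY8t2zpA2qXfCmr5VO5ZEr4RzHU_-envvQ",
    "kty": "RSA",
    "n": "xAE7eB6qugXyCAG3yhh7pkDkT65pHymX-P7KfIupjf59vsdo91bSP9C8H07pSAGQO1MV_xFj9VswgsCg4R6otmg5PV2He95lZdHtOcU5DXIg_pbhLdKXbi66GlVeK6ABZOUW3WYtnNHD-91gVuoeJT_DwtGGcp4ignkgXfkiEm4sw-4sfb4qdt5oLbyVpmW6x9cfa7vs2WTfURiCrBoUqgBo_-4WTiULmmHSGZHOjzwa8WtrtOQGsAFjIbno85jp6MnGGGZPYZbDAa_b3y5u-YpW7ypZrvD8BgtKVjgtQgZhLAGezMt0ua3DRrWnKqTZ0BJ_EyxOGuHJrLsn00fnMQ",
}]}
TOKEN = "eyJhbGciOiJSUzI1NiIsImtpZCI6IkRIRmJwb0lVcXJZOHQyenBBMnFYZkNtcjVWTzVaRXI0UnpIVV8tZW52dlEiLCJ0eXAiOiJKV1QifQ.eyJleHAiOjQ2ODU5ODk3MDAsImZvbyI6ImJhciIsImlhdCI6MTUzMjM4OTcwMCwiaXNzIjoidGVzdGluZ0BzZWN1cmUuaXN0aW8uaW8iLCJzdWIiOiJ0ZXN0aW5nQHNlY3VyZS5pc3Rpby5pbyJ9.CfNnxWP2tcnR9q0vxyxweaF3ovQYHYZl82hAUsn21bwQd9zP7c-LS9qd_vpdLG4Tn1A15NxfCjp5f7QNBUo-KC9PJqYpgGbaXhaGx7bEdFWjcwv3nZzvc7M__ZpaCERdwU7igUmJqYGBYQ51vr2njU9ZimyKkfDe3axcyiBZde7G6dabliUosJvvKOPcKIWPccCgefSj_GNfwIip3-SsFdlR7BtbVUcqR-yv-XOxJ3Uc1MI0tz3uMiiZcyPV7sNCU4KRnemRIMHVOfuvHsU60_GhGbiSFzgPTAa9WTltbnarTbxudb_YEOx12JiwYToeX0DCPb43W1tzIBxgm8NxUg"
ISSUER = "testing@secure.istio.io"


class JwtError(Exception):
    """Raised for any token the RequestAuthentication stage would reject."""


def _b64url_decode(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def verify_rs256(token, jwks, issuer, now=None):
    """Return the claims if the token is well-formed, RS256-signed by the JWKS key
    named in its kid header, issued by `issuer` and not expired; else raise JwtError."""
    try:
        h64, p64, s64 = token.split(".")
        header = json.loads(_b64url_decode(h64))
        claims = json.loads(_b64url_decode(p64))
        sig = _b64url_decode(s64)
    except ValueError:  # wrong segment count, bad base64 or bad JSON
        raise JwtError("malformed token")
    if not isinstance(header, dict) or not isinstance(claims, dict):
        raise JwtError("malformed token")
    if header.get("alg") != "RS256":
        raise JwtError("unsupported alg")
    key = next((k for k in jwks["keys"] if k.get("kid") == header.get("kid")), None)
    if key is None or key.get("kty") != "RSA":
        raise JwtError("unknown kid")
    n = int.from_bytes(_b64url_decode(key["n"]), "big")
    e = int.from_bytes(_b64url_decode(key["e"]), "big")
    k = (n.bit_length() + 7) // 8
    if len(sig) != k:
        raise JwtError("bad signature length")
    # RSASSA-PKCS1-v1_5: EM = 0x00 0x01 || 0xFF..0xFF || 0x00 || DigestInfo || H(M)
    em = pow(int.from_bytes(sig, "big"), e, n).to_bytes(k, "big")
    t = _SHA256_DIGESTINFO + hashlib.sha256(f"{h64}.{p64}".encode("ascii")).digest()
    expected = b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t
    if not hmac.compare_digest(em, expected):
        raise JwtError("signature mismatch")
    if claims.get("iss") != issuer:
        raise JwtError("issuer mismatch")
    if claims.get("exp", 0) <= (time.time() if now is None else now):
        raise JwtError("expired")
    return claims


def gateway_decision(path, token, mode, rules, jwks=JWKS, issuer=ISSUER):
    """Status code for one request: 401 when a token is present but invalid
    (any path), 403 when the mode requires a JWT on this path and none is
    present, otherwise 200. `mode` is "Auth If Matched" or "Bypass Auth If Matched"."""
    has_valid = False
    if token is not None:
        try:
            verify_rs256(token, jwks, issuer)
            has_valid = True
        except JwtError:
            return 401  # RequestAuthentication rejects bad tokens regardless of path
    matched = any(fnmatchcase(path, rule) for rule in rules)  # "*" spans "/" like Istio
    requires_jwt = matched if mode == "Auth If Matched" else not matched
    if requires_jwt and not has_valid:
        return 403  # AuthorizationPolicy denies requests without a request principal
    return 200


if __name__ == "__main__":
    for mode, rules in (("Auth If Matched", ["/static/*", "/api/*"]),
                        ("Bypass Auth If Matched", ["/static/*"])):
        print(mode, rules)
        for path in ("/productpage", "/api/v1/products/1", "/static/jquery.min.js"):
            print(f"  {path:24} no JWT: {gateway_decision(path, None, mode, rules)}  "
                  f"invalid: {gateway_decision(path, 'invalid-token', mode, rules)}  "
                  f"valid: {gateway_decision(path, TOKEN, mode, rules)}")
```

Running the script prints the same two matrices as the tables above. The useful property to notice is that the 401 row does not depend on the match mode at all: any request that presents a token is forced through signature, issuer and expiry checks, so rotating the JWKS or changing the issuer invalidates every token before the path rules are even consulted.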
References
For more information about the concepts and features of ASM security policies, see ASM security policies overview.
You can enable the mesh audit feature to record or trace the daily operations of different users. You can also configure audit alerts for operations on ASM resources and send alert notifications to alert contacts in a timely manner when important resources change. For more information, see Use the KubeAPI operation audit feature in ASM and Configure audit alerts for operations on ASM resources.