End-user authentication with JWT

./scripts/clean.sh

In this chapter, we are going to see how to enable authenticating end user with Istio.At the time of writing this chapter, only the JWT mechanism is supported.

Enabling User-End Authentication

Now it is time to enable end-user authentication.

The first thing you need to do is run curl istio-ingressgateway-istio-system.$(minishift ip).nip.io and validate that now it is still possible to communicate between all services without been authenticated.

curl http://istio-ingressgateway-istio-system.$(minishift ip).nip.io/customer
customer => preference => recommendation v1 from 'b4d67bcb7-7rp88': 4

Then run:

kubectl create -f istiofiles/enduser-authentication-jwt.yml

Then let’s run the curl again:

curl http://istio-ingressgateway-istio-system.$(minishift ip).nip.io/customer
Origin authentication failed.%`

And now the communication is not possible because the user has not been identified (provides a valid JWT token).

To get a correct token, just run next curl request.

token=$(curl https://gist.githubusercontent.com/lordofthejars/a02485d70c99eba70980e0a92b2c97ed/raw/f16b938464b01a2e721567217f672f11dc4ef565/token.simple.jwt -s)
echo $token

Then let’s repeat the request but passing the token stored in token variable.

curl -H "Authorization: Bearer $token" http://istio-ingressgateway-istio-system.$(minishift ip).nip.io/customer
customer => preference => recommendation v1 from 'b4d67bcb7-7rp88': 4

Now just change some part of the token and send the request again, you’ll notice that request is refused.

Clean Up

kubectl delete -f istiofiles/enduser-authentication-jwt.yml