Copy JWT Claims to HTTP Headers

This feature is actively in development and is considered experimental.

This task shows you how to copy valid JWT claims to HTTP headers after JWT authentication is successfully completed via an Istio request authentication policy.

Only claims of type string, boolean, and integer are supported. Array type claims are not supported at this time.

Before you begin

Before you begin this task, do the following:

  • Familiarize yourself with Istio end user authentication support.

  • Install Istio using Istio installation guide.

  • Deploy httpbin and sleep workloads in namespace foo with sidecar injection enabled. Deploy the example namespace and workloads using these commands:

    ZipZip

    1. $ kubectl create ns foo
    2. $ kubectl label namespace foo istio-injection=enabled
    3. $ kubectl apply -f @samples/httpbin/httpbin.yaml@ -n foo
    4. $ kubectl apply -f @samples/sleep/sleep.yaml@ -n foo

  • Verify that sleep successfully communicates with httpbin using this command:

    1. $ kubectl exec "$(kubectl get pod -l app=sleep -n foo -o jsonpath={.items..metadata.name})" -c sleep -n foo -- curl http://httpbin.foo:8000/ip -sS -o /dev/null -w "%{http_code}\n"
    2. 200

    If you don’t see the expected output, retry after a few seconds. Caching and propagation can cause a delay.

Allow requests with valid JWT and list-typed claims

  1. The following command creates the jwt-example request authentication policy for the httpbin workload in the foo namespace. This policy accepts a JWT issued by testing@secure.istio.io and copies the value of claim foo to an HTTP header X-Jwt-Claim-Foo:

    1. $ kubectl apply -f - <<EOF
    2. apiVersion: security.istio.io/v1beta1
    3. kind: RequestAuthentication
    4. metadata:
    5.   name: "jwt-example"
    6.   namespace: foo
    7. spec:
    8.   selector:
    9.     matchLabels:
    10.       app: httpbin
    11.   jwtRules:
    12.   - issuer: "testing@secure.istio.io"
    13.     jwksUri: "https://raw.githubusercontent.com/istio/istio/release-1.18/security/tools/jwt/samples/jwks.json"
    14.     outputClaimToHeaders:
    15.     - header: "x-jwt-claim-foo"
    16.       claim: "foo"
    17. EOF

  2. Verify that a request with an invalid JWT is denied:

    1. $ kubectl exec "$(kubectl get pod -l app=sleep -n foo -o jsonpath={.items..metadata.name})" -c sleep -n foo -- curl "http://httpbin.foo:8000/headers" -sS -o /dev/null -H "Authorization: Bearer invalidToken" -w "%{http_code}\n"
    2. 401

  3. Get the JWT which is issued by testing@secure.istio.io and has a claim with key foo.

    1. $ TOKEN=$(curl https://raw.githubusercontent.com/istio/istio/release-1.18/security/tools/jwt/samples/demo.jwt -s) && echo "$TOKEN" | cut -d '.' -f2 - | base64 --decode -
    2. {"exp":4685989700,"foo":"bar","iat":1532389700,"iss":"testing@secure.istio.io","sub":"testing@secure.istio.io"}

  4. Verify that a request with a valid JWT is allowed:

    1. $ kubectl exec "$(kubectl get pod -l app=sleep -n foo -o jsonpath={.items..metadata.name})" -c sleep -n foo -- curl "http://httpbin.foo:8000/headers" -sS -o /dev/null -H "Authorization: Bearer $TOKEN" -w "%{http_code}\n"
    2. 200

  5. Verify that a request contains a valid HTTP header with JWT claim value:

    1. $ kubectl exec "$(kubectl get pod -l app=sleep -n foo -o jsonpath={.items..metadata.name})" -c sleep -n foo -- curl "http://httpbin.foo:8000/headers" -sS -H "Authorization: Bearer $TOKEN" | grep "X-Jwt-Claim-Foo" | sed -e 's/^[ \t]*//'
    2. "X-Jwt-Claim-Foo": "bar"

Clean up

Remove the namespace foo:

  1. $ kubectl delete namespace foo