End-user authentication with JWT

In this chapter, we are going to see how to enable end-user authentication with Istio, so that a request is only accepted when it carries a valid JWT.

Enabling End-User Authentication

Now it is time to enable end-user authentication.

The first thing you need to do is make a request to customer and confirm that, before any policy is applied, the services still talk to each other without authentication:

curl $customer

customer => preference => recommendation v1 from 'b4d67bcb7-7rp88': 4

Then run:

Then let’s run the curl again:

curl $customer

Origin authentication failed.

Now the request is rejected: the caller has not been identified, because it did not present a valid JWT.

To get a valid token, run the next curl request, which downloads the token used by the workshop and stores it in a shell variable.

token=$(curl https://raw.githubusercontent.com/Sfeir/kubernetes-istio-workshop/master/manifests/istio/security/end-user_authentication/token.jwt -s)

echo $token

Then repeat the request, this time passing the token stored in the token variable in the Authorization header:

curl -H "Authorization: Bearer $token" $customer

customer => preference => recommendation v1 from 'b4d67bcb7-7rp88': 4

Now change any part of the token (a character in the payload or in the signature) and send the request again: you’ll notice that the request is refused, because the signature no longer verifies against the header and payload.
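To make that last step concrete, here is an added example (not code from the workshop or from Istio) showing what a verifier does when it refuses an altered token: split the three base64url segments, recompute the signature over header.payload and compare it, then check issuer and expiry. Everything here is constructed: the HS256 secret DEMO_SECRET and the issuer DEMO_ISSUER stand in for the real issuer, whose token Istio checks against the public keys it fetches from the issuer’s JWKS URL (that is why a captured token cannot be edited and re-signed by an attacker).

```python
import base64
import binascii
import hashlib
import hmac
import json
import time

# Constructed demo values: the workshop token is signed by the issuer's private key and
# Istio checks it against the issuer's published public keys; this symmetric secret and
# issuer name only stand in for that so the example runs offline.
DEMO_SECRET = b"workshop-demo-secret"
DEMO_ISSUER = "https://issuer.example"


def b64url_encode(data: bytes) -> str:
    """JWT segments are base64url without padding."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(segment: str) -> bytes:
    """Restore the padding that JWT strips, then decode."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _dump(obj: dict) -> bytes:
    return json.dumps(obj, separators=(",", ":")).encode("utf-8")


def sign_hs256(claims: dict, secret: bytes) -> str:
    """Mint a token: base64url(header).base64url(payload).base64url(HMAC-SHA256)."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = b64url_encode(_dump(header)) + "." + b64url_encode(_dump(claims))
    sig = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


def inspect(token: str) -> tuple:
    """Decode header and payload WITHOUT verifying (what 'echo $token' holds, made readable)."""
    header_b64, payload_b64, _ = token.split(".")
    return json.loads(b64url_decode(header_b64)), json.loads(b64url_decode(payload_b64))


def verify_hs256(token: str, secret: bytes, issuer: str, now=None) -> tuple:
    """Return (accepted, reason). The signature is checked before any claim is trusted."""
    parts = token.split(".")
    if len(parts) != 3:
        return False, "malformed token"
    header_b64, payload_b64, sig_b64 = parts
    try:
        header = json.loads(b64url_decode(header_b64))
        payload = json.loads(b64url_decode(payload_b64))
        sig = b64url_decode(sig_b64)
    except (ValueError, binascii.Error):
        return False, "malformed token"
    # Do not let the token choose the algorithm: the verifier pins what it accepts.
    if header.get("alg") != "HS256":
        return False, "unexpected alg"
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):
        return False, "bad signature"
    if payload.get("iss") != issuer:
        return False, "wrong issuer"
    now = int(time.time()) if now is None else now
    if "exp" in payload and now >= payload["exp"]:
        return False, "expired"
    return True, "ok"


def tamper_demo() -> dict:
    """Reproduce the chapter's last step: the intact token passes, every altered copy is refused."""
    now = 1_700_000_000  # fixed clock so the results are reproducible
    claims = {"iss": DEMO_ISSUER, "sub": "alice", "exp": 2_000_000_000}
    token = sign_hs256(claims, DEMO_SECRET)
    h, p, s = token.split(".")
    # 1. Rewrite the payload (change the subject) but keep the old signature.
    forged_payload = b64url_encode(_dump(dict(claims, sub="mallory")))
    # 2. Flip one character of the signature (not the last one, whose low bits are padding).
    forged_sig = ("B" if s[0] != "B" else "A") + s[1:]
    # 3. Correctly signed tokens from the wrong issuer, or already expired, are refused too.
    wrong_iss = sign_hs256(dict(claims, iss="https://other.example"), DEMO_SECRET)
    expired = sign_hs256(dict(claims, exp=now - 1), DEMO_SECRET)
    return {
        "valid": verify_hs256(token, DEMO_SECRET, DEMO_ISSUER, now),
        "payload_changed": verify_hs256(f"{h}.{forged_payload}.{s}", DEMO_SECRET, DEMO_ISSUER, now),
        "signature_changed": verify_hs256(f"{h}.{p}.{forged_sig}", DEMO_SECRET, DEMO_ISSUER, now),
        "wrong_issuer": verify_hs256(wrong_iss, DEMO_SECRET, DEMO_ISSUER, now),
        "expired": verify_hs256(expired, DEMO_SECRET, DEMO_ISSUER, now),
        "no_token": verify_hs256("", DEMO_SECRET, DEMO_ISSUER, now),
    }


if __name__ == "__main__":
    for case, (ok, reason) in tamper_demo().items():
        print(f"{case:18} accepted={ok} ({reason})")
```

Run it with python3: only the untouched token is accepted, and each altered copy is refused with the reason a proxy would log. Note that the verifier pins the algorithm it accepts instead of reading it from the token header, and compares signatures with a constant-time comparison; inspect() is there to look at the claims in the downloaded token, but nothing in it should be trusted until verify_hs256() (or, in the mesh, the sidecar) has accepted the signature.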

In this chapter you’ve seen how to enable end-user authentication with JWT.

Obviously, you should also keep mTLS enabled: the bearer token is only as secret as the channel it travels over, and an attacker who can sniff plaintext traffic between services could capture it and replay it.