End-user authentication with JWT
In this chapter, we are going to see how to enable authenticating end user with Istio.
Enabling End-User Authentication
Now it is time to enable end-user authentication.
The first thing you need to do is to make a request to customer
and validate that it is still possible to communicate between all services without authentication.
curl $customer
customer => preference => recommendation v1 from 'b4d67bcb7-7rp88': 4
Then run:
Then let’s run the curl again:
curl $customer
Origin authentication failed.
And now the communication is not possible because the user has not been identified (provides a valid JWT token).
To get a correct token, just run next curl
request.
token=$(curl https://raw.githubusercontent.com/Sfeir/kubernetes-istio-workshop/master/manifests/istio/security/end-user_authentication/token.jwt -s)
echo $token
Then let’s repeat the request but passing the token stored in token
variable.
curl -H "Authorization: Bearer $token" $customer
customer => preference => recommendation v1 from 'b4d67bcb7-7rp88': 4
Now just change some part of the token and send the request again, you’ll notice that request is refused.
In this chapter you’ve seen how to enable end-user authentication with JWT. Obviously, you should also keep enabled mTLS to avoid any attacker could take the token. |