RequestAuthentication
RequestAuthentication
RequestAuthentication defines what request authentication methods are supported by a workload. It will reject a request if the request contains invalid authentication information, based on the configured authentication rules. A request that does not contain any authentication credentials will be accepted but will not have any authenticated identity. To restrict access to authenticated requests only, this should be accompanied by an authorization rule. Examples:
- Require JWT for all request for workloads that have label
app:httpbin
- A policy in the root namespace (“istio-system” by default) applies to workloads in all namespaces in a mesh. The following policy makes all workloads only accept requests that contain a valid JWT token.
- The next example shows how to set a different JWT requirement for a different
host
. TheRequestAuthentication
declares it can accept JWTs issued by eitherissuer-foo
orissuer-bar
(the public key set is implicitly set from the OpenID Connect spec).
- You can fine tune the authorization policy to set different requirement per path. For example,
to require JWT on all paths, except /healthz, the same
RequestAuthentication
can be used, but the authorization policy could be:
[Experimental] Routing based on derived metadata5 is now supported. A prefix ‘@’ is used to denote a match against internal metadata instead of the headers in the request. Currently this feature is only supported for the following metadata:
request.auth.claims.{claim-name}[.{nested-claim}]*
which are extracted from validated JWT tokens. Use the.
or[]
as a separator for nested claim names. Examples:request.auth.claims.sub
,request.auth.claims.name.givenName
andrequest.auth.claims[foo.com/name]
. For more information, see JWT claim based routing6.
The use of matches against JWT claim metadata is only supported in Gateways. The following example shows:
- RequestAuthentication to decode and validate a JWT. This also makes the
@request.auth.claims
available for use in the VirtualService. - AuthorizationPolicy to check for valid principals in the request. This makes the JWT required for the request.
- VirtualService to route the request based on the “sub” claim.