
I have a container which runs an http/rest service that requires basic auth. I have istio configured to service requests to this container. The service runs correctly on a cluster without istio.

When querying the service with curl istio-envoy returns with status 401 and message "Full authentication is required to access this resource".

I can get the same error by logging into the container and querying localhost with no authentication details provided. So by all appearances it seems istio is not forwarding on the basic authentication header.

The container log never acknowledges the login attempt; I only see a 401 log message in the envoy container.

I have tried with both mtls enabled and disabled. The gateway listens on port 443 and forwards to the service on port 80.

How do I configure istio to forward basic auth to my container?

```yaml
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: mfm-gateway
  namespace: mfm-istio
spec:
  selector:
    istio: ingressgateway
  servers:
  - port:
      number: 443
      name: https
      protocol: HTTPS
    hosts:
    - dev-mfm-istio.testing.co.uk
    tls:
      mode: SIMPLE
      serverCertificate: /etc/istio/testing-co-uk-certs/tls.crt
      privateKey: /etc/istio/testing-co-uk-certs/tls.key
      caCertificates: /etc/istio/testing-co-uk-certs/ca.crt
      httpsRedirect: true
---
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: mfm-virtualservice
  namespace: mfm-istio
spec:
  hosts:
  - "dev-mfm-istio.testing.co.uk"
  gateways:
  - mfm-istio/mfm-gateway
  http:
  - name: "Auth"
    match:
    - uri:
        prefix: "/auth"
    route:
    - destination:
        host: authentication-service.mfm-istio.svc.cluster.local
        port:
          number: 80
  - name: "Base"
    route:
    - destination:
        host: web-application-service.mfm-istio.svc.cluster.local
        port:
          number: 80
```
```
localhost: curl -ik https://dev-mfm-istio.testing.co.uk/auth/oauth/token -d username=admin -d password=lolpassword -d grant_type=password -d scope=a -H -u admin

HTTP/2 401 
pragma: no-cache
www-authenticate: Bearer realm="authentication-service", error="unauthorized", error_description="Full authentication is required to access this resource"
cache-control: no-store
x-content-type-options: nosniff
x-xss-protection: 1; mode=block
x-frame-options: DENY
content-type: application/json;charset=UTF-8
date: Fri, 17 Apr 2020 13:51:43 GMT
x-envoy-upstream-service-time: 4
server: istio-envoy

{"error":"unauthorized","error_description":"Full authentication is required to access this resource"}
```
nick robinson
  • As far as I can see you use jwt with auth0 as an authenticator, am I right? Have you followed any tutorial to make it work? Based on istio code on [github](https://github.com/istio/proxy/blob/5789f684ac335043e42b4a0242b42d4f48c3a0cd/src/envoy/http/jwt_auth/http_filter.cc?fbclid=IwAR1cZbGzD8pTfCNaAkTSCamRYfcvdIlUW-JU7fW0SuV2uRxDryuzI75QFHs#L59-L75) seems like there are some issues with jwt status.You can turn on debug level in the filter to see what went wrong. Follow the conversation [here](https://github.com/istio/istio/issues/15122). – Jakub Apr 20 '20 at 09:48
  • thanks for the reply. yes the container has a jwt implementation via spring boot. but this is separate from istio, I don't particularly want to implement jwt in istio or have istio do the auth, i want the container to handle the auth but the sidecar doesnt seem to co-operate. i dont know if this is a limitation or is i just dont understand istio well enough – nick robinson Apr 20 '20 at 20:14
  • It works without istio? Could you try to add Policy as mentioned [here](https://www.citrix.com/blogs/2020/03/19/end-user-authentication-in-istio-service-mesh-with-citrix/) for your gateway with your issuer and jwkUri? There is [istio documentation](https://istio.io/docs/tasks/security/authorization/authz-jwt/). If that won't work i would rather focus on the jwt implementation via spring boot.Have you tried to find a solution for the error from curl?For example [here](https://stackoverflow.com/questions/26881296/spring-security-oauth2-full-authentication-is-required-to-access-this-resource)? – Jakub Apr 21 '20 at 08:55
  • this works without istio and also on linkerd. one sticking point is that jwkuri, we cant expose one, and i dont want istio to do the auth, it needs to be handled by the app. the issue is almost certainly with envoy, im reluctant to add elaborate filters for something so simple but it seems to be the only solution – nick robinson Apr 21 '20 at 13:03
  • AFAIK if you add the [policy](https://istio.io/docs/reference/config/security/istio.authentication.v1alpha1/), which defines what authentication methods can be accepted on workload(s), and if authenticated, which method/certificate will set the request principal, it should allow jwt from springboot to do the authentication in istio. Check [this](https://istio.io/docs/ops/common-problems/security-issues/#end-user-authentication-fails). – Jakub Apr 21 '20 at 13:16
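The fastest way to settle "is the sidecar dropping the header?" is to put an upstream behind the gateway that records exactly what arrives, instead of inferring it from a 401. The script below is an added example (not part of the question, and not Istio or Spring Boot code): a minimal echo upstream that parses `Authorization: Basic` the way a backend would, and a probe that sends the same header `curl -u admin:lolpassword` builds. It assumes a loopback server; against the real cluster you would deploy the handler as the `/auth` upstream and point `probe` at the gateway URL. One thing worth checking first on the client side: in the transcript above, `-H -u admin` passes `-u` as the value of `-H`, so that curl invocation sends no `Authorization` header at all, whereas `-u admin:lolpassword` does.

```python
"""Echo upstream + probe for checking whether an ingress forwards Basic auth.
Added example; not part of the original question or of Istio."""
import base64
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.error import HTTPError
from urllib.request import Request, urlopen


def basic_auth_header(user: str, password: str) -> str:
    """Build the RFC 7617 value that `curl -u user:password` sends."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return f"Basic {token}"


def parse_basic_auth(value):
    """Return (user, password) from an Authorization header value, or None
    when the header is absent, not Basic, not valid base64, or lacks ':'."""
    if value is None:
        return None
    scheme, _, token = value.partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        decoded = base64.b64decode(token, validate=True).decode()
    except (ValueError, UnicodeDecodeError):
        return None
    user, sep, password = decoded.partition(":")
    if not sep:
        return None
    return user, password


class EchoHandler(BaseHTTPRequestHandler):
    """Records what the upstream actually received; answers 200 or 401."""
    seen = []  # one entry per request: parsed credentials or None

    def do_POST(self):
        creds = parse_basic_auth(self.headers.get("Authorization"))
        EchoHandler.seen.append(creds)
        self.rfile.read(int(self.headers.get("Content-Length", 0)))  # drain body
        self.send_response(200 if creds else 401)
        if not creds:
            self.send_header("WWW-Authenticate", 'Basic realm="echo"')
        self.end_headers()

    def log_message(self, *args):
        pass  # keep the demo quiet; `seen` is the record we care about


def run_echo_server():
    """Start the echo upstream on a free loopback port in a daemon thread."""
    server = HTTPServer(("127.0.0.1", 0), EchoHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server


def probe(url, auth_header=None):
    """POST a token-style form body, optionally with an Authorization header;
    return the HTTP status the client saw."""
    req = Request(url, data=b"grant_type=password", method="POST")
    if auth_header:
        req.add_header("Authorization", auth_header)
    try:
        with urlopen(req) as resp:
            return resp.status
    except HTTPError as e:
        return e.code


def demo():
    """Run both probes against the local echo upstream (constructed test
    traffic, same credentials as the question) and return what each side saw."""
    del EchoHandler.seen[:]
    server = run_echo_server()
    base = f"http://127.0.0.1:{server.server_port}/auth/oauth/token"
    results = {
        "no_header": probe(base),
        "basic": probe(base, basic_auth_header("admin", "lolpassword")),
    }
    server.shutdown()
    return results, list(EchoHandler.seen)


if __name__ == "__main__":
    print(demo())
```

Locally the run gives `no_header` 401, `basic` 200, and `seen` shows the upstream decoded `admin`/`lolpassword`. Run the same two probes through the gateway with the handler deployed as the `/auth` upstream: if the upstream records `None` for the Basic probe, the mesh is stripping the header; if the credentials arrive and the real service still answers 401, the rejection is coming from the application's own filter chain, not from Envoy.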

1 Answer


AFAIK if your container has a jwt implementation via spring boot, separate from istio, you should add the policy in istio, which defines what authentication methods can be accepted on workload(s), and if authenticated, which method/certificate will set the request principal.

It should allow jwt from springboot to do the authentication in istio.

Useful links about istio policy for jwt.

Useful link about the error

{"error":"unauthorized","error_description":"Full authentication is required to access this resource"}

To check exactly what caused a 401, when using JWT authentication you can follow this github issue.

Jakub
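What the answer recommends, written out as an `authentication.istio.io/v1alpha1` Policy (the API the comments link to) for the asker's namespace and service. This is an added example, not the answerer's or Istio's own config. The `issuer` and `jwksUri` values are placeholders for whatever the Spring Boot app issues, and the `triggerRules` exclusion of `/auth/oauth/token` is an assumption that the token endpoint is the one request reached with Basic credentials rather than a JWT; without such an exclusion the sidecar rejects that request at Envoy with 401 before the application sees it. On Istio 1.5 and later the same rule is expressed as a `security.istio.io/v1beta1` `RequestAuthentication` with `jwtRules`.

```yaml
# Added example, not from the answer or the Istio project.
apiVersion: authentication.istio.io/v1alpha1
kind: Policy
metadata:
  name: authentication-service-jwt
  namespace: mfm-istio
spec:
  targets:
  - name: authentication-service        # Service the VirtualService routes /auth to
  origins:
  - jwt:
      issuer: "https://issuer.example.invalid"                        # placeholder: iss claim of your tokens
      jwksUri: "https://issuer.example.invalid/.well-known/jwks.json"  # placeholder: where the sidecar fetches signing keys
      triggerRules:
      - excludedPaths:
        - prefix: /auth/oauth/token      # assumption: credential exchange happens here without a JWT
  principalBinding: USE_ORIGIN           # request principal comes from the validated JWT
```

Apply with `kubectl apply -f` in the `mfm-istio` namespace. With this in place, every other request to the service must carry a JWT the sidecar can verify against the configured keys, so a 401 on those paths now comes from Envoy (visible in the sidecar log at debug level) rather than from the application.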