Alibaba Cloud Service Mesh:Configure JWT-based authentication on an ingress gateway

Last Updated: Jan 22, 2024

You can enable JWT-based authentication on a gateway to implement centralized authentication and authorization. This way, only authenticated requests can access backend services. JWT is short for JSON Web Token.

Background information

JWTs are commonly used to authenticate users. A JWT carries user information and a field that stores encrypted user information. When you implement JWT-based authentication, the encrypted user information is decrypted and compared with the input user information. This verifies the user identity. For more information, see JWT.

Prerequisites

Procedure

  1. Log on to the ASM console. In the left-side navigation pane, choose Service Mesh > Mesh Management.

  2. On the Mesh Management page, click the name of the ASM instance. In the left-side navigation pane, choose ASM Gateways > Ingress Gateway.

  3. On the Ingress Gateway page, click the name of the ingress gateway that you want to use.

  4. In the Gateway overview navigation pane, choose Gateway Security > JWT certification.

  5. In the JWT Config step of the configuration wizard, turn on Enable gateway JWT authentication, configure the related parameters, and then click Next.

    Issuer: The issuer of the JWT. In this example, the parameter is set to testing@secure.istio.io.

    JWKS Source: The JSON Web Key Set (JWKS) that is used to verify JWTs. In this example, jwks is selected.

    Key: Example value (a JWKS document):

    { "keys":[ {"e":"AQAB","kid":"DHFbpoIUqrY8t2zpA2qXfCmr5VO5ZEr4RzHU_-envvQ","kty":"RSA","n":"xAE7eB6qugXyCAG3yhh7pkDkT65pHymX-P7KfIupjf59vsdo91bSP9C8H07pSAGQO1MV_xFj9VswgsCg4R6otmg5PV2He95lZdHtOcU5DXIg_pbhLdKXbi66GlVeK6ABZOUW3WYtnNHD-91gVuoeJT_DwtGGcp4ignkgXfkiEm4sw-4sfb4qdt5oLbyVpmW6x9cfa7vs2WTfURiCrBoUqgBo_-4WTiULmmHSGZHOjzwa8WtrtOQGsAFjIbno85jp6MnGGGZPYZbDAa_b3y5u-YpW7ypZrvD8BgtKVjgtQgZhLAGezMt0ua3DRrWnKqTZ0BJ_EyxOGuHJrLsn00fnMQ"}]}

    AdvancedConfig: Click AdvancedConfig. In the JWT Rules Advanced Options dialog box, set JWTToken Position, JWT Passthrough, and Transmit Payload through Header based on your requirements. Click OK.

  6. In the Matching Rules step of the configuration wizard, configure the parameters and click Submit.

    Match Mode: In this example, Auth If Matched is selected. Valid values:

    • Auth If Matched: JWT-based authentication is performed on the specified requests.

    • Bypass Auth If Matched: JWT-based authentication is not required for the specified requests.

    Matching Rules: Select Custom Matching Rules, turn on Path, and then set this parameter to /productpage. This configuration indicates that requests to the /productpage path must pass JWT-based authentication. Requests to other paths are not required to pass JWT-based authentication.

    Note

    In this case, requests to other paths are allowed if they carry no JWT, but are denied if they carry an invalid JWT.

    Then, a message that indicates JWT-based authentication is successfully configured appears, and native Istio security resources are displayed. You can click YAML to view the resource configurations.

  7. Verify whether the JWT-based authentication configuration takes effect.

    1. Run the following command to configure environment variables:

      TOKEN=eyJhbGciOiJSUzI1NiIsImtpZCI6IkRIRmJwb0lVcXJZOHQyenBBMnFYZkNtcjVWTzVaRXI0UnpIVV8tZW52dlEiLCJ0eXAiOiJKV1QifQ.eyJleHAiOjQ2ODU5ODk3MDAsImZvbyI6ImJhciIsImlhdCI6MTUzMjM4OTcwMCwiaXNzIjoidGVzdGluZ0BzZWN1cmUuaXN0aW8uaW8iLCJzdWIiOiJ0ZXN0aW5nQHNlY3VyZS5pc3Rpby5pbyJ9.CfNnxWP2tcnR9q0vxyxweaF3ovQYHYZl82hAUsn21bwQd9zP7c-LS9qd_vpdLG4Tn1A15NxfCjp5f7QNBUo-KC9PJqYpgGbaXhaGx7bEdFWjcwv3nZzvc7M__ZpaCERdwU7igUmJqYGBYQ51vr2njU9ZimyKkfDe3axcyiBZde7G6dabliUosJvvKOPcKIWPccCgefSj_GNfwIip3-SsFdlR7BtbVUcqR-yv-XOxJ3Uc1MI0tz3uMiiZcyPV7sNCU4KRnemRIMHVOfuvHsU60_GhGbiSFzgPTAa9WTltbnarTbxudb_YEOx12JiwYToeX0DCPb43W1tzIBxgm8NxUg
    2. Run the following commands to perform access tests:

      • Test 1: Send a request that carries a valid JWT to access the /productpage path.

        curl -I http://${IP address of the ASM gateway}/productpage -H "Authorization: Bearer $TOKEN"

        Sample output:

        HTTP/1.1 200 OK
        content-type: text/html; charset=utf-8
        content-length: 4294
        server: istio-envoy
        date: Tue, 17 Jan 2023 08:47:34 GMT
        x-envoy-upstream-service-time: 17
      • Test 2: Send a request that carries no JWT to access the /productpage path.

        curl -I http://${IP address of the ASM gateway}/productpage

        Sample output:

        HTTP/1.1 403 Forbidden
        content-length: 19
        content-type: text/plain
        date: Tue, 17 Jan 2023 08:50:31 GMT
        server: istio-envoy
      • Test 3: Send a request that carries an invalid JWT to access the /productpage path.

        curl -I http://${IP address of the ASM gateway}/productpage -H "Authorization: Bearer invalid token"

        Sample output:

        HTTP/1.1 401 Unauthorized
        www-authenticate: Bearer realm="http://114.55.XXX.XXX/productpage", error="invalid_token"
        content-length: 79
        content-type: text/plain
        date: Tue, 17 Jan 2023 08:51:47 GMT
        server: istio-envoy
      • Test 4: Send a request that carries no JWT to access another path.

        curl -I http://${IP address of the ASM gateway}/api/v1/products/1

        Sample output:

        HTTP/1.1 200 OK
        content-type: application/json
        content-length: 195
        server: istio-envoy
        date: Tue, 17 Jan 2023 08:55:10 GMT
        x-envoy-upstream-service-time: 16

      The following table describes the test results. The test results meet expectations, which indicates that JWT-based authentication takes effect.

      Access test                                                                  Access allowed?
      Send a request that carries a valid JWT to access the /productpage path.     Yes
      Send a request that carries no JWT to access the /productpage path.          No
      Send a request that carries an invalid JWT to access the /productpage path.  No
      Send a request that carries no JWT to access another path.                   Yes
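The following example is added here to make the two mechanisms on this page concrete offline: the signature check that the Background information section describes (verifying the sample JWT against the sample JWKS with RS256), and the path-matching decision behind the four access tests, where a missing JWT on /productpage is denied with 403, an invalid JWT is denied with 401 on any path, and a missing JWT on other paths is allowed. It is not Alibaba Cloud or Istio code and does not reproduce the gateway's internals; the JWKS, token, issuer and /productpage rule are copied from this page, the status codes follow the sample output above, and the functions verify_rs256 and gateway_decision are names chosen for this illustration. It uses only the Python standard library so that it runs without fetching a JWKS over the network, which a real gateway would do from the configured JWKS URI.

```python
"""Added example (not Alibaba Cloud or Istio code): verify this page's sample JWT
against its sample JWKS and model the gateway's per-path decision."""
import base64
import hashlib
import hmac
import json
import time

# Sample JWKS and token copied from this page (Istio's public demo key material).
JWKS = {"keys": [{"e": "AQAB", "kid": "DHFbpoIUqrY8t2zpA2qXfCmr5VO5ZEr4RzHU_-envvQ", "kty": "RSA",
                  "n": "xAE7eB6qugXyCAG3yhh7pkDkT65pHymX-P7KfIupjf59vsdo91bSP9C8H07pSAGQO1MV_xFj9VswgsCg4R6otmg5PV2He95lZdHtOcU5DXIg_pbhLdKXbi66GlVeK6ABZOUW3WYtnNHD-91gVuoeJT_DwtGGcp4ignkgXfkiEm4sw-4sfb4qdt5oLbyVpmW6x9cfa7vs2WTfURiCrBoUqgBo_-4WTiULmmHSGZHOjzwa8WtrtOQGsAFjIbno85jp6MnGGGZPYZbDAa_b3y5u-YpW7ypZrvD8BgtKVjgtQgZhLAGezMt0ua3DRrWnKqTZ0BJ_EyxOGuHJrLsn00fnMQ"}]}
TOKEN = "eyJhbGciOiJSUzI1NiIsImtpZCI6IkRIRmJwb0lVcXJZOHQyenBBMnFYZkNtcjVWTzVaRXI0UnpIVV8tZW52dlEiLCJ0eXAiOiJKV1QifQ.eyJleHAiOjQ2ODU5ODk3MDAsImZvbyI6ImJhciIsImlhdCI6MTUzMjM4OTcwMCwiaXNzIjoidGVzdGluZ0BzZWN1cmUuaXN0aW8uaW8iLCJzdWIiOiJ0ZXN0aW5nQHNlY3VyZS5pc3Rpby5pbyJ9.CfNnxWP2tcnR9q0vxyxweaF3ovQYHYZl82hAUsn21bwQd9zP7c-LS9qd_vpdLG4Tn1A15NxfCjp5f7QNBUo-KC9PJqYpgGbaXhaGx7bEdFWjcwv3nZzvc7M__ZpaCERdwU7igUmJqYGBYQ51vr2njU9ZimyKkfDe3axcyiBZde7G6dabliUosJvvKOPcKIWPccCgefSj_GNfwIip3-SsFdlR7BtbVUcqR-yv-XOxJ3Uc1MI0tz3uMiiZcyPV7sNCU4KRnemRIMHVOfuvHsU60_GhGbiSFzgPTAa9WTltbnarTbxudb_YEOx12JiwYToeX0DCPb43W1tzIBxgm8NxUg"
ISSUER = "testing@secure.istio.io"

# DER-encoded DigestInfo prefix for SHA-256 (RFC 8017, section 9.2, note 1).
SHA256_DIGEST_INFO = bytes.fromhex("3031300d060960864801650304020105000420")

# The page's matching rule: Match Mode "Auth If Matched" with a custom Path rule for /productpage.
PROTECTED_PATHS = ("/productpage",)


def b64url_decode(data: str) -> bytes:
    """Decode unpadded base64url, the encoding JWTs and JWKS fields use."""
    return base64.urlsafe_b64decode(data + "=" * (-len(data) % 4))


def verify_rs256(token, jwks, issuer, now=None):
    """Verify an RS256 JWT against a JWKS and return its claims; raise ValueError on any failure."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(b64url_decode(header_b64))
        payload = json.loads(b64url_decode(payload_b64))
        signature = b64url_decode(sig_b64)
    except ValueError as exc:  # wrong segment count, bad base64 or bad JSON
        raise ValueError("malformed token") from exc
    if not isinstance(header, dict) or not isinstance(payload, dict):
        raise ValueError("malformed token")
    # Pin the algorithm rather than trusting whatever alg the token claims.
    if header.get("alg") != "RS256":
        raise ValueError("unsupported alg")
    key = next((k for k in jwks["keys"]
                if k.get("kty") == "RSA" and k.get("kid") == header.get("kid")), None)
    if key is None:
        raise ValueError("no matching kid in JWKS")
    n = int.from_bytes(b64url_decode(key["n"]), "big")
    e = int.from_bytes(b64url_decode(key["e"]), "big")
    k = (n.bit_length() + 7) // 8
    s = int.from_bytes(signature, "big")
    if len(signature) != k or s >= n:
        raise ValueError("bad signature encoding")
    # RSASSA-PKCS1-v1_5: s^e mod n must equal 00 01 FF..FF 00 || DigestInfo || SHA-256(header.payload)
    em = pow(s, e, n).to_bytes(k, "big")
    digest = hashlib.sha256(f"{header_b64}.{payload_b64}".encode("ascii")).digest()
    t = SHA256_DIGEST_INFO + digest
    expected = b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t
    if not hmac.compare_digest(em, expected):
        raise ValueError("signature mismatch")
    if payload.get("iss") != issuer:
        raise ValueError("issuer mismatch")
    now = int(time.time()) if now is None else now
    if "exp" in payload and now >= int(payload["exp"]):
        raise ValueError("token expired")
    return payload


def gateway_decision(path, authorization=None, now=None):
    """Model the gateway outcome for one request as the HTTP status the page's tests show."""
    token = None
    if authorization is not None:
        if not authorization.startswith("Bearer "):
            return 401
        token = authorization[len("Bearer "):]
    if token is not None:
        try:
            verify_rs256(token, JWKS, ISSUER, now)
        except ValueError:
            return 401  # a JWT that is present but invalid is rejected on every path
    if path in PROTECTED_PATHS and token is None:
        return 403  # matched path with no credential: the authorization rule denies it
    return 200


if __name__ == "__main__":
    for path, auth in [("/productpage", "Bearer " + TOKEN), ("/productpage", None),
                       ("/productpage", "Bearer invalid token"), ("/api/v1/products/1", None)]:
        shown = "no JWT" if auth is None else auth[:24] + "..."
        print(f"{path:22} {shown:30} -> {gateway_decision(path, auth)}")
```

Two design points carry over to any real deployment: the verifier selects the key by kid and fixes the algorithm to RS256 before doing any math, so a token cannot steer verification toward a weaker or absent algorithm, and the issuer and expiry are checked only after the signature, so unsigned claims are never acted on.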

References