authservice
Use new authN api in our bookinfo example
Per @rshriram's suggestion in the istio slack, we should update https://github.com/istio-ecosystem/authservice/blob/master/bookinfo-example/config/bookinfo-authn-policy-template-adding-reviews.yaml to use the new authN api
I believe it's called RequestAuthentication. Should be a pretty small fix.
I believe they will look something like this. Can anyone confirm? I am having trouble determining if I have misconfigured the RequestAuthentication and AuthorizationPolicy.
```yaml
apiVersion: security.istio.io/v1beta1
kind: RequestAuthentication
metadata:
  name: bookinfo-productpage
  namespace: bookinfo
spec:
  selector:
    matchLabels:
      app: productpage
  jwtRules:
  - issuer: https://kubernetes.docker.internal/auth/realms/example
    jwksUri: https://kubernetes.docker.internal/auth/realms/example/protocol/openid-connect/certs
  principalBinding: USE_ORIGIN
---
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: bookinfo-productpage
  namespace: bookinfo
spec:
  selector:
    matchLabels:
      app: productpage
  # rules:
  # - from:
  #   - source:
  #       requestPrincipals: ["*"]
```
Second, I am using Keycloak as my OIDC provider. You can see my JWT issuer rules in the RequestAuthentication resource above. If these lines are commented out, /productpage will return a 403. If they are NOT commented out, /productpage will return a 200. This seems strange to me as the docs suggest I should expect a 401 when requests are being denied. Furthermore, why are requests being allowed when I add the JWT rule and denied when it is absent?
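As an added example (not from this issue thread or the authservice repository), the following pair of `security.istio.io/v1beta1` resources applies the comment's JWT rule to the same `productpage` selector and annotates which component produces each status code. The issuer and jwksUri are the Keycloak values quoted above; the resource names are chosen for illustration. Two points worth checking against the posted config: `principalBinding` was a field of the older `authentication.istio.io/v1alpha1` Policy and is not part of the v1beta1 RequestAuthentication spec, and an AuthorizationPolicy whose `rules` are absent is an ALLOW policy that matches nothing, so it denies every request with a 403.

```yaml
# Added example; not code from the issue or from the authservice project.
# Issuer/jwksUri are the Keycloak values quoted in the comment above.
apiVersion: security.istio.io/v1beta1
kind: RequestAuthentication
metadata:
  name: bookinfo-productpage-jwt
  namespace: bookinfo
spec:
  selector:
    matchLabels:
      app: productpage
  jwtRules:
  - issuer: https://kubernetes.docker.internal/auth/realms/example
    jwksUri: https://kubernetes.docker.internal/auth/realms/example/protocol/openid-connect/certs
  # No principalBinding here: that field belonged to the v1alpha1 Policy
  # resource and does not exist on v1beta1 RequestAuthentication.
  # On its own this resource only validates tokens that are present:
  #   - request carrying a token that fails validation -> 401
  #   - request carrying no token at all               -> passed through
---
# The AuthorizationPolicy is what turns "no token" into a rejection.
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: bookinfo-productpage-require-jwt
  namespace: bookinfo
spec:
  selector:
    matchLabels:
      app: productpage
  action: ALLOW
  rules:
  - from:
    - source:
        # "*" matches any request that carries a validated JWT.
        # To accept only this Keycloak realm, use the "<issuer>/<sub>" form
        # with a prefix wildcard, e.g.
        #   ["https://kubernetes.docker.internal/auth/realms/example/*"]
        requestPrincipals: ["*"]
  # Outcomes with both resources applied:
  #   - no token                        -> 403 (no ALLOW rule matched)
  #   - invalid or expired token        -> 401 (rejected by RequestAuthentication)
  #   - valid token from the issuer     -> 200
  # Omitting `rules` entirely (the commented-out lines in the comment above)
  # leaves an ALLOW policy that matches nothing, which is why every request
  # gets a 403 in that configuration.
```

To verify after `kubectl apply -f` on both documents, request `/productpage` three ways: with no `Authorization` header (expect 403 from the AuthorizationPolicy), with `Authorization: Bearer <any malformed string>` (expect 401 from the RequestAuthentication), and with a token issued by the Keycloak realm (expect 200). Seeing 401 only on the malformed-token case is the intended behaviour: the 401 comes from token validation, while a missing token is an authorization decision and is reported as 403.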