I have installed istio and keycloak (ns keycloak) in a minikube.
Created a RequestAuthentication and an AuthorizationPolicy:
apiVersion: security.istio.io/v1beta1
kind: RequestAuthentication
metadata:
  name: requestauth
  namespace: default
spec:
  selector:
    matchLabels:
      app: quarkus
  jwtRules:
  - issuer: "http://keycloak.keycloak.svc.cluster.local:8080/realms/demo"
    jwksUri: "http://keycloak.keycloak.svc.cluster.local:8080/realms/demo/protocol/openid-connect/certs"
---
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: authpolicy
  namespace: default
spec:
  selector:
    matchLabels:
      app: quarkus
  rules:
  - from:
    - source:
        requestPrincipals: ["*"]
And after getting the token:
curl \
-sk \
--data "username=quarkus&password=quarkuspwd&grant_type=password&client_id=istio" \
https://keycloak.192.168.49.2.nip.io/realms/demo/protocol/openid-connect/token \
| jq ".access_token"
I make a call to my service:
curl -sv -H "Authorization: Bearer $token" "http://$GATEWAY_URL/echo/productpage"
it always returns an error:
* Trying 10.98.21.200:80...
* Connected to 10.98.21.200 (10.98.21.200) port 80 (#0)
> GET /echo/productpage HTTP/1.1
> Host: 10.98.21.200
> User-Agent: curl/7.87.0
> Accept: */*
> Authorization: Bearer eyJhbG........
>
* Mark bundle as not supporting multiuse
< HTTP/1.1 401 Unauthorized
< www-authenticate: Bearer realm="http://10.98.21.200/echo/productpage", error="invalid_token"
< content-length: 28
< content-type: text/plain
< date: Fri, 24 Feb 2023 17:12:33 GMT
< server: istio-envoy
<
* Connection #0 to host 10.98.21.200 left intact
Jwt issuer is not configured%
If I send a wrong header in the call:
curl -sv -H "AuthorizationXX: Bearer $token" "http://$GATEWAY_URL/echo/productpage"
I receive, as expected, an RBAC error:
* Mark bundle as not supporting multiuse
< HTTP/1.1 403 Forbidden
< content-length: 19
< content-type: text/plain
< date: Sun, 26 Feb 2023 11:39:30 GMT
< server: istio-envoy
< x-envoy-upstream-service-time: 14
<
* Connection #0 to host 10.98.21.200 left intact
RBAC: access denied%
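Envoy's jwt_authn filter answers 401 "Jwt issuer is not configured" when the token's iss claim equals none of the issuers listed in jwtRules; the 403 "RBAC: access denied" only appears once a token has passed that check (or no token was sent). The script below is an added diagnostic, not part of the question or of Istio: it decodes the JWT payload without verifying it and compares iss against the configured issuer. The sample token is constructed to show what typically happens when the token endpoint is reached through the nip.io hostname while jwtRules names the cluster-local service.

```python
import base64
import json

# Issuer exactly as configured in the RequestAuthentication jwtRules above.
CONFIGURED_ISSUERS = [
    "http://keycloak.keycloak.svc.cluster.local:8080/realms/demo",
]


def _b64url_decode(segment: str) -> bytes:
    """Decode a base64url segment, restoring the '=' padding JWTs strip."""
    segment += "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment)


def jwt_claims(token: str) -> dict:
    """Return the payload claims of a compact JWS WITHOUT verifying the signature.

    Signature verification is Envoy's job (via jwksUri); this only shows what
    the token says about itself, so never trust these claims for authorization.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected header.payload.signature)")
    return json.loads(_b64url_decode(parts[1]))


def check_issuer(token: str, issuers: list) -> tuple:
    """Mimic Envoy's issuer lookup: iss must equal one configured issuer exactly."""
    iss = jwt_claims(token).get("iss")
    if iss is None:
        return False, "token has no iss claim"
    if iss in issuers:
        return True, f"iss {iss!r} matches a configured jwtRules issuer"
    return False, (f"iss {iss!r} matches none of {issuers}; Envoy answers "
                   "401 'Jwt issuer is not configured'")


def make_unsigned_token(claims: dict) -> str:
    """Build a constructed sample token; the signature part is a placeholder."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'RS256', 'typ': 'JWT'})}.{enc(claims)}.placeholder-signature"


# Constructed example: the token was requested via the nip.io hostname, so the
# issuer stamped into iss is that external URL, not the cluster-local one.
EXTERNAL_TOKEN = make_unsigned_token({
    "iss": "https://keycloak.192.168.49.2.nip.io/realms/demo",
    "preferred_username": "quarkus",
})

if __name__ == "__main__":
    print(check_issuer(EXTERNAL_TOKEN, CONFIGURED_ISSUERS)[1])
```

To run it against a real token, replace EXTERNAL_TOKEN with the value of $token; the fix is to make the jwtRules issuer string identical to the token's iss (or to have Keycloak issue tokens with the cluster-local issuer).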