End-user authentication with Istio and KeyCloak

I followed this blog on how to create authentication with Istio and Keycloak: https://www.dangtrinh.com/2019/08/end-user-authentication-with-istio-and.html

I can retrieve an access token, but curl gives 401 when using the Keycloak jwksUri: "http://keycloak/auth/realms/istio/protocol/openid-connect/certs".

Please suggest what I can check or verify to understand what is missing for Keycloak.

(instead of example.com I use the real FQDN)

TOKEN=$(curl -s -d "audience=istio" -d "client_secret=XXXXXXX-XXXXXX-XXXXXX" -d "client_id=istio" -d "grant_type=client_credentials" "http://keycloak.example.com/auth/realms/istio/protocol/openid-connect/token" | jq -r ".access_token")

curl -svI http://$INGRESS/login --header "Authorization: Bearer ${TOKEN}" -H "host: app.example.com"

With the Istio example jwksUri in the Istio Policy, https://raw.githubusercontent.com/istio/istio/release-1.3/security/tools/jwt/samples/jwks.json, it works.

401 response:

apiVersion: "authentication.istio.io/v1alpha1"
kind: "Policy"
metadata:
  name: "jwt-keycloak"
spec:
  targets:
  - name: app-service
  peers:
  - mtls: {}
  origins:
  - jwt:
      issuer: "http://keycloak/auth/realms/istio"
      jwksUri: "http://keycloak/auth/realms/istio/protocol/openid-connect/certs"
      audiences:
      - istio
  principalBinding: USE_ORIGIN

200 response:

kind: Policy
metadata:
  annotations:
    kubectl.kubernetes.io/last-applied-configuration: |
      {"apiVersion":"authentication.istio.io/v1alpha1","kind":"Policy","metadata":{"annotations":{},"name":"jwt-example","namespace":"foo"},"spec":{"origins":[{"jwt":{"issuer":"testing@secure.istio.io","jwksUri":"https://raw.githubusercontent.com/istio/istio/release-1.3/security/tools/jwt/samples/jwks.json"}}],"peers":[{"mtls":{}}],"principalBinding":"USE_ORIGIN","targets":[{"name":"httpbin"}]}}
  name: jwt-example
  selfLink: /apis/authentication.istio.io/v1alpha1/namespaces/foo/policies/jwt-example
spec:
  origins:
  - jwt:
      issuer: testing@secure.istio.io
      jwksUri: https://raw.githubusercontent.com/istio/istio/release-1.3/security/tools/jwt/samples/jwks.json
  peers:
  - mtls: {}
  principalBinding: USE_ORIGIN
  targets:
  - name: app-service

Removing

      audiences:
      - istio

solved the issue, but I'd like to know why it doesn't work that way. Any ideas?

Update: adding a mapper for the client ID and audience helped. But why does Keycloak allow tokens to be used without an audience? As per the RFC, https://tools.ietf.org/html/rfc7519#section-4.1.3, this must be rejected.
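A small diagnostic that reproduces the check Istio performs on the `iss` and `aud` claims of the bearer token against the Policy above. This is an added example, not code from the question or from Istio or Keycloak: it decodes the JWT payload without verifying the signature (Istio verifies the signature against jwksUri; this script only explains why a correctly signed token can still get a 401), and the two sample tokens, their `aud` values, `kid` and signature bytes are constructed for illustration, not real Keycloak output. Run it against `$TOKEN` from the question with `python3 jwt_policy_check.py "$TOKEN"` to see which claim the Policy rejects.

```python
import base64
import json
import sys
import time

# Values copied from the 401 Policy in the question.
POLICY_ISSUER = "http://keycloak/auth/realms/istio"
POLICY_AUDIENCES = ["istio"]


def b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def decode_jwt_unverified(token: str) -> dict:
    """Split a compact JWS and decode header and payload. No signature check."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected 3 dot-separated segments (header.payload.signature)")
    return {
        "header": json.loads(b64url_decode(parts[0])),
        "payload": json.loads(b64url_decode(parts[1])),
    }


def check_against_policy(token: str, issuer: str, audiences: list, now=None) -> list:
    """Return a list of reasons the Policy would reject this token (empty = accepted)."""
    claims = decode_jwt_unverified(token)["payload"]
    problems = []
    # Policy 'issuer' must equal the token's 'iss' byte for byte.
    if claims.get("iss") != issuer:
        problems.append(f"iss mismatch: token={claims.get('iss')!r} policy={issuer!r}")
    # When the Policy lists audiences, at least one must appear in 'aud'.
    # With no audiences configured (the 'Removing audiences' case) this check is skipped.
    if audiences:
        aud = claims.get("aud")
        token_aud = [aud] if isinstance(aud, str) else list(aud or [])
        if not set(token_aud) & set(audiences):
            problems.append(f"aud mismatch: token={token_aud!r} policy={audiences!r}")
    now = time.time() if now is None else now
    exp = claims.get("exp")
    if exp is not None and exp < now:
        problems.append(f"token expired at {exp}")
    return problems


def make_sample_token(payload: dict) -> str:
    """Build a constructed, unsigned-in-practice JWT so the checks can run offline."""
    header = {"alg": "RS256", "typ": "JWT", "kid": "constructed-kid"}
    return ".".join([
        b64url_encode(json.dumps(header).encode()),
        b64url_encode(json.dumps(payload).encode()),
        b64url_encode(b"constructed-signature-not-valid"),  # placeholder, not a real signature
    ])


# Constructed sample: token minted before an audience mapper was configured.
# The 'aud' value here is illustrative only; inspect your real token to see yours.
TOKEN_WITHOUT_AUDIENCE_MAPPER = make_sample_token({
    "iss": POLICY_ISSUER, "aud": "account", "azp": "istio", "exp": 1700000000,
})
# Constructed sample: same token after a mapper adds the 'istio' audience.
TOKEN_WITH_AUDIENCE_MAPPER = make_sample_token({
    "iss": POLICY_ISSUER, "aud": ["istio", "account"], "azp": "istio", "exp": 1700000000,
})


def main(argv):
    token = argv[1] if len(argv) > 1 else TOKEN_WITHOUT_AUDIENCE_MAPPER
    decoded = decode_jwt_unverified(token)
    print("header :", decoded["header"])
    print("payload:", decoded["payload"])
    problems = check_against_policy(token, POLICY_ISSUER, POLICY_AUDIENCES)
    print("policy result:", "ACCEPT (200)" if not problems else "REJECT (401)")
    for p in problems:
        print("  -", p)


if __name__ == "__main__":
    main(sys.argv)
```

The `iss` comparison is worth keeping in the script as well: the Policy names the in-cluster service (`http://keycloak/...`) while the token is requested through the external FQDN, and the two strings must match exactly for the origin check to pass.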