I followed this blog on how to create authentication with Istio and Keycloak: https://www.dangtrinh.com/2019/08/end-user-authentication-with-istio-and.html
I can retrieve an access token, but curl gives 401 while using the Keycloak jwksUri: "http://keycloak/auth/realms/istio/protocol/openid-connect/certs".
Please suggest what I can check or verify to understand what is missing for Keycloak
(instead of example.com I use the real FQDN):
TOKEN=$(curl -s -d "audience=istio" -d "client_secret=XXXXXXX-XXXXXX-XXXXXX" -d "client_id=istio" -d "grant_type=client_credentials" "http://keycloak.example.com/auth/realms/istio/protocol/openid-connect/token" | jq -r ".access_token")
curl -svI http://$INGRESS/login --header "Authorization: Bearer ${TOKEN}" -H "host: app.example.com"
With the Istio example jwksUri in the Istio Policy (https://raw.githubusercontent.com/istio/istio/release-1.3/security/tools/jwt/samples/jwks.json) it works.
401 response:
apiVersion: "authentication.istio.io/v1alpha1"
kind: "Policy"
metadata:
  name: "jwt-keycloak"
spec:
  targets:
  - name: app-service
  peers:
  - mtls: {}
  origins:
  - jwt:
      issuer: "http://keycloak/auth/realms/istio"
      jwksUri: "http://keycloak/auth/realms/istio/protocol/openid-connect/certs"
      audiences:
      - istio
  principalBinding: USE_ORIGIN
200 response:
kind: Policy
metadata:
  annotations:
    kubectl.kubernetes.io/last-applied-configuration: |
      {"apiVersion":"authentication.istio.io/v1alpha1","kind":"Policy","metadata":{"annotations":{},"name":"jwt-example","namespace":"foo"},"spec":{"origins":[{"jwt":{"issuer":"testing@secure.istio.io","jwksUri":"https://raw.githubusercontent.com/istio/istio/release-1.3/security/tools/jwt/samples/jwks.json"}}],"peers":[{"mtls":{}}],"principalBinding":"USE_ORIGIN","targets":[{"name":"httpbin"}]}}
  name: jwt-example
  selfLink: /apis/authentication.istio.io/v1alpha1/namespaces/foo/policies/jwt-example
spec:
  origins:
  - jwt:
      issuer: testing@secure.istio.io
      jwksUri: https://raw.githubusercontent.com/istio/istio/release-1.3/security/tools/jwt/samples/jwks.json
  peers:
  - mtls: {}
  principalBinding: USE_ORIGIN
  targets:
  - name: app-service
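Added example, not code from the question or the linked blog: a small Python checker that decodes the token (without verifying the signature) and compares its iss, aud, kid and exp claims against the values the Istio Policy above expects, which is the first thing to verify when the JWT filter answers 401. The token and key set are constructed samples; the sample iss assumes Keycloak derives it from the host the token endpoint was called on, as it typically does.

```python
import base64
import json
import time

# Values from the Istio Policy in the question that returns 401.
POLICY_ISSUER = "http://keycloak/auth/realms/istio"
POLICY_AUDIENCES = ["istio"]

def b64url_decode(segment):
    """Decode a base64url segment, restoring the padding JWTs strip."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def b64url_encode(obj):
    """Encode a dict as an unpadded base64url JSON segment (used to build the sample token)."""
    raw = json.dumps(obj, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def decode_jwt(token):
    """Split a compact JWT into (header, claims); the signature is not checked here."""
    header, payload, _signature = token.split(".")
    return json.loads(b64url_decode(header)), json.loads(b64url_decode(payload))

def check_token_against_policy(token, issuer, audiences, jwks, now=None):
    """Return the mismatches between the token and what the Policy's jwt origin requires."""
    header, claims = decode_jwt(token)
    problems = []
    if claims.get("iss") != issuer:
        problems.append(f"issuer mismatch: token iss={claims.get('iss')!r}, policy issuer={issuer!r}")
    aud = claims.get("aud", [])
    aud = [aud] if isinstance(aud, str) else aud
    if audiences and not set(aud) & set(audiences):
        problems.append(f"audience mismatch: token aud={aud}, policy audiences={audiences}")
    kids = {k.get("kid") for k in jwks.get("keys", [])}
    if header.get("kid") not in kids:
        problems.append(f"kid {header.get('kid')!r} not in jwksUri key set {sorted(filter(None, kids))}")
    now = time.time() if now is None else now
    if "exp" in claims and claims["exp"] < now:
        problems.append("token expired")
    return problems

# Constructed sample (assumption): the token as Keycloak would mint it when the token
# endpoint was called on keycloak.example.com, and the key set served by the jwksUri.
SAMPLE_JWKS = {"keys": [{"kid": "kc-key-1", "kty": "RSA", "use": "sig", "alg": "RS256"}]}
SAMPLE_TOKEN = ".".join([
    b64url_encode({"alg": "RS256", "typ": "JWT", "kid": "kc-key-1"}),
    b64url_encode({"iss": "http://keycloak.example.com/auth/realms/istio", "aud": "istio", "exp": 2000000000}),
    "signature-placeholder",
])

if __name__ == "__main__":
    for problem in check_token_against_policy(SAMPLE_TOKEN, POLICY_ISSUER, POLICY_AUDIENCES, SAMPLE_JWKS):
        print("MISMATCH:", problem)
```

With a real token, replace SAMPLE_TOKEN with the output of the TOKEN command above and SAMPLE_JWKS with the JSON fetched from the jwksUri; every line the checker prints is a claim the Policy will reject.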