Hello, I am trying to configure an Istio EnvoyFilter with the OAuth2 filter. Unfortunately the flow fails with the error: "Jwks doesn't have key to match kid or alg from Jwt".
Here is the config:

apiVersion: security.istio.io/v1beta1
kind: RequestAuthentication
metadata:
  name: snoauth-test
  namespace: test
spec:
  selector:
    matchLabels:
      app: snoauth-test
  jwtRules:
    - issuer: "https://myorg.oktapreview.com"
      jwksUri: "https://myorg.oktapreview.com/oauth2/v1/keys"
---
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: snoauth-test
  namespace: test
spec:
  selector:
    matchLabels:
      app: snoauth-test
  action: DENY
  rules:
    - from:
        - source:
            notRequestPrincipals: ["*"]
---
apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
  name: myoauth-test
  namespace: test
spec:
  workloadSelector:
    labels:
      app: snoauth-test
  configPatches:
    - applyTo: CLUSTER
      match:
        cluster:
          service: oauth
      patch:
        operation: ADD
        value:
          name: oauth
          connect_timeout: 2s
          type: LOGICAL_DNS
          lb_policy: ROUND_ROBIN
          load_assignment:
            cluster_name: oauth
            endpoints:
              - lb_endpoints:
                  - endpoint:
                      address:
                        socket_address:
                          address: myorg.oktapreview.com
                          port_value: 443
          transport_socket:
            name: envoy.transport_sockets.tls
            typed_config:
              "@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.UpstreamTlsContext
              sni: myorg.oktapreview.com
    - applyTo: HTTP_FILTER
      match:
        context: SIDECAR_INBOUND
        listener:
          filterChain:
            filter:
              name: "envoy.filters.network.http_connection_manager"
              subFilter:
                name: "envoy.filters.http.jwt_authn"
      patch:
        operation: INSERT_BEFORE
        value:
          name: envoy.filters.http.oauth2
          typed_config:
            "@type": type.googleapis.com/envoy.extensions.filters.http.oauth2.v3.OAuth2
            config:
              token_endpoint:
                cluster: oauth
                uri: "https://myorg.oktapreview.com/oauth2/v1/token"
                timeout: 5s
              authorization_endpoint: "https://myorg.oktapreview.com/oauth2/v1/authorize"
              redirect_uri: "https://snoauth-test.apps.k8s-dev.myorg.io/callback"
              redirect_path_matcher:
                path:
                  exact: /callback
              signout_path:
                path:
                  exact: /signout
              forward_bearer_token: true
              auth_scopes:
                - openid
                - profile
              credentials:
                client_id: xxx
                token_secret:
                  name: token
                  sds_config:
                    path: "/etc/istio/config/token-secret.yaml"
                hmac_secret:
                  name: hmac
                  sds_config:
                    path: "/etc/istio/config/hmac-secret.yaml"
It seems I can log in and get an ID and access token, but then the JWT verification fails. Looking at the access token:
{
  "alg": "RS256",
  "kid": "SAVWRVwZbyO-NvGhH8YfW9XAiKxDxzums4Qn8wBLOUw"
}
{
  "aud": "https://myorg.oktapreview.com",
  "cid": "xxx",
  "exp": 1651828516,
  "iat": 1651824916,
  "iss": "https://myorg.oktapreview.com",
  "jti": "xxx",
  "sub": "user@myorg.com",
  "uid": "xxx",
  "ver": 1,
  "scp": [
    "openid"
  ],
  "auth_time": 1651824914
}
The kid from the access token is not in the configured jwksUri: https://myorg.oktapreview.com/oauth2/v1/keys

Any idea what's wrong here?
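A small diagnostic for the error quoted in the post, added here as an example and not part of the original question: it reproduces the jwt_authn key lookup (the token header's kid must appear in the JWKS, and a key that declares an alg must agree with the header's alg) so you can confirm offline whether a given token can be verified against a given jwksUri. The JWKS document and the tokens are constructed sample data; the `--jwks-uri` fetch in the CLI is an assumption about how you would run it against a real endpoint.

```python
import base64
import json
import sys
import urllib.request

# Constructed sample JWKS, shaped like a /oauth2/v1/keys response (not real key material).
SAMPLE_JWKS = {
    "keys": [
        {"kty": "RSA", "alg": "RS256", "use": "sig", "kid": "constructed-kid-1", "n": "AQAB", "e": "AQAB"},
        {"kty": "RSA", "alg": "RS256", "use": "sig", "kid": "constructed-kid-2", "n": "AQAB", "e": "AQAB"},
    ]
}

def b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore the padding before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def jwt_header(token: str) -> dict:
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS: expected three dot-separated segments")
    return json.loads(b64url_decode(parts[0]))

def find_signing_key(token: str, jwks: dict):
    """Same lookup jwt_authn performs before checking the signature: a key with the
    header's kid, and (when the key declares one) a matching alg. None means Envoy
    would report "Jwks doesn't have key to match kid or alg from Jwt"."""
    header = jwt_header(token)
    kid, alg = header.get("kid"), header.get("alg")
    for key in jwks.get("keys", []):
        if key.get("kid") != kid:
            continue
        if key.get("alg") and key.get("alg") != alg:
            continue
        return key
    return None

def make_unsigned_token(header: dict, claims: dict) -> str:
    """Constructed token with an empty signature; only useful for exercising the lookup."""
    return ".".join([b64url_encode(json.dumps(header).encode()),
                     b64url_encode(json.dumps(claims).encode()), ""])

if __name__ == "__main__":
    # Usage (assumed): python check_kid.py <jwt> <jwks-uri>
    jwks = json.load(urllib.request.urlopen(sys.argv[2]))
    key = find_signing_key(sys.argv[1], jwks)
    print("matching key:", key["kid"] if key else "none (kid/alg not in JWKS)")
```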