Hi.
I'm trying to use Okta with AWS ALB and Istio to authenticate an internal office web application through Okta.
I'll summarize my test environment.
- Okta: XXXX.okta.com
- ALB: OIDC configuration with an Okta OIDC application
- Istio
  - RequestAuthentication
  - AuthorizationPolicy
[Flow]
User accesses app → Okta redirect → Okta login → Can access app
Browser (Chrome, etc) → AWS ALB → Istio Gateway → Pod(httpbin)
- Okta + AWS ALB: Success.
But the application seems to work well after Okta login without a session or cookie, and it seems to become unstable after the session timeout expires.
- Okta + Istio: Not successful.
I referred to many documents and blogs.
I think Istio Proxy pod does not receive JWT related metadata.
2.1 Configuration
I set up these istio configurations.
and I set the RequestAuthentication's issuer and jwksUri from the URL below:
https://XXXXX.okta.com/.well-known/openid-configuration
I wanted to redirect to Okta when the JWT does not exist, using an AuthorizationPolicy,
so I set from / source / requestPrincipals to https://XXX.okta.com/*
2.1.1 RequestAuthentication
apiVersion: security.istio.io/v1beta1
kind: RequestAuthentication
metadata:
  name: okta-aws-nginx
  namespace: oktademo
spec:
  selector:
    matchLabels:
      app: nginx
  jwtRules:
  - issuer: "https://XXXX.okta.com"
    jwksUri: "https://XXXX.okta.com/oauth2/v1/keys"
    # forwardOriginalToken: true
    # fromHeaders:
    # - name: x-amzn-oidc-accesstoken
2.1.2 AuthorizationPolicy
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: okta-aws-nginx
  namespace: oktademo
spec:
  selector:
    matchLabels:
      app: nginx
  action: ALLOW
  # rules:
  # - when:
  #   - key: request.auth.claims[iss]
  #     values: ["*"]
  rules:
  - from:
    - source:
        requestPrincipals:
        - "https://XXXXX.okta.com/*"
- Related failed logs
But it fails.
[1] Failed view
[2] enforce denied
Is there any issue in my configuration regarding the issuer endpoint, the jwksUri, or anything else?
It seems that the JWT metadata is not being delivered from Okta to the Istio proxy pod, but I don't know how to check. Thank you.
Or you can tell me an approach other than this one.
My purpose is just to implement application authentication through Okta.
It doesn't matter whether it's AWS ALB or Istio.
Thanks.
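The post asks how to check whether the JWT reaches the proxy and why requestPrincipals denies. As an added example (not part of the post or of Istio's code), the Python below models Istio's documented token lookup (the Authorization header with a "Bearer " prefix by default, or only the headers listed in fromHeaders when that is set) and its principal derivation (iss/sub) against a constructed request shaped like the one the post describes, with the token in x-amzn-oidc-accesstoken and no Authorization header; the key, token claims and header values are constructed, and the requestPrincipals pattern is the one from the post.

```python
import base64
import hashlib
import hmac
import json

# Constructed demo key: a real Okta token is RS256-signed and checked against jwksUri.
DEMO_KEY = b"constructed-demo-key"


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def make_demo_jwt(claims: dict) -> str:
    """Build a constructed HS256 JWT so the example runs offline."""
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url(json.dumps(claims).encode())
    sig = hmac.new(DEMO_KEY, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url(sig)}"


# Istio/Envoy default location; a fromHeaders list replaces it.
DEFAULT_LOCATIONS = [("authorization", "Bearer ")]


def find_jwt(headers: dict, locations=DEFAULT_LOCATIONS):
    """Return the token at the first matching (header, prefix) location, else None."""
    lower = {k.lower(): v for k, v in headers.items()}
    for name, prefix in locations:
        value = lower.get(name.lower())
        if value is not None and value.startswith(prefix):
            return value[len(prefix):]
    return None


def request_principal(token: str) -> str:
    """Istio sets the principal to '<iss>/<sub>' only after signature validation;
    here the claims are merely decoded for inspection, not verified."""
    claims = json.loads(b64url_decode(token.split(".")[1]))
    return f"{claims['iss']}/{claims['sub']}"


def principal_allowed(principal: str, pattern: str) -> bool:
    """requestPrincipals matching: exact, or a single '*' at either end."""
    if pattern.endswith("*"):
        return principal.startswith(pattern[:-1])
    if pattern.startswith("*"):
        return principal.endswith(pattern[1:])
    return principal == pattern


# Constructed request headers as forwarded by the ALB: token only in x-amzn-oidc-accesstoken.
ALB_HEADERS = {
    "host": "app.example.internal",
    "x-amzn-oidc-accesstoken": make_demo_jwt(
        {"iss": "https://XXXXX.okta.com", "sub": "00u-demo-user"}),
}
```

With the default location the lookup returns None, so no principal is set and the ALLOW rule never matches; with fromHeaders pointing at x-amzn-oidc-accesstoken the derived principal is https://XXXXX.okta.com/00u-demo-user, which the pattern in the post matches.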