Trying Okta OIDC + AWS ALB + Istio, but AuthorizationPolicy does not work

Hi.
I'm trying to use Okta, AWS ALB and Istio to authenticate an internal office web application using Okta.

I'll summarize my test environment.

  • Okta : XXXX.okta.com

  • ALB : OIDC Configuration with Okta OIDC Application

  • Istio
    RequestAuthentication
    AuthorizationPolicy


[Flow]

User access to app → Okta Redirect → Okta Login → Can Access to app

Browser (Chrome, etc) → AWS ALB → Istio Gateway → Pod(httpbin)


  1. Okta + AWS ALB : Success.

But the application seems to work well after Okta login without a session or cookie, but it seems to be unstable after the session timeout expires.

  2. Okta + Istio : Not successful.

I referred to many documents and blogs.

I think the Istio proxy pod does not receive JWT-related metadata.

2.1 Configuration

I set up these Istio configurations,

and I set the RequestAuthentication's issuer and jwksUri from the URL below:
https://XXXXX.okta.com/.well-known/openid-configuration

I wanted to redirect to Okta when the JWT token does not exist, using AuthorizationPolicy,

so I set from - requestPrincipals to https://XXX.okta.com/*

2.1.1 RequestAuthentication

apiVersion: security.istio.io/v1beta1
kind: RequestAuthentication
metadata:
  name: okta-aws-nginx
  namespace: oktademo
spec:
  selector:
    matchLabels:
      app: nginx
  jwtRules:
    - issuer: "https://XXXX.okta.com"
      jwksUri: "https://XXXX.okta.com/oauth2/v1/keys"
#      forwardOriginalToken: true
#      fromHeaders:
#        - name: x-amzn-oidc-accesstoken

2.1.2 AuthorizationPolicy

apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: okta-aws-nginx
  namespace: oktademo
spec:
  selector:
    matchLabels:
      app: nginx
  action: ALLOW
#  rules:
#    - when:
#        - key: request.auth.claims[iss]
#          values: ["*"]
  rules:
    - from:
        - source:
            requestPrincipals:
              - "https://XXXXX.okta.com/*"

  3. Related failed logs

But it fails.

[1] Failed view

[2]

enforce denied

Is there any issue in my configuration about the issuer endpoint or jwksUri or anything else?

It seems that JWT metadata is not being delivered from Okta to the Istio proxy pod. I don't know how to check. Thank you.

Or you could tell me about an approach other than this one.

My purpose is just to implement application authentication through Okta.

It doesn't matter if it's AWS ALB or Istio.

Thanks.
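Added diagnostic example, not part of the post above and not Istio or AWS code: it decodes (without verifying) the tokens an ALB forwards in its x-amzn-oidc-data and x-amzn-oidc-accesstoken headers and reports, for each, whether the claims would satisfy the jwtRule issuer and what requestPrincipal (iss/sub) Istio would derive. The sample tokens, kid, ARN and subject are constructed placeholders; in a live check the header values would be copied from a request captured at the gateway.

```python
import base64
import json

# Header names AWS ALB adds after OIDC authentication (from the ALB docs).
ALB_TOKEN_HEADERS = ("x-amzn-oidc-data", "x-amzn-oidc-accesstoken")

def _b64url_json(segment: str) -> dict:
    # ALB-minted JWTs may keep '=' padding; normalise so padded and unpadded forms decode.
    segment = segment.rstrip("=")
    return json.loads(base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4)))

def peek_jwt(token: str) -> dict:
    """Decode JOSE header and claims WITHOUT verifying the signature (diagnostic only)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS: expected three dot-separated segments")
    return {"header": _b64url_json(parts[0]), "claims": _b64url_json(parts[1])}

def check_against_jwt_rule(token: str, issuer: str, now: int) -> dict:
    """Mirror what an Istio jwtRule needs: an 'iss' claim equal to the rule issuer,
    an unexpired token, and a signing key the rule's jwksUri can supply."""
    jwt = peek_jwt(token)
    hdr, claims = jwt["header"], jwt["claims"]
    return {
        "alg": hdr.get("alg"),
        "iss_claim": claims.get("iss"),
        "issuer_matches": claims.get("iss") == issuer,
        "expired": claims.get("exp") is not None and int(claims["exp"]) <= now,
        # ALB-signed tokens carry the ALB ARN in a 'signer' header; Okta's JWKS cannot verify them.
        "signed_by_alb": "signer" in hdr,
        # Istio derives requestPrincipals as "<iss>/<sub>".
        "request_principal": f"{claims.get('iss')}/{claims.get('sub')}",
    }

def inspect_alb_headers(headers: dict, issuer: str, now: int) -> dict:
    """Per forwarded header, report whether its token could satisfy the jwtRule."""
    return {h: check_against_jwt_rule(headers[h], issuer, now)
            for h in ALB_TOKEN_HEADERS if h in headers}

# --- constructed sample input: unsigned tokens shaped like the ALB's forwarded headers ---
def _fake_jwt(header: dict, claims: dict) -> str:
    enc = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).decode()  # padded, like ALB
    return f"{enc(header)}.{enc(claims)}.c2lnbmF0dXJl"  # signature segment is a placeholder

ISSUER = "https://XXXX.okta.com"
EXP = 4102444800  # 2100-01-01, constructed
SAMPLE_HEADERS = {
    "x-amzn-oidc-data": _fake_jwt(
        {"alg": "ES256", "kid": "constructed-kid", "iss": ISSUER, "exp": EXP,
         "signer": "arn:aws:elasticloadbalancing:us-east-1:000000000000:loadbalancer/app/demo/0"},
        {"sub": "00u-constructed", "email": "user@example.com"}),  # userinfo-style claims, no 'iss'
    "x-amzn-oidc-accesstoken": _fake_jwt(
        {"alg": "RS256", "kid": "constructed-kid"},
        {"iss": ISSUER, "sub": "00u-constructed", "exp": EXP}),
}

if __name__ == "__main__":
    print(json.dumps(inspect_alb_headers(SAMPLE_HEADERS, ISSUER, now=1_700_000_000), indent=2))
```

Running it shows which forwarded header actually contains an Okta-issued token whose iss claim matches the RequestAuthentication issuer; note that Istio's jwtRules only read the Authorization: Bearer header unless fromHeaders names the ALB header.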