jwt

A JSON Web Token (JWT) is a type of authentication token used to identify a user to a server application. JWTs contain information about the client caller, and can be used as part of a client session architecture. A JSON Web Key Set (JWKS) contains the cryptographic keys used to verify incoming JWTs.

You can use Istio’s Authentication API to configure JWT policies for your services.

In this example, we require a JWT for all routes in the frontend service except for the home page (/) and the pod health check (/_healthz).

In the Istio policy, we point jwksUri at a test public key set, which the frontend's sidecar proxy loads to verify incoming tokens. Any request without a valid JWT will receive a 401 - Unauthorized status from Envoy.

apiVersion: "authentication.istio.io/v1alpha1"
kind: "Policy"
metadata:
  name: "frontend-jwt"
spec:
  targets:
  - name: frontend
  origins:
  - jwt:
      issuer: "testing@secure.istio.io"
      jwksUri: "https://raw.githubusercontent.com/istio/istio/release-1.2/security/tools/jwt/samples/jwks.json"
      trigger_rules:
      - excluded_paths:
        - exact: /_healthz
        - exact: /
  principalBinding: USE_ORIGIN
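To make the policy's behaviour concrete, here is an added model of the decision the sidecar makes for each request; it is example code written for this page, not Istio's or Envoy's implementation. It re-creates the issuer and trigger_rules of the frontend-jwt policy as a Python dict and assumes a constructed HS256 JWKS (a symmetric "oct" key with kid "test-1") in place of the RSA keys at the real jwksUri, so that it runs offline with no dependencies; the function names (`authorize`, `verify_token`, `mint_token`, `path_excluded`) are this example's own.

```python
"""Model of how the frontend-jwt Policy gates requests (added example, not Istio code)."""
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# The relevant parts of the Policy above, as a dict (jwksUri replaced by the embedded JWKS).
POLICY = {
    "issuer": "testing@secure.istio.io",
    "trigger_rules": [{"excluded_paths": [{"exact": "/_healthz"}, {"exact": "/"}]}],
}

# Constructed JWKS with one symmetric HS256 key. The real policy fetches an RSA JWKS;
# a symmetric key is used here only to keep the example dependency-free.
SECRET = b"constructed-example-secret-not-for-production"
JWKS = {"keys": [{"kty": "oct", "kid": "test-1", "alg": "HS256",
                  "k": base64.urlsafe_b64encode(SECRET).rstrip(b"=").decode()}]}


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def mint_token(claims: dict, kid: str = "test-1", key: bytes = SECRET) -> str:
    """Issue a compact JWT signed with HS256 (stands in for the identity provider)."""
    header = {"alg": "HS256", "typ": "JWT", "kid": kid}
    signing_input = _b64url(json.dumps(header).encode()) + "." + _b64url(json.dumps(claims).encode())
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def path_excluded(path: str) -> bool:
    """True when an excluded_paths matcher in any trigger rule matches the request path."""
    for rule in POLICY["trigger_rules"]:
        for m in rule.get("excluded_paths", []):
            if "exact" in m and path == m["exact"]:
                return True
            if "prefix" in m and path.startswith(m["prefix"]):
                return True
            if "suffix" in m and path.endswith(m["suffix"]):
                return True
    return False


def verify_token(token: str, now: Optional[float] = None) -> Optional[dict]:
    """Return the claims if signature, issuer and expiry check out, else None."""
    try:
        h64, p64, s64 = token.split(".")
        header = json.loads(_b64url_decode(h64))
        payload = json.loads(_b64url_decode(p64))
        signature = _b64url_decode(s64)
    except ValueError:  # malformed structure, base64 or JSON
        return None
    if header.get("alg") != "HS256":  # never trust the token's choice of "none" or another alg
        return None
    key = next((k for k in JWKS["keys"] if k.get("kid") == header.get("kid")), None)
    if key is None:
        return None
    expected = hmac.new(_b64url_decode(key["k"]), (h64 + "." + p64).encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        return None
    if payload.get("iss") != POLICY["issuer"]:
        return None
    now = time.time() if now is None else now
    if "exp" in payload and payload["exp"] < now:
        return None
    return payload


def authorize(path: str, authorization: Optional[str], now: Optional[float] = None) -> int:
    """HTTP status the sidecar produces: 200 to forward upstream, 401 to reject."""
    if path_excluded(path):
        return 200
    if not authorization or not authorization.startswith("Bearer "):
        return 401
    return 200 if verify_token(authorization[len("Bearer "):], now) else 401


if __name__ == "__main__":
    good = mint_token({"iss": POLICY["issuer"], "sub": "alice", "exp": 2000000000})
    print("/_healthz without token:", authorize("/_healthz", None))
    print("/cart without token:", authorize("/cart", None))
    print("/cart with valid token:", authorize("/cart", "Bearer " + good))
```

The two excluded paths pass without any token, every other path needs a Bearer token whose signature, `iss` and `exp` are all acceptable, and a token signed with a different key, a different issuer or an expired `exp` is rejected exactly as the policy would reject it.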

To learn more and try interactive examples, see the Istio docs and the istio-samples repo.