Keycloak 21 and Istio 1.17 return 401 Invalid Token - Jwt issuer is not configured


Jonathan Vila López

Feb 27, 2023, 3:31:43 AM
to Keycloak User

I have installed Istio and Keycloak (namespace keycloak) in a minikube.

Created a RequestAuthentication and an AuthorizationPolicy:

apiVersion: security.istio.io/v1beta1
kind: RequestAuthentication
metadata:
  name: requestauth
  namespace: default
spec:
  selector:
    matchLabels:
      app: quarkus
  jwtRules:
    - issuer: "http://keycloak.keycloak.svc.cluster.local:8080/realms/demo"
      jwksUri: "http://keycloak.keycloak.svc.cluster.local:8080/realms/demo/protocol/openid-connect/certs"
---
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: authpolicy
  namespace: default
spec:
  selector:
    matchLabels:
      app: quarkus
  rules:
    - from:
        - source:
            requestPrincipals: ["*"]

And after getting the token:

curl -sk \
  --data "username=quarkus&password=quarkuspwd&grant_type=password&client_id=istio" \
  https://keycloak.192.168.49.2.nip.io/realms/demo/protocol/openid-connect/token \
  | jq ".access_token"

I do a call to my service:

curl -sv -H "Authorization: Bearer $token" "http://$GATEWAY_URL/echo/productpage"

it always returns an error:

*   Trying 10.98.21.200:80...
* Connected to 10.98.21.200 (10.98.21.200) port 80 (#0)
> GET /echo/productpage HTTP/1.1
> Host: 10.98.21.200
> User-Agent: curl/7.87.0
> Accept: */*
> Authorization: Bearer eyJhbG........
>
* Mark bundle as not supporting multiuse
< HTTP/1.1 401 Unauthorized
< www-authenticate: Bearer realm="http://10.98.21.200/echo/productpage", error="invalid_token"
< content-length: 28
< content-type: text/plain
< date: Fri, 24 Feb 2023 17:12:33 GMT
< server: istio-envoy
<
* Connection #0 to host 10.98.21.200 left intact
Jwt issuer is not configured

If I send a wrong header in the call:

curl -sv -H "AuthorizationXX: Bearer $token" "http://$GATEWAY_URL/echo/productpage"

I receive, as expected, an RBAC error:

* Mark bundle as not supporting multiuse
< HTTP/1.1 403 Forbidden
< content-length: 19
< content-type: text/plain
< date: Sun, 26 Feb 2023 11:39:30 GMT
< server: istio-envoy
< x-envoy-upstream-service-time: 14
<
* Connection #0 to host 10.98.21.200 left intact
RBAC: access denied
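Editor's note, added example (not part of the post and not the poster's code). The two responses above are consistent with how Istio layers its filters: a request with no recognisable Authorization header is not rejected by RequestAuthentication at all and falls through to the AuthorizationPolicy, which denies it (403 "RBAC: access denied"); a request carrying a token whose iss claim matches none of the jwtRules issuers is rejected earlier by Envoy's jwt_authn filter with exactly the 401 "Jwt issuer is not configured" seen here. The first check a practitioner wants is therefore to read the token's iss claim and compare it, as an exact string, with the issuer in the RequestAuthentication. The script below does that offline with the standard library only. The issuer list is copied from the post; the sample token is constructed here, with an assumed iss equal to the external nip.io URL the token was requested from (Keycloak derives iss from the request's frontend URL unless configured otherwise), and a placeholder signature, since nothing is verified.

```python
import base64
import json

# Issuer configured in the RequestAuthentication jwtRules from the post above.
CONFIGURED_ISSUERS = ["http://keycloak.keycloak.svc.cluster.local:8080/realms/demo"]

# Assumption for this example: a token minted through the external hostname
# carries that hostname in its iss claim. The token built from it below is
# constructed for this example, not captured from the poster's cluster.
ASSUMED_EXTERNAL_ISS = "https://keycloak.192.168.49.2.nip.io/realms/demo"


def _b64url_encode(obj):
    raw = json.dumps(obj, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64url_decode(segment):
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def make_constructed_token(claims):
    """Build an unverifiable sample JWT for offline testing only."""
    header = {"alg": "RS256", "typ": "JWT", "kid": "constructed"}
    return f"{_b64url_encode(header)}.{_b64url_encode(claims)}.placeholder-signature"


def jwt_claims(token):
    """Return the payload claims WITHOUT verifying the signature.
    Good enough for diagnosing configuration; never use it for authorization."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS: expected three dot-separated segments")
    return json.loads(_b64url_decode(parts[1]))


def check_issuer(token, configured_issuers):
    """Mirror Envoy's jwt_authn issuer lookup: an exact string match of the
    iss claim against the configured issuers (scheme, host, port and any
    trailing slash all count). Returns (ok, explanation)."""
    iss = jwt_claims(token).get("iss")
    if iss is None:
        return False, "token has no iss claim"
    if iss in configured_issuers:
        return True, f"iss {iss!r} matches a jwtRules issuer"
    return False, (f"iss {iss!r} is not among jwtRules issuers {configured_issuers}; "
                   "Envoy answers 401 'Jwt issuer is not configured'")


# Constructed sample token for this example (sub/azp values taken from the post's
# password grant; exp is an arbitrary epoch second).
SAMPLE_TOKEN = make_constructed_token({
    "iss": ASSUMED_EXTERNAL_ISS,
    "sub": "quarkus",
    "azp": "istio",
    "exp": 1677258000,
})

if __name__ == "__main__":
    ok, why = check_issuer(SAMPLE_TOKEN, CONFIGURED_ISSUERS)
    print("OK" if ok else "MISMATCH", "-", why)
```

To run it against a real token, pass the bare string (for example the output of `jq -r .access_token`, without the surrounding quotes) to `check_issuer` together with the issuer(s) from your RequestAuthentication; a mismatch reported here is the same comparison Envoy makes before it ever fetches the JWKS.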

Jonathan Vila López

Feb 27, 2023, 4:14:56 AM
to Keycloak User
I have checked with other JWT sources and apparently it is not anything related to Keycloak.

My apologies.
