Use sidecar to translate opaque token to JWT in Istio
I consider if there is a way to use Istio to translate opaque token to JWT.
Use case: There are two services (service 1 which is consumer and service 2 which is producer) Service1 works with opaque token, Service2 can be authenticate & authorize with JWT token. To avoid adding Opaque token authentication in service2 I consider if we can use sidecar pattern (exactly in Istio) to get request (re1) from service1, extract authorization header, pass request (authReq1) to authorization server for exchange opaque token to JWT and then pass request (req1 but with JWT instead of original Opaque Token) to service2.
Edited answer: I see two option (option1, option2) but I am interested in option 3.
Option 1:
Option 2:
Option 3:
I consider if there is a way to use Istio to translate opaque token to JWT.
Unfortunately, Istio won't be able to translate the tokens. In your case, it seems to me that the easiest way is to get services in such a way that they work on one type of token.
Translation is possible, but not by Istio. Look at this question. You can also read more about Istio Authentication:
Istio provides two types of authentication:
Peer authentication: used for service-to-service authentication to verify the client making the connection. Istio offers mutual TLS as a full stack solution for transport authentication, which can be enabled without requiring service code changes. This solution:
Provides each service with a strong identity representing its role to enable interoperability across clusters and clouds. - Secures service-to-service communication. - Provides a key management system to automate key and certificate generation, distribution, and rotation.
Request authentication: Used for end-user authentication to verify the credential attached to the request. Istio enables request-level authentication with JSON Web Token (JWT) validation and a streamlined developer experience using a custom authentication provider or any OpenID Connect providers, for example:
In all cases, Istio stores the authentication policies in the
Istio config storevia a custom Kubernetes API. Istiod keeps them up-to-date for each proxy, along with the keys where appropriate. Additionally, Istio supports authentication in permissive mode to help you understand how a policy change can affect your security posture before it is enforced.
- Generating JWT token with JwtUtil class in Spring Boot resulting in NullPointerException
- Unknown authentication strategy "jwt" error in NestJS with Passport and JWT
- Can't import jwt-decode in JavaScript file in React project
- Custom AuthenticationStateProviderService error on localstorage
- IDX10500: Signature validation failed. No security keys were provided to validate the signature
- .NET8 ASP.NET Core Web API : JWT error : Bearer error="invalid_token"
- Official documentation for JwtBearer middleware/configuration via appsettings.json?
- Caused by: java.lang.NoClassDefFoundError: io/jsonwebtoken/Jwts
- IDX10503: Signature validation failed. Token does not have a kid. Keys tried: 'System.Text.StringBuilder'
- Microsoft Azure doesn't return email via Oauth2 flow
- Token handler unable to convert the token to jwt token
- int io.jsonwebtoken.SignatureAlgorithm.getMinKeyLength()' no such method error while generating a token key for authentication
- JwtSecurityToken in .NET 8
- How handle refresh token and access token for auth system
- Cannot resolve symbol 'security' while importing io.jsonwebtoken.security.Keys;
- How to store httpOnly cookie after redirect from custom SSO?
- Difficulty signing JWT in .NET Framework 4.5 using pre-generated ES512 private key
- Any way to generate Supabase ANON_KEY and JWT_SECRET locally?
- JWT Token returns NULL .NET API Login
- How to set JWT type in JWT Header
- Using fresh cookies from catch Error in HttpIntercopterFn
- How to invalidate a JWT token with no expiry time
- azp Claim Missing from Azure AD JWT
- Laravel not authenticating JWT token Tymon/jwt-auth
- OpenSSL not creating a key file from a RSA private key
- Node js JWT to verify token using Google's public keys
- 401 Unauthorized Error with JWT Authentication in .NET 8 and Vue.js Application
- How to generate JWT in PHP
- Validate Apple StoreKit2 in-app purchase receipt jwsRepresentation in backend (node ideally, but anything works)
- Quarkus SmallRye JWT GCP Identity Aware Proxy (IAP) integration