kuberneteskeycloakistio

Keycloak admin UI with istio RequestAuthentication


I'm trying to set up istio JWT authentication rules using keycloak for a number of services I have hosted on EKS. I had thought it was all working untill I tried to access the keycloak admin UI which presents me with a 401 when trying to make calls to locations like localization/en that require it to use the master realms header. I thought it might be that I needed to add the master realm to the jwt rules also so I've done that but I'm still not having much luck.

apiVersion: security.istio.io/v1beta1
kind: RequestAuthentication
metadata:
  name: keycloak-request-authentication
  namespace: istio-system
spec:
  selector:
    matchLabels:
      app: istio-ingressgateway
  jwtRules:
    - issuer: http://auth.platform.com/auth/realms/other
      jwksUri: http://auth.platform.com/auth/realms/other/protocol/openid-connect/certs
    - issuer: http://auth.platform.com/auth/realms/master
      jwksUri: http://auth.platform.com/auth/realms/master/protocol/openid-connect/certs

I'm using keycloakx version 2.3.0 and the exact error seems to be -

Error: Network response was not OK.
    at fetchWithError (http://auth.platform.com/auth/resources/6jpo1/admin/keycloak.v2/assets/index-8a79a090.js:67:121366)
    at async Agent.requestWithParams (http://auth.platform.com/auth/resources/6jpo1/admin/keycloak.v2/assets/index-8a79a090.js:67:124011

Since adding the master realm to my RequestAuthentication the auth is working well against all other services, just something strange seems to be happening with keycloak thats causing the JWT to be rejected.

Any help would be much appreciated. Thanks.


Solution

  • It will send a blank authentication header to keycloak, you need to ensure the original token is forwarded with the request.

      - issuer: http://auth.platform.com/auth/realms/master
      jwksUri: http://auth.platform.com/auth/realms/master/protocol/openid-connect/certs
      forwardOriginalToken: true