Tetrate Istio Subscription (Version: Next)

TIS1108 - JWT Claim Based Routing Without RequestAuthentication

JWT claim based routing is used without a corresponding RequestAuthentication configuration.

Recommendation: Ensure JWT Claims Are Validated Before Using in Routing

To securely use JWT claims in routing decisions, add a RequestAuthentication to validate the JWTs, or remove the JWT claim based routing if validation is not possible.

Examples

  1. VirtualService Configuring JWT Claim Based Routing Without RequestAuthentication

    apiVersion: networking.istio.io/v1beta1
    kind: VirtualService
    metadata:
      name: jwt-claim-routing
      namespace: example-namespace
    spec:
      hosts:
      - "my-app.example.com"
      http:
      - match:
        - headers:
            x-jwt-claim:
              exact: "admin"
        route:
        - destination:
            host: "my-app-service.example-namespace.svc.cluster.local"

    Explanation: The VirtualService configuration attempts to route based on a JWT claim (the x-jwt-claim header), but there is no corresponding RequestAuthentication to validate the JWT and extract its claims. Without that validation, the header value is simply whatever the client sent, and Istio never checks it against a verified token, so the routing rule is driven by unvalidated input rather than by an authenticated claim.

Recommendation

Add a RequestAuthentication resource to validate JWTs, or remove the JWT claim based routing to avoid incorrect or insecure routing.

  1. Add RequestAuthentication to Validate JWT Claims

    Add a RequestAuthentication to validate the JWT claims before using them in the routing configuration.

    apiVersion: security.istio.io/v1beta1
    kind: RequestAuthentication
    metadata:
      name: jwt-auth
      namespace: example-namespace
    spec:
      selector:
        matchLabels:
          app: my-app
      jwtRules:
      - issuer: "https://secure.token.service"
        jwksUri: "https://secure.token.service/.well-known/jwks.json"

    Explanation: The RequestAuthentication resource ensures that JWTs presented to the selected workload are validated against the configured issuer and JWKS endpoint, allowing the VirtualService to route based on verified claims instead of unchecked header values.

  2. Remove JWT Claim Based Routing

    If JWT claim based routing is not needed, remove the related configuration to avoid insecure routing behavior.

    apiVersion: networking.istio.io/v1beta1
    kind: VirtualService
    metadata:
      name: jwt-claim-routing
      namespace: example-namespace
    spec:
      hosts:
      - "my-app.example.com"
      http:
      - route:
        - destination:
            host: "my-app-service.example-namespace.svc.cluster.local"

    Explanation: Removing the JWT claim based routing ensures that the configuration remains secure without relying on unvalidated claims for routing decisions.
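The following is an added example (not part of the TIS1108 page or Tetrate's own configuration) that carries recommendation 1 through end to end: the RequestAuthentication copies a verified claim into the x-jwt-claim header with outputClaimToHeaders, an AuthorizationPolicy rejects requests that carry no validated token, and the VirtualService matches on the proxy-populated header. It assumes the claim is named "role", that the policies are applied at the default ingress gateway (label istio: ingressgateway in istio-system, Gateway resource my-gateway), since Istio evaluates claim-based routing at the gateway, and it reuses the page's placeholder issuer, JWKS URL and hosts.

```yaml
apiVersion: security.istio.io/v1beta1
kind: RequestAuthentication
metadata:
  name: jwt-auth
  namespace: istio-system          # assumed: policy applied at the ingress gateway
spec:
  selector:
    matchLabels:
      istio: ingressgateway        # default ingress gateway label (assumed)
  jwtRules:
  - issuer: "https://secure.token.service"
    jwksUri: "https://secure.token.service/.well-known/jwks.json"
    # Populate x-jwt-claim from the verified "role" claim (assumed claim name),
    # so the value the route sees is set by the proxy, not by the client.
    outputClaimToHeaders:
    - header: "x-jwt-claim"
      claim: "role"
---
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: require-jwt
  namespace: istio-system
spec:
  selector:
    matchLabels:
      istio: ingressgateway
  action: ALLOW
  rules:
  - from:
    # RequestAuthentication alone still admits requests with no token at all;
    # requiring a request principal rejects anything without a validated JWT.
    - source: {requestPrincipals: ["*"]}
---
apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata:
  name: jwt-claim-routing
  namespace: example-namespace
spec:
  hosts: ["my-app.example.com"]
  gateways: [my-gateway]           # Gateway resource name (assumed)
  http:
  - match:
    - headers:
        x-jwt-claim:
          exact: "admin"           # matched only after the claim was verified above
    route:
    - destination:
        host: "my-app-service.example-namespace.svc.cluster.local"
```

A quick check after applying these is to send one request without a token (expect a 403 from the gateway) and one with a valid token whose role claim is not admin (expect it to miss the match rather than reach the admin route).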