Use mock JWT and JWKS from codebase for end-user auth tutorial (#1945)

2018-07-25 08:16:33 -07:00 · 2018-07-25 08:16:33 -07:00 · 9b9088e7a6
parent 4344a2f92f
commit 9b9088e7a6
1 changed files with 25 additions and 13 deletions
--- a/content/docs/tasks/security/authn-policy/index.md
+++ b/content/docs/tasks/security/authn-policy/index.md
@ -457,15 +457,9 @@ $ kubectl delete destinationrules httpbin -n bar

 ## End-user authentication

-To experiment with this feature, you will need a valid JWT (corresponding to the JWKS endpoint you want to use for the demo). In this tutorial, we will use a
-test JWT signed by Google service account, but of course, you can also use your own JWT/JWKS endpoint for the demo.
-
-You can create a test JWT for your Google service account (assume it's stored in the environment variable `$SVC_ACCOUNT`) by following the instructions
-[here]({{< github_tree >}}/security/tools/jwt). Keep it in `$TOKEN`. Also set `$JWKS` corresponding to the service account `$SVC_ACCOUNT` as below:
-
-{{< text bash >}}
-$ JWKS=https://www.googleapis.com/service_accounts/v1/jwk/${SVC_ACCOUNT}
-{{< /text >}}
+To experiment with this feature, you need a valid JWT. The JWT must correspond to the JWKS endpoint you want to use for the demo. In
+this tutorial, we use this [JWT test]({{< github_file >}}/security/tools/jwt/samples/demo.jwt) and this
+[JWKS endpoint]({{< github_file >}}/security/tools/jwt/samples/jwks.json) from the Istio code base.

 Also, for convenience, expose `httpbin.foo` via ingressgateway (for more details, see the [ingress task](/docs/tasks/traffic-management/ingress/)).

@ -537,8 +531,8 @@ spec:
  - name: httpbin
  origins:
  - jwt:
-      issuer: $SVC_ACCOUNT
-      jwksUri: $JWKS
+      issuer: "testing@secure.istio.io"
+      jwksUri: "{{< github_file >}}/security/tools/jwt/samples/jwks.json"
  principalBinding: USE_ORIGIN
 EOF
 {{< /text >}}
@ -552,12 +546,30 @@ $ curl $INGRESS_HOST/headers -s -o /dev/null -w "%{http_code}\n"

 Attaching the valid token generated above returns success:

-{{< text bash >}}
+{{< text bash>}}
+$ TOKEN=$(curl {{< github_file >}}/security/tools/jwt/samples/demo.jwt -s)
 $ curl --header "Authorization: Bearer $TOKEN" $INGRESS_HOST/headers -s -o /dev/null -w "%{http_code}\n"
 200
 {{< /text >}}

-You may want to try to modify token or policy (e.g change issuer, audiences, expiry date etc) to observe other aspects of JWT validation.
+To observe other aspects of JWT validation, use the script `[gen-jwt.py]({{< github_tree >}}/security/tools/jwt/samples/gen-jwt.py)` to
+generate new tokens to test with different issuer, audiences, expiry date, etc. For example, the command below creates a token that
+expires in 5 seconds. As you see, Istio authenticates requests using that token successfully at first but rejects them after 5 seconds:
+
+{{< text bash >}}
+$ TOKEN=$(@security/tools/jwt/samples/gen-jwt.py@ @security/tools/jwt/samples/key.pem@ --expire 5)
+$ for i in `seq 1 10`; do curl --header "Authorization: Bearer $TOKEN" $INGRESS_HOST/headers -s -o /dev/null -w "%{http_code}\n"; sleep 1; done
+200
+200
+200
+200
+200
+401
+401
+401
+401
+401
+{{< /text >}}

 ### Cleanup part 3