diff --git a/content/en/docs/reference/config/networking/envoy-filter/index.html b/content/en/docs/reference/config/networking/envoy-filter/index.html
index 7fce90b7cb..22049ce7d7 100644
--- a/content/en/docs/reference/config/networking/envoy-filter/index.html
+++ b/content/en/docs/reference/config/networking/envoy-filter/index.html
@@ -340,12 +340,7 @@ spec:
 name: my-wasm-extension # This must match the name above
 config_discovery:
 config_source:
- api_config_source:
- api_type: GRPC
- transport_api_version: V3
- grpc_services:
- - envoy_grpc:
- cluster_name: xds-grpc
+ ads: {}
 type_urls: ["envoy.extensions.filters.http.wasm.v3.Wasm"]
diff --git a/content/en/docs/reference/config/security/request_authentication/index.html b/content/en/docs/reference/config/security/request_authentication/index.html
index 32fa68e0d2..995ecc1d78 100644
--- a/content/en/docs/reference/config/security/request_authentication/index.html
+++ b/content/en/docs/reference/config/security/request_authentication/index.html
@@ -146,6 +146,71 @@ spec:
 paths: ["/healthz"]
+
x-jwt-claim
for matching JWT claims in
+the VirtualService. Claims of type string or list of string are supported and nested claims are also supported using
+.
as a separator for claim names. Examples: x-jwt-claim.admin
matches the claim “admin” and x-jwt-claim.group.id
+matches the nested claims “group” and “id”.The following example creates the request authentication and authorization policies for JWT validation on ingress
+gateway and routes requests based on the “version” claim in the validated JWT.
+
+apiVersion: security.istio.io/v1beta1
+kind: RequestAuthentication
+metadata:
+ name: jwt-on-ingress
+ namespace: istio-system
+spec:
+ selector:
+ matchLabels:
+ app: istio-ingressgateway
+ jwtRules:
+ - issuer: "issuer-foo"
+ jwksUri: https://example.com/.well-known/jwks.json
+---
+apiVersion: security.istio.io/v1beta1
+kind: AuthorizationPolicy
+metadata:
+ name: require-jwt
+ namespace: istio-system
+spec:
+ selector:
+ matchLabels:
+ app: istio-ingressgateway
+ rules:
+ - from:
+ - source:
+ requestPrincipals: ["*"]
+---
+apiVersion: networking.istio.io/v1alpha3
+kind: VirtualService
+metadata:
+ name: route-jwt
+spec:
+ hosts:
+ - foo.prod.svc.cluster.local
+ gateways:
+ - istio-ingressgateway
+ http:
+ - name: "v2-route"
+ match:
+ - headers:
+ x-jwt-claim.version:
+ exact: "v2"
+ route:
+ - destination:
+ host: foo.prod.svc.cluster.local
+ subset: v2
+ - name: "default-route"
+ route:
+ - destination:
+ host: foo.prod.svc.cluster.local
+ subset: v1
+
+
+Note: This routing is only supported on Gateways and proper request authentication must first be applied to validate the JWT.
+