Use sidecar to translate opaque token to JWT in Istio

I am considering whether there is a way to use Istio to translate an opaque token into a JWT.

Use case: there are two services (Service1 is the consumer, Service2 is the producer). Service1 uses opaque tokens, and Service2 can use JWT tokens for authentication and authorization. To avoid adding opaque-token authentication to Service2, I am considering whether a sidecar pattern (entirely within Istio) could take the request (req1) from Service1, extract the Authorization header, pass a request (authReq1) to the authorization server to exchange the opaque token for a JWT, and then forward the request (req1, but with the JWT instead of the original opaque token) to Service2.

Edit: I see two options (Option 1, Option 2), but I am interested in Option 3.

Option 1: Option 2: Option 3:

I consider if there is a way to use Istio to translate opaque token to JWT.

Unfortunately, Istio will not be able to translate the token. In your case, in my opinion, the easiest approach is to get the services to work with a single kind of token.

It can be translated, but not by Istio. Take a look at this question. You can also read more about Istio Authentication:

Istio provides two types of authentication:

  • Peer authentication: used for service-to-service authentication to verify the client making the connection. Istio offers mutual TLS as a full stack solution for transport authentication, which can be enabled without requiring service code changes. This solution:

    • Provides each service with a strong identity representing its role to enable interoperability across clusters and clouds.

    • Secures service-to-service communication.

    • Provides a key management system to automate key and certificate generation, distribution, and rotation.

  • Request authentication: Used for end-user authentication to verify the credential attached to the request. Istio enables request-level authentication with JSON Web Token (JWT) validation and a streamlined developer experience using a custom authentication provider or any OpenID Connect providers, for example:

  • ORY Hydra

  • Keycloak

  • Auth0

  • Firebase Auth

  • Google Auth

In all cases, Istio stores the authentication policies in the Istio config store via a custom Kubernetes API. Istiod keeps them up-to-date for each proxy, along with the keys where appropriate. Additionally, Istio supports authentication in permissive mode to help you understand how a policy change can affect your security posture before it is enforced.
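The request authentication the answer refers to is the part Istio does handle: validating a JWT already present on the request before it reaches Service2. The manifest below is an added example, not code from the question, the answer or the Istio documentation; the namespace, the `app: service2` label, the issuer URL and the JWKS URL are assumed placeholders for a real OpenID Connect provider.

```yaml
# RequestAuthentication: the sidecar in front of Service2 validates any JWT
# presented in the Authorization header against the provider's JWKS.
# Assumed values: namespace "default", label app=service2, issuer/JWKS URLs.
apiVersion: security.istio.io/v1beta1
kind: RequestAuthentication
metadata:
  name: service2-jwt
  namespace: default
spec:
  selector:
    matchLabels:
      app: service2
  jwtRules:
  - issuer: "https://auth.example.com"                        # placeholder issuer
    jwksUri: "https://auth.example.com/.well-known/jwks.json"  # placeholder JWKS
    # Keep the validated token on the request so Service2 can read its claims.
    forwardOriginalToken: true
---
# AuthorizationPolicy: without this, a request carrying NO token is still
# allowed through; RequestAuthentication alone only rejects invalid tokens.
# Requiring a requestPrincipal ("<issuer>/<subject>") closes that gap.
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: service2-require-jwt
  namespace: default
spec:
  selector:
    matchLabels:
      app: service2
  action: ALLOW
  rules:
  - from:
    - source:
        requestPrincipals: ["https://auth.example.com/*"]   # any subject from the assumed issuer
```

With both objects applied, a request from Service1 that still carries its opaque token is rejected at Service2's sidecar with 401, because the value is not a well-formed JWT; a request with no Authorization header is rejected with 403 by the AuthorizationPolicy. This is the enforcement side only: nothing in either object exchanges the opaque token for a JWT, which is the point the answer makes.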