Use sidecar to translate opaque token to JWT in Istio
I wonder if there is a way to use Istio to translate an opaque token to a JWT.
Use case:
There are two services (service 1 is the consumer, service 2 is the producer).
Service1 uses an opaque token; Service2 can use a JWT token for authentication and authorization.
To avoid adding opaque-token authentication to service2, I wonder whether I could use the sidecar pattern (entirely within Istio) to take the request (req1) from service1, extract the Authorization header, pass a request (authReq1) to the authorization server to exchange the opaque token for a JWT, and then pass the request (req1, but carrying the JWT instead of the original opaque token) on to service2.
Edit:
I see two options (option 1, option 2), but I am interested in option 3.
Option 1:
Option 2:
Option 3:
I consider if there is a way to use Istio to translate opaque token to JWT.
Unfortunately, Istio will not be able to translate the token. In your case, in my opinion, the easiest way is to get the services to work on one kind of token.
It can be translated, but not by Istio. Take a look at this question. You can also read more about Istio Authentication:
Istio provides two types of authentication:
Peer authentication: used for service-to-service authentication to verify the client making the connection. Istio offers mutual TLS as a full stack solution for transport authentication, which can be enabled without requiring service code changes. This solution:
- Provides each service with a strong identity representing its role to enable interoperability across clusters and clouds.
- Secures service-to-service communication.
- Provides a key management system to automate key and certificate generation, distribution, and rotation.
Request authentication: Used for end-user authentication to verify the credential attached to the request. Istio enables request-level authentication with JSON Web Token (JWT) validation and a streamlined developer experience using a custom authentication provider or any OpenID Connect providers, for example:
In all cases, Istio stores the authentication policies in the Istio config store via a custom Kubernetes API. Istiod keeps them up-to-date for each proxy, along with the keys where appropriate. Additionally, Istio supports authentication in permissive mode to help you understand how a policy change can affect your security posture before it is enforced.
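As an added illustration (not part of the answer above, and not taken from the Istio docs), this is what the request authentication the answer describes looks like on the service2 side once a JWT does reach it; it also shows why the opaque token from service1 cannot simply be forwarded. The issuer, JWKS URL, namespace `demo` and label `app: service2` are assumed placeholders.

```yaml
# Added example: Istio request authentication for service2.
# Issuer, jwksUri, namespace and labels are assumed placeholders.
apiVersion: security.istio.io/v1beta1
kind: RequestAuthentication
metadata:
  name: service2-jwt
  namespace: demo                 # assumed namespace
spec:
  selector:
    matchLabels:
      app: service2               # assumed workload label
  jwtRules:
  - issuer: "https://auth.example.com"                        # assumed issuer
    jwksUri: "https://auth.example.com/.well-known/jwks.json" # assumed JWKS URL
    # Keep the JWT in the Authorization header so service2 can still
    # do its own authorization on the claims.
    forwardOriginalToken: true
---
# RequestAuthentication alone only rejects requests that carry an INVALID
# token (an opaque token is not Header.Payload.Signature, so it gets a 401
# at the sidecar); a request with NO token is still let through. This
# policy closes that gap by requiring an authenticated request principal.
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: service2-require-jwt
  namespace: demo
spec:
  selector:
    matchLabels:
      app: service2
  action: ALLOW
  rules:
  - from:
    - source:
        # requestPrincipals are "<issuer>/<subject>"; any subject from the
        # assumed issuer is accepted here, narrow it for real deployments.
        requestPrincipals: ["https://auth.example.com/*"]
```

With these two policies in place, the exchange the question asks for still has to happen before the request reaches service2's sidecar, because the sidecar only validates a JWT, it does not obtain one.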