Istio End User Authentication with JWT on a GRPC service

8/27/2018

I would like to set up an auth policy on a GRPC service through Istio.

Currently, it's possible to add the policy on regular HTTP services, as you can use the Authorization header to pass the JWT token to the service. I'm a bit lost as there doesn't seem to be a similar policy for GRPC services (where you could include the token in the metadata of the request).

Has anyone managed to add an auth policy to a GRPC service managed by Istio?

-- odino
envoyproxy
grpc
istio
jwt
kubernetes

1 Answer

11/4/2018

You can have the Authorization header parsed into md['authorization'] for you if you use the JSON-to-GRPC Gateway as middleware between the Istio ingress and the gRPC service.

The JSON-to-GRPC Gateway source-code lines where the HTTP Authorization header is parsed and appended to the pairs that will become metadata:

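for key, vals := range req.Header {
    for _, val := range vals {
        // the Authorization header is passed through as the "authorization" metadata key
        if key == "Authorization" {
            pairs = append(pairs, "authorization", val)
            continue
        }
        // ... remaining header handling elided
    }
}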

PS: If there's a way to use a custom middleware function in Istio itself, you could replicate the grpc-gateway logic to achieve the same behaviour.

That can later be accessed in the gRPC service via the context like this:

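// retrieve metadata from the incoming context (package google.golang.org/grpc/metadata)
md, ok := metadata.FromIncomingContext(ctx)
if !ok {
    // handle: no metadata was sent with the request
}
// values are []string, keyed by the lowercase name
auth := md["authorization"]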
-- vcorrea
Source: StackOverflow
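
The service-side handling of md["authorization"] described in the answer above, as an added example that is not part of the original post or of grpc-gateway. It uses only the Go standard library, so `MD` is a local stand-in for grpc-go's `metadata.MD`, and `HeaderToMD` and `BearerToken` are hypothetical helper names.

```go
package main

import (
	"errors"
	"fmt"
	"net/http"
	"strings"
)

// MD is a local stand-in for grpc-go's metadata.MD so this runs without gRPC.
type MD map[string][]string

// HeaderToMD mirrors the quoted gateway loop for the one header it singles
// out: Authorization values are copied to the "authorization" key.
func HeaderToMD(h http.Header) MD {
	md := MD{}
	for key, vals := range h {
		if key == "Authorization" {
			md["authorization"] = append(md["authorization"], vals...)
		}
	}
	return md
}

// BearerToken returns the token carried in md["authorization"]. It rejects a
// missing or repeated value, a non-Bearer scheme and an empty or split token.
// Extraction only: signature and claim validation is a separate step.
func BearerToken(md MD) (string, error) {
	vals := md["authorization"]
	if len(vals) != 1 {
		return "", errors.New("want exactly one authorization value")
	}
	scheme, token, found := strings.Cut(strings.TrimSpace(vals[0]), " ")
	if !found || !strings.EqualFold(scheme, "Bearer") {
		return "", errors.New("authorization value is not 'Bearer <token>'")
	}
	token = strings.TrimSpace(token)
	if token == "" || strings.ContainsAny(token, " \t") {
		return "", errors.New("malformed bearer token")
	}
	return token, nil
}

func main() {
	// Constructed header; the token is a placeholder, not a real JWT.
	h := http.Header{"Authorization": {"Bearer header.payload.signature"}}
	fmt.Println(BearerToken(HeaderToMD(h)))
}
```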