php-istio/jwt-authentication-bundle

Latest stable version: v2.0.0

Composer install command:

composer require php-istio/jwt-authentication-bundle

Package summary

Symfony bundle to help authenticate JWT payload from Istio Envoy proxy.

README

About

This Symfony bundle provides JWT authentication for requests forwarded by an Istio sidecar.

To use this bundle, make sure your Kubernetes application pod has the Istio sidecar injected and a RequestAuthentication CRD configured; if not, your application IS NOT SECURE.

The main difference between the awesome Lexik JWT Authentication bundle and this bundle is that this one does NOT validate the JWT token, because the Istio sidecar has already validated it before forwarding the request to your application. Your application therefore does not need to hold the public key or validate the token a second time.

Requirements

PHP versions:

  • PHP 8.0

Symfony versions:

  • Symfony 5.3

Installation

composer require php-istio/jwt-authentication-bundle

Configuration

Enable the authenticator manager setting:

# config/packages/security.yaml
security:
  enable_authenticator_manager: true
  # ...

Then, configure your config/packages/security.yaml:

security:
  enable_authenticator_manager: true
  access_control: 
    - path: ^/
      roles: IS_AUTHENTICATED_FULLY
  firewalls:
    #...
    main:
      stateless: true
      istio_jwt_authenticator:
        rules:
          - issuer: issuer_1 # Required
            user_identifier_claim: sub # Default is the `sub` claim
            origin_token_headers: [authorization] # At least one of `origin_token_headers`, `origin_token_query_params` or `base64_headers` is required. Use this option when your Istio JWTRule uses `forwardOriginalToken`.
            origin_token_query_params: [token] # Use this option when your Istio JWTRule uses `forwardOriginalToken` and the JWT token is passed in a query param.
            base64_headers: [x-istio-jwt-payload] # Use this option when your Istio JWTRule uses `outputPayloadToHeader`.
            prefix: "Bearer " # Prefix of the forwarded origin token; defaults to blank ("") if not set.

If your application has multiple issuers:

#....
    main:
      stateless: true
      istio_jwt_authenticator:
        rules:
          - issuer: issuer_1
            origin_token_headers: [authorization]
            prefix: "Bearer "
          - issuer: issuer_2
            user_identifier_claim: aud
            base64_headers: [x-istio-jwt-payload]
        #....
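
The mesh-side configuration that the two rules above presuppose, as an added example that is not part of the bundle's README. The resource names, the `demo` namespace, the `app: my-symfony-app` label and both `jwksUri` values are assumptions. Because the bundle trusts whatever reaches it, the `AuthorizationPolicy` matters as much as the `RequestAuthentication`: on its own, `RequestAuthentication` rejects invalid tokens but still lets requests with no token through to the pod.

```yaml
# Added example: Istio resources matching the bundle rules for issuer_1 and issuer_2.
# Names, namespace, labels and jwksUri values are hypothetical placeholders.
apiVersion: security.istio.io/v1beta1
kind: RequestAuthentication
metadata:
  name: symfony-jwt
  namespace: demo
spec:
  selector:
    matchLabels:
      app: my-symfony-app
  jwtRules:
    # Pairs with `origin_token_headers: [authorization]` and `prefix: "Bearer "`.
    - issuer: issuer_1
      jwksUri: https://issuer-1.example.com/.well-known/jwks.json
      fromHeaders:
        - name: Authorization
          prefix: "Bearer "
      forwardOriginalToken: true
    # Pairs with `base64_headers: [x-istio-jwt-payload]`.
    - issuer: issuer_2
      jwksUri: https://issuer-2.example.com/.well-known/jwks.json
      outputPayloadToHeader: x-istio-jwt-payload
---
# Without this policy, a request carrying no token at all is still forwarded.
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: symfony-require-jwt
  namespace: demo
spec:
  selector:
    matchLabels:
      app: my-symfony-app
  action: ALLOW
  rules:
    - from:
        - source:
            # Only requests with a JWT validated by the sidecar have a request principal.
            requestPrincipals: ["*"]
```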

Usage

#!/bin/bash

# Generate a mock JWT token as forwarded by the Istio sidecar

payload='{"issuer":"issuer_1", "sub": "test"}'
# Quote the variable so the JSON is encoded exactly as written
base64_payload=$(echo -n "$payload" | base64 -)
origin_token="header.$base64_payload.signature"

# You can test authenticating with the origin token using curl:

curl -H "Authorization: Bearer $origin_token" http://localhost/

# Or authenticate with the base64 payload header:

curl -H "X-Istio-JWT-Payload: $base64_payload" http://localhost/

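Statistics

  • Total downloads: 30.4k
  • Monthly downloads: 0
  • Daily downloads: 0
  • Favorites: 3
  • Clicks: 0
  • Dependents: 0
  • Recommendations: 0

GitHub information

  • Stars: 3
  • Watchers: 0
  • Forks: 1
  • Language: PHP

Other information

  • License: MIT
  • Last updated: 2021-06-27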