I have Kubernetes-managed service account tokens, and I would like to extract some values from the JWT payload using Istio's `outputClaimToHeaders` feature.

The problem arises when trying to extract a claim with a dotted key (`.`) in its name, such as `kubernetes.io.namespace`. The token structure looks like this:

```json
{
  "kubernetes.io": {
    "namespace": "a-namespace"
  }
}
```

When attempting to extract the namespace field using Istio's `outputClaimToHeaders`, the header is not set, and Istio does not correctly retrieve the value.

Steps to reproduce:

1. Deploy an Istio RequestAuthentication policy with the following configuration:

   ```yaml
   apiVersion: security.istio.io/v1beta1
   kind: RequestAuthentication
   metadata:
     name: jwt-auth
     namespace: istio-system
   spec:
     jwtRules:
     - jwksUri:
       fromHeaders:
       - prefix: "Bearer "
       outputClaimToHeaders:
       - claim: kubernetes.io.namespace
       - claim: iss
   ```

2. Send a request with a valid JWT that contains `kubernetes.io.namespace`.
3. Check the headers in the downstream application.
4. Observe that `istio-original-namespace` is missing, while other claims (e.g., `iss`) are correctly extracted.

Some proposed fixes
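
An added illustration, not part of the original report and not Istio's or Envoy's code: a Go sketch of why a claim path split on every `.` misses the `kubernetes.io` key, next to a lookup that also tries dotted prefixes as literal keys. The function names and the sample payload (including its `iss` value) are constructed for this example.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

type claimSet = map[string]interface{}

// Constructed sample payload, shaped like the token in the report above.
const samplePayload = `{"iss":"https://kubernetes.default.svc",
 "kubernetes.io":{"namespace":"a-namespace"}}`

func parseClaims(payload string) claimSet {
	var c claimSet
	if err := json.Unmarshal([]byte(payload), &c); err != nil {
		panic(err)
	}
	return c
}

// naiveLookup treats every "." as a nesting separator, so the path
// "kubernetes.io.namespace" looks for a top-level key "kubernetes" and misses.
func naiveLookup(c claimSet, path string) (interface{}, bool) {
	var cur interface{} = c
	for _, seg := range strings.Split(path, ".") {
		m, ok := cur.(claimSet)
		if !ok {
			return nil, false
		}
		if cur, ok = m[seg]; !ok {
			return nil, false
		}
	}
	return cur, true
}

// dottedLookup tries the whole path as a literal key, then each dotted
// prefix (longest first) as a literal key before descending into it.
func dottedLookup(c claimSet, path string) (interface{}, bool) {
	if v, ok := c[path]; ok {
		return v, true
	}
	for i := strings.LastIndex(path, "."); i > 0; i = strings.LastIndex(path[:i], ".") {
		if child, ok := c[path[:i]].(claimSet); ok {
			if v, ok := dottedLookup(child, path[i+1:]); ok {
				return v, true
			}
		}
	}
	return nil, false
}

func main() {
	c := parseClaims(samplePayload)
	fmt.Println(naiveLookup(c, "kubernetes.io.namespace"))
	fmt.Println(dottedLookup(c, "kubernetes.io.namespace"))
}
```

Longest-prefix-first means a literal `kubernetes.io` key wins over a nested `kubernetes` then `io` object when a token carries both, so that precedence has to be fixed deliberately if the resulting header feeds an authorization decision.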