First, let's look at how the official Istio documentation explains origin (end-user) authentication:
Istio's origin authentication is implemented by Envoy. Here is the description of JWT authentication from the official Envoy documentation:
From this we can see that Istio checks three attributes of the token: the signature, the audience and the issuer. It also checks the validity period, and only the ES256 and RS256 algorithms are supported. So when we generate the token we must make sure these three attributes follow the standard.
..., and the corresponding endpoint is /.well-known/openid-configuration. Of course, many of the attributes in that document may be specific to Google; please refer to the official OIDC documentation for details.
Configure a Policy in Istio for the service to perform origin authentication. The issuer must be the same as the one used when generating the token, and jwksUri is the endpoint that publishes the public keys (the JWKS). If jwksUri is not provided, Istio will request <issuer>/.well-known/openid-configuration, the OIDC discovery endpoint, to find the jwks_uri and fetch the public key from there.
It also supports excluding certain paths from the check, or applying the check only to certain paths (taken from the official documentation).
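A Policy that ties these settings together, added here as an illustration (it is not from the original post or the Istio documentation); the service name, namespace, issuer, audience and jwksUri are placeholder values:

```yaml
# Added example (not from the original post). Istio authentication Policy
# (v1alpha1) that enables JWT origin authentication for one service.
apiVersion: authentication.istio.io/v1alpha1
kind: Policy
metadata:
  name: jwt-example            # placeholder name
  namespace: default           # placeholder namespace
spec:
  targets:
  - name: httpbin              # placeholder: the service to protect
  origins:
  - jwt:
      # Must match the "iss" claim of the tokens you generate.
      issuer: "https://issuer.example.com"        # placeholder issuer
      # With this list set, tokens whose "aud" claim is not in it are rejected.
      audiences:
      - "httpbin.default.svc.cluster.local"       # placeholder audience
      # Endpoint serving the public keys (JWKS). If omitted, Istio fetches
      # <issuer>/.well-known/openid-configuration and uses its jwks_uri.
      jwksUri: "https://issuer.example.com/.well-known/jwks.json"   # placeholder
      # Requests matching excluded_paths skip the JWT check entirely;
      # use included_paths instead to enforce it on selected paths only.
      trigger_rules:
      - excluded_paths:
        - exact: /healthz
        - prefix: /public/
  # Use the JWT subject, not the mTLS peer identity, as the request principal.
  principalBinding: USE_ORIGIN
```

Apply it with kubectl and then send one request with a valid token and one without to confirm the excluded paths still answer while the rest return 401.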
Please refer to the official English document https://istio.io/docs/reference/config/istio.authentication.v1alpha1/
My own ability is limited, so please correct me if there are any mistakes!
If you are interested, you can study the source code of some open-source frameworks that implement the OIDC specification to gain a deeper understanding.