Updated on 2025-07-30 GMT+08:00

Request Authentication

Request authentication in a service mesh provides source authentication: it verifies that the access token in a request header is trusted, so that a request from a valid source can be authorized. In a request authentication policy, selector selects the target workload, and jwtRules describes the authentication rules that define how authentication information in a JSON Web Token (JWT) is matched.

Creating a Request Authentication Policy

Create a request authentication policy using YAML.

  1. Log in to the UCS console. In the navigation pane, choose Service Meshes.
  2. Click the name of the target service mesh to go to its details page.
  3. In the navigation pane, choose Service Security > Request Authentication.
  4. Click Create from YAML in the upper right corner.
  5. Validate the authentication information in the request for accessing a service in the namespace.

    apiVersion: security.istio.io/v1beta1
    kind: RequestAuthentication               # Set the service security type to request authentication.
    metadata:
      name: forecast                          # Name the request authentication policy.
      namespace: weather                      # Set the namespace to weather.
    spec:
      selector:
        matchLabels:
          app: forecast                       # Add a label key-value pair.
      jwtRules:
        - issuer: "weather@cloudnative-istio.book"                 # Must match the iss claim of the token exactly.
          jwksUri: https://cloudnative-istio.book/jwks-demo/jwks   # Public keys used to verify the token signature.

Updating a Request Authentication Policy

  1. Log in to the UCS console. In the navigation pane, choose Service Meshes.
  2. Click the name of the target service mesh to go to its details page.
  3. In the navigation pane, choose Service Security > Request Authentication.
  4. Locate the authentication policy to be updated and click Edit YAML in the Operation column.

Deleting a Request Authentication Policy

Deleted request authentication policies cannot be recovered. Deleting a request authentication policy will not affect the running of associated services.

  1. Log in to the UCS console. In the navigation pane, choose Service Meshes.
  2. Click the name of the target service mesh to go to its details page.
  3. In the navigation pane, choose Service Security > Request Authentication.
  4. Locate the request authentication policy to be deleted and click Delete in the Operation column.
  5. In the dialog box displayed, click Yes.

Case

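Perform request authentication on custom attributes in a token. The following authorization policy allows a request only if its request principal is weather@cloudnative-istio.book/weather and the role claim in its token is editor.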

    apiVersion: security.istio.io/v1beta1
    kind: AuthorizationPolicy
    metadata:
      name: detailed-jwt
    spec:
      action: ALLOW
      rules:
        - from:
            - source:
                requestPrincipals: ["weather@cloudnative-istio.book/weather"]
          when:
            - key: request.auth.claims[role]
              values: ["editor"]
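
How the forecast request authentication policy and the detailed-jwt authorization policy combine for a single request, as an added example that is not part of the original page: a simplified Python model with hypothetical function names and constructed tokens. It assumes detailed-jwt is applied in the weather namespace and that signature and expiry checks against jwksUri have already passed.

```python
import base64
import json

# Values taken from the two policies on this page.
ISSUER = "weather@cloudnative-istio.book"
ALLOWED_PRINCIPALS = {"weather@cloudnative-istio.book/weather"}
REQUIRED_ROLE = "editor"


def make_token(claims):
    """Build a constructed sample token; the signature part is a placeholder."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return ".".join([enc({"alg": "RS256", "typ": "JWT"}), enc(claims), "sig"])


def claims_of(token):
    """Decode the payload segment of a JWT without verifying it."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore stripped base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def decide(token, issuer=ISSUER):
    """Return 401, 403, or 200 (forwarded to forecast) for one request."""
    principal, claims = None, {}
    if token is not None:
        claims = claims_of(token)
        # RequestAuthentication: a presented token must match the jwtRules issuer exactly.
        if claims.get("iss") != issuer:
            return 401
        # The request principal is <iss>/<sub>.
        principal = f"{claims['iss']}/{claims.get('sub', '')}"
    # AuthorizationPolicy, action ALLOW: the source and the when condition must both match.
    role = claims.get("role")
    roles = role if isinstance(role, list) else [role]
    if principal in ALLOWED_PRINCIPALS and REQUIRED_ROLE in roles:
        return 200
    return 403  # no ALLOW rule matched, including requests that carry no token


if __name__ == "__main__":
    base = {"iss": ISSUER, "sub": "weather"}
    for label, tok in [("no token", None),
                       ("editor", make_token({**base, "role": "editor"})),
                       ("viewer", make_token({**base, "role": "viewer"})),
                       ("other issuer", make_token({**base, "iss": "other@example.test", "role": "editor"}))]:
        print(f"{label:13} -> {decide(tok)}")
```

A request without a token passes the request authentication policy and is rejected only because the ALLOW policy finds no request principal, so the request authentication policy on its own does not require a token.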