I keep getting "Jwt issuer is not configured" when I use JWT for Auth

My company is planning to use apigee envoy for istio, and I have managed to set it up based on the docs. When I call the services in the cluster while passing the apikey in the x-api-key header, it works. However, when I try to use JWT for auth, it keeps returning "Jwt issuer is not configured".

I used the sample envoy filter yaml that was generated by the apigee-remote-service-cli. Do I need to update it in order to get it to work?

3 REPLIES

My company is planning to use apigee envoy for istio,

There has been some evolution in the technology over the past 18 months or so. Let me try to clarify. Maybe 2 years ago, we announced and released something called the "Apigee Adapter for Istio" (documentation here). Since our release of that, the technical architecture of Istio has evolved, deprecating the "Mixer" component, which was the piece of Istio that the Apigee Adapter for Istio relied upon. You can read more details about the deprecation at the documentation link.

When Istio deprecated the Mixer, Apigee had to deprecate the Apigee Adapter for Istio. At that time, we introduced a functional replacement called the Apigee Adapter for Envoy (documentation here). It is functionally equivalent to the prior Istio adapter, but now it plugs into Envoy, specifically the existing ExtAuthz plugin for Envoy. We've been pretty actively developing and extending this technology.

So when you say "apigee envoy for istio" - that isn't a thing. I think you should focus on Apigee Adapter for Envoy. Maybe that's what you meant anyway.

when I try to use JWT for auth, it keeps returning "Jwt issuer is not configured".

Judging from the documentation here, you need to modify the envoy config to specify an acceptable issuer. This configuration looks like this.

issuer: https://example.com
audiences:
- whatever.you.want.here
- I.am.not.clear.if.all.of.these.must.be.present
remote_jwks:
  http_uri:
    uri: https://example.com/.well-known/jwks.json
    cluster: example_jwks_cluster
  cache_duration:
    seconds: 300

And the Envoy doc for that is here. And then ensure that your JWT has an issuer claim (the iss claim) that matches that configuration.

One last note! You should be aware that until recently, the issuer was a required element in the JWT configuration for Envoy. Without that fix, we are not able to configure Envoy to not check the issuer. And in fact the doc for the Envoy config states that the issuer field is "required". This ticket shows a change that was closed 29 days ago, which allows the issuer part to be optional in the Envoy config. If you want this you may need to upgrade to a more recent Envoy. Not sure which release you need!

@theganyo maybe you have something to add here.
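
A quick way to check the iss match described in the reply above, as an added example that is not part of the original thread and not Apigee or Envoy code: it decodes a token's payload without verifying the signature and compares its claims with the provider values from the sample config. The function names, the exact-string issuer comparison and the any-one-audience match are assumptions of this example, and the tokens are constructed and unsigned.

```python
import base64
import json

# Provider values copied from the reply's sample config (example.com placeholders).
PROVIDER = {"issuer": "https://example.com", "audiences": ["whatever.you.want.here"]}

def b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def unverified_claims(token: str) -> dict:
    """Decode the payload only. No signature check: diagnostics, not authentication."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS: expected 3 dot-separated segments")
    claims = json.loads(b64url_decode(parts[1]))
    if not isinstance(claims, dict):
        raise ValueError("JWT payload is not a JSON object")
    return claims

def diagnose(token: str, provider: dict = PROVIDER) -> str:
    claims = unverified_claims(token)
    iss = claims.get("iss")
    if iss is None:
        return "missing iss claim"
    if iss != provider["issuer"]:
        # Assumed exact string match: a trailing slash or a different
        # scheme is treated as a different issuer.
        return f"issuer mismatch: token={iss!r} config={provider['issuer']!r}"
    aud = claims.get("aud", [])
    aud = [aud] if isinstance(aud, str) else aud  # aud may be a string or a list
    allowed = provider.get("audiences")
    if allowed and not set(aud) & set(allowed):
        return f"audience mismatch: token={aud!r}"
    return "ok"

def make_token(claims: dict) -> str:
    # Constructed, unsigned sample token; the third segment is a dummy signature.
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'RS256', 'typ': 'JWT'})}.{enc(claims)}.sig"

if __name__ == "__main__":
    for c in ({"iss": "https://example.com", "aud": "whatever.you.want.here"},
              {"iss": "https://example.com/", "aud": "whatever.you.want.here"},
              {"aud": "whatever.you.want.here"}):
        print(diagnose(make_token(c)))
```

Run it against the token your client actually sends, with PROVIDER edited to match your Envoy filter; any result other than "ok" points at the claim to fix.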