# Sample JWT and JWKS data for demo

This folder contains sample data to set up end-user authentication with Istio authentication policy, together with the script to (re)generate them.

## Example end-user authentication policy using the mock jwks.json data

```yaml
apiVersion: security.istio.io/v1
kind: RequestAuthentication
metadata:
  name: "jwt-example"
spec:
  selector:
    matchLabels:
      app: httpbin
  jwtRules:
  - issuer: "testing@secure.istio.io"
    jwksUri: "https://raw.githubusercontent.com/istio/istio/master/security/tools/jwt/samples/jwks.json"
```

The `demo.jwt` file contains a signed JWT with the following payload:

```json
{
  "exp": 4685989700,
  "foo": "bar",
  "iat": 1532389700,
  "iss": "testing@secure.istio.io",
  "sub": "testing@secure.istio.io"
}
```

Note that the expiration date (`exp`) is far in the future, so the token can be tested as is without any modification. For example:

```bash
TOKEN=$(curl https://raw.githubusercontent.com/istio/istio/master/security/tools/jwt/samples/demo.jwt -s)
curl --header "Authorization: Bearer $TOKEN" "$INGRESS_HOST/headers" -s -o /dev/null -w "%{http_code}\n"
```

Alternatively, you can use the `gen-jwt.py` script to create a new test token:

```bash
TOKEN=$(./gen-jwt.py key.pem --expire=300 --iss "new-issuer@secure.istio.io")
```

> Before you start, run the following command to install python dependencies.

```bash
pip install jwcrypto
```

## Regenerate private key and JWKS (for developer use only)

1. Regenerate the private key using `openssl`

    ```bash
    openssl genrsa -out key.pem 2048
    ```

1. Run `gen-jwt.py` with `--jwks` to create a new public key set and demo JWT

    ```bash
    gen-jwt.py key.pem -jwks=./jwks.json --expire=3153600000 --claims=foo:bar > demo.jwt
    ```
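To make concrete what validating a token such as `demo.jwt` against the `jwtRules` entry above involves, the following added example (not part of the Istio repository, and not Istio's or Envoy's implementation) performs the checks with the Python standard library only: key lookup by `kid` in a JWKS, RS256 signature verification, then `iss` and `exp`. The RSA key is a constructed, insecure stand-in for `key.pem` and `jwks.json` so the code runs offline; `sign`, `verify` and the `kid` value `demo` are names assumed for this example.

```python
import base64, hashlib, json, time

# Constructed, INSECURE demo key built from two well-known public primes.
# It stands in for key.pem / jwks.json so the example runs offline.
P, Q, E = 2**255 - 19, 2**256 - 2**32 - 977, 65537
N, D = P * Q, pow(E, -1, (P - 1) * (Q - 1))
K = (N.bit_length() + 7) // 8  # modulus length in bytes
# DER DigestInfo prefix for SHA-256 (RFC 8017, section 9.2)
SHA256_PREFIX = bytes.fromhex("3031300d060960864801650304020105000420")

def b64e(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def b64d(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def encode_digest(message, k):
    """EMSA-PKCS1-v1_5 encoding of SHA-256(message), as an integer."""
    t = SHA256_PREFIX + hashlib.sha256(message).digest()
    return int.from_bytes(b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t, "big")

def sign(claims, kid="demo"):
    """Issue an RS256 token with the constructed key (test helper only)."""
    head = b64e(json.dumps({"alg": "RS256", "kid": kid, "typ": "JWT"}).encode())
    body = b64e(json.dumps(claims).encode())
    sig = pow(encode_digest(f"{head}.{body}".encode(), K), D, N)
    return f"{head}.{body}.{b64e(sig.to_bytes(K, 'big'))}"

JWKS = {"keys": [{"kty": "RSA", "kid": "demo", "e": b64e(E.to_bytes(3, "big")),
                  "n": b64e(N.to_bytes(K, "big"))}]}

def verify(token, jwks, issuer, now=None):
    """Return the claims if signature, iss and exp all check out, else None."""
    try:
        head, body, sig = token.split(".")
        header = json.loads(b64d(head))
        if header.get("alg") != "RS256":  # pin the algorithm; reject "none" etc.
            return None
        key = next(k for k in jwks["keys"] if k.get("kid") == header.get("kid"))
        n, e = (int.from_bytes(b64d(key[f]), "big") for f in ("n", "e"))
        s = int.from_bytes(b64d(sig), "big")
        want = encode_digest(f"{head}.{body}".encode(), (n.bit_length() + 7) // 8)
        if s >= n or pow(s, e, n) != want:
            return None
        claims = json.loads(b64d(body))
        fresh = claims.get("exp", 0) > (time.time() if now is None else now)
        return claims if fresh and claims.get("iss") == issuer else None
    except (ValueError, KeyError, StopIteration, AttributeError, TypeError):
        return None
```

Claims are read only after the signature has been checked, so a token whose payload was edited after signing is rejected before its `iss` or `exp` is ever trusted.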