CoursesZero-trust & workload identityIdentity-based authorization

Request-level auth (JWT)

Validate tokens; authorize on verified claims.

Advanced30 min · lesson 11 of 15

Workload identity answers "which service is calling". Request-level authentication answers "on whose behalf" — validating end-user or caller tokens so policy can authorize on verified claims, adding a second, finer layer of identity on top of mTLS.

JWT validation at the proxy

A mesh can validate JWTs at the proxy using a RequestAuthentication resource: it checks the token’s signature against the issuer’s keys and rejects invalid ones, then makes the verified claims available to authorization policy. This lets you enforce request-level rules — this endpoint requires a token from our IdP with the "admin" scope, that endpoint requires a valid user token at all — without every service re-implementing JWT verification. Combined with the workload mTLS identity, you now have two dimensions: the calling service (proven by its certificate) and the principal on whose behalf the request is made (proven by the JWT).

validate JWTs, then authorize on claims
# Require and validate JWTs from the corporate IdP for the api workload.
apiVersion: security.istio.io/v1
kind: RequestAuthentication
metadata: { name: jwt, namespace: prod }
spec:
selector: { matchLabels: { app: api } }
jwtRules:
- issuer: "https://idp.acme.com"
jwksUri: "https://idp.acme.com/.well-known/jwks.json"
---
# Authorize on a verified claim: only tokens with scope "admin" may DELETE.
kind: AuthorizationPolicy
spec:
rules:
- to: [{ operation: { methods: ["DELETE"] } }]
when: [{ key: request.auth.claims[scope], values: ["admin"] }]

Composing service and request identity

The two identity layers compose into fine-grained, defense-in-depth policy: "the frontend service (mTLS identity) may call the orders API, and only for requests carrying a valid user token (JWT) whose claims permit the action". This is far stronger than either alone — a stolen user token cannot be replayed from an unauthorized service, and a compromised service cannot act without a valid user token where one is required. It pushes verification down to the individual request, which is the essence of continuous, per-request zero-trust authorization. As always, keep these policies as reviewed code and roll them out carefully so a misconfigured JWT rule does not lock out legitimate callers.

Two layers of identity per request
1workload mTLSidentitywhich service is calling2JWT(RequestAuthenticatio…on whose behalf3authorize onbothservice + verified claims4per-requestdecisionfine-grained, defense in…
Service identity (mTLS) plus request identity (JWT) authorize each call on both who is calling and on whose behalf — verification per request.
A valid JWT from the wrong service should still be denied
Authorizing solely on a JWT lets any service that obtains a valid token act with it. Combine request identity (JWT claims) with workload identity (mTLS principal) so a token is only honored from the services allowed to present it — neither layer alone is sufficient for sensitive operations.