K
Q

Istio: auth url support in end user authentication

1/11/2019

I'm looking to do 3 legged oauth on istio+kubernetes. I did not find a way to route unauthenticated requests to an authentication proxy service which performs the authentication and route the traffic back to the target service. I've done this with nginx kubernetes ingress controller using the following annotations -

nginx.ingress.kubernetes.io/auth-url //Auth url that requests will be forwarded to nginx.ingress.kubernetes.io/auth-signin //Sign in page the request is routed to when the above returns 401

I did not find equivalent ones in Istio. I've checked the documentation and it says it supports custom auth in addition to jwt, however I did not find any such support.

-- Suman Ganta
istio
kubernetes
nginx
nginx-ingress
oauth-2.0

Similar Questions

Insert multiline json string into helm template for base64 encoding
Rook Ceph Kudeam : only one ceph-mon started
What does a kubernetes namespace represents in cluster?
Cloud watch eks auto scale solution with java/node JDK and terraform
Postgres Back up In Rancher(Kubernetes)
Kubernetes EnvoyFilter description

1 Answer

1/16/2019

Answering my own question. At this point I've figured out the only way to do this is via EnvoyFilter on istio. This allows us to write a custom lua filter to to route unauthenticated requests to an oauth proxy which can perform 3-legged oauth flow.

The request control flow is

client --> ingress gateway --> istio-proxy sidecar --> envoy filter --> target

The filter is capable of making http calls and manipulate headers, which fits this requirement.

Edit: Details about it are here.

-- Suman Ganta
Source: StackOverflow