I'm looking to do 3 legged oauth on istio+kubernetes. I did not find a way to route unauthenticated requests to an authentication proxy service which performs the authentication and route the traffic back to the target service. I've done this with nginx kubernetes ingress controller using the following annotations -
nginx.ingress.kubernetes.io/auth-url // Auth url that requests will be forwarded to
nginx.ingress.kubernetes.io/auth-signin // Sign in page the request is routed to when the above returns 401
I did not find equivalent ones in Istio. I've checked the documentation and it says it supports custom auth in addition to jwt, however I did not find any such support.
Answering my own question. At this point I've figured out the only way to do this is via EnvoyFilter on Istio. This allows us to write a custom Lua filter to route unauthenticated requests to an OAuth proxy which can perform the 3-legged OAuth flow.
The request control flow is
client --> ingress gateway --> istio-proxy sidecar --> envoy filter --> target
The filter is capable of making HTTP calls and manipulating headers, which fits this requirement.
Edit: Details about it are here.
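An EnvoyFilter of the kind this answer describes, as an added example that is not from the original post or from the Istio project. It assumes an Istio release that uses Envoy v3 filter names, a target workload labelled `app: target`, and an auth proxy Service `oauth-proxy.auth` on port 4180 whose `/oauth2/auth` and `/oauth2/start` endpoints play the roles of `auth-url` and `auth-signin` from the question; all of those names are hypothetical.

```yaml
apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
  name: oauth-redirect            # assumed name
  namespace: default              # assumed namespace of the target workload
spec:
  workloadSelector:
    labels:
      app: target                 # assumed label on the target pods
  configPatches:
  - applyTo: HTTP_FILTER
    match:
      context: SIDECAR_INBOUND    # the sidecar in front of the target
      listener:
        filterChain:
          filter:
            name: envoy.filters.network.http_connection_manager
            subFilter:
              name: envoy.filters.http.router
    patch:
      operation: INSERT_BEFORE    # run before the request is routed to the app
      value:
        name: envoy.filters.http.lua
        typed_config:
          "@type": type.googleapis.com/envoy.extensions.filters.http.lua.v3.Lua
          inlineCode: |
            -- Assumed cluster: Service oauth-proxy, namespace auth, port 4180.
            local AUTH = "outbound|4180||oauth-proxy.auth.svc.cluster.local"
            function envoy_on_request(handle)
              local h = handle:headers()
              -- Ask the auth proxy whether this session is authenticated.
              local resp = handle:httpCall(AUTH, {
                [":method"] = "GET",
                [":path"] = "/oauth2/auth",
                [":authority"] = h:get(":authority"),
                ["cookie"] = h:get("cookie") or "",
              }, nil, 2000)
              local status = resp[":status"]
              if status == "200" or status == "202" then
                return                      -- authenticated: continue to target
              elseif status == "401" then   -- start the flow, return here after
                local rd = h:get(":path"):gsub("[^%w%-%._~/]", function(c)
                  return string.format("%%%02X", c:byte()) end)
                handle:respond({[":status"] = "302",
                  ["location"] = "/oauth2/start?rd=" .. rd}, "")
              else                          -- any other answer: deny, not allow
                handle:respond({[":status"] = "503"}, "auth check failed")
              end
            end
```

The redirect target must be reachable by the browser, so the gateway needs a route that sends the assumed `/oauth2/` prefix to the auth proxy rather than to the target. Only the request path is passed as the return location, which keeps the post-login redirect on the same host.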