I am trying to protect front end applications with the IBM App Identity and Access Adapter for Istio. There are two steps to follow once the service is in place:
```yaml
apiVersion: "security.cloud.ibm.com/v1"
kind: OidcConfig
metadata:
  name: hello-oidc
  namespace: my-namespace
spec:
  discoveryUrl: https://dev-b37sro-t.auth0.com/.well-known/openid-configuration
  clientId: E3LjLlomDnaPTc0b83eZa1gT0oGDNLko
  clientSecret: randomlyGeneratedClientSecret(not revealing this one)
```

```yaml
apiVersion: "security.cloud.ibm.com/v1"
kind: Policy
metadata:
  name: oidcsamplepolicy
  namespace: my-namespace
spec:
  targets:
    -
      serviceName: helloworld
      paths:
        - exact: /hello
          method: ALL
          policies:
            - policyType: oidc
              config: hello-oidc
              redirectUri: http://helloworld.my-namespace.my-project-host/hello
```
I am using Auth0 as identity issuer, so I generate a new application (helloworld from Istio 1.4.0) and get the parameters needed in the previous configurations from there.
For some reason, when I apply the OidcConfig and the Policy in my Kubernetes Cluster/Namespace/Service, it doesn't seem to have any effect. I am still able to access the application from the web browser without any authentication required.
These are the links I followed for the implementation:
https://github.com/ibm-cloud-security/app-identity-and-access-adapter
Did you set `global.disablePolicyChecks` to `false`, and did you enable mixer during Istio install? Mixer is disabled by default now.
See https://istio.io/docs/reference/config/installation-options/#mixer-options
Update:
I was just able to resolve this issue on my setup by doing the following:
First check the status of `disablePolicyChecks`:

```shell
kubectl -n istio-system get cm istio -o jsonpath="{@.data.mesh}" | grep disablePolicyChecks
```

If this returns `disablePolicyChecks: true`, run:

```shell
istioctl manifest apply --set values.global.disablePolicyChecks=false \
  --set values.mixer.policy.enabled=true \
  --set values.pilot.policy.enabled=true
```

Running the following should show the value of `disablePolicyChecks` as `false`:

```shell
kubectl -n istio-system get cm istio -o jsonpath="{@.data.mesh}" | grep disablePolicyChecks
```
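The check from the answer above, turned into a gate that a deployment script can fail on; this is an added example, not code from the answer or from the Istio or adapter projects. The function names `policy_check_state` and `require_policy_checks` and the sample mesh configs are constructed for illustration.

```shell
#!/bin/sh
# Classify mesh config text read from stdin by its disablePolicyChecks value.
# Prints one of: enforced | disabled | unset
policy_check_state() {
    # Only uncommented "disablePolicyChecks: <value>" lines match;
    # if the key appears more than once, the last occurrence wins.
    value=$(sed -n 's/^[[:space:]]*disablePolicyChecks:[[:space:]]*\([A-Za-z]*\).*$/\1/p' | tail -n 1)
    case "$value" in
        false) echo enforced ;;
        true)  echo disabled ;;
        *)     echo unset ;;
    esac
}

# Return 0 only when policy checks are enforced, so a pipeline can stop
# before relying on an OidcConfig/Policy pair that would never be evaluated.
require_policy_checks() {
    state=$(policy_check_state)
    if [ "$state" = enforced ]; then
        return 0
    fi
    echo "disablePolicyChecks is $state in the mesh config" >&2
    return 1
}

# Constructed sample inputs (not taken from a real cluster).
SAMPLE_DISABLED='# constructed sample mesh config
disablePolicyChecks: true
enableTracing: true'

SAMPLE_ENFORCED='disablePolicyChecks: false
enableTracing: true'

SAMPLE_UNSET='# disablePolicyChecks: false
enableTracing: true'

# Against a live cluster, feed it the same command the answer uses:
#   kubectl -n istio-system get cm istio -o jsonpath="{@.data.mesh}" | require_policy_checks
```
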