I’m having trouble using oauth2-proxy as an external auth with Istio 1.10.0.
My goal is configure a second Istio ingressgateway, istio-oauth-ingressgateway, and use oauth2-proxy as an extensionProvider with an AuthorizationPolicy CUSTOM action for all endpoints access through the ingressgateway.
The approach is parially explained here.
The trouble I’m having is with being redirected back to the service I’m trying to reach, after successfully authenticating via the oauth2-proxy.
It’s essentially the same problem described here.
Expected:
- Visit
bookinfo.example.com - Redirected to
auth.example.com - Log in
- Redirected to
bookinfo.example.com
Actual:
- Visit
bookinfo.example.com - Redirected to
auth.example.com - Log in
- Redirected to
auth.example.com - If I visit
bookinfo.example.comagain now, it will work, but I would prefer to get redirected automatically.
According to the last comment in the link above, it seems the problem might be that the ext_authz initiated request to oauth2-proxy does not contain any of the headers required by oauth2-proxy in order to redirect the request.
I’m wondering if there is a way to fix this, or if the conclusion is that oauth2-proxy is simply not fully supported yet.
Edit:
I was able to solve this by adding the following line to envoyExtAuthzHttp under meshConfig in the Istio operator config:
includeAdditionalHeadersInCheck:
X-Auth-Request-Redirect: https://%REQ(Host)%
This effectively adds an addition header to the request sent to oauth2-proxy, where the value is extracted from the Host header.
Config:
apiVersion: install.istio.io/v1alpha1
kind: IstioOperator
metadata:
name: installation
namespace: istio-system
spec:
components:
ingressGateways:
- enabled: true
name: istio-ingressgateway
- enabled: true
k8s:
podAnnotations:
proxy.istio.io/config: '{"gatewayTopology": { "numTrustedProxies": 2 }}'
label:
app: istio-oauth-ingressgateway
istio: oauth-ingressgateway
name: istio-oauth-ingressgateway
pilot:
enabled: true
meshConfig:
extensionProviders:
- envoyExtAuthzHttp:
port: 4180
service: oauth2-proxy.istio-system.svc.cluster.local
headersToDownstreamOnDeny:
- content-type
- set-cookie
headersToUpstreamOnAllow:
- authorization
- cookie
- path
includeHeadersInCheck:
- "cookie"
- "x-forwarded-access-token"
- "x-forwarded-user"
- "x-forwarded-email"
- "authorization"
- "x-forwarded-proto"
- "proxy-authorization"
- "user-agent"
- "x-forwarded-host"
- "from"
- "x-forwarded-for"
- "x-forwarded-uri"
- "x-auth-request-redirect"
- "accept"
name: oauth2-proxy
namespace: istio-system
profile: default
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
labels:
argocd.argoproj.io/instance: oauth2-proxy
name: oauth-ingressgateway
namespace: istio-system
spec:
action: CUSTOM
provider:
name: oauth2-proxy
rules:
- to:
- operation:
paths:
- '*'
selector:
matchLabels:
istio: oauth-ingressgateway
apiVersion: apps/v1
kind: Deployment
metadata:
name: oauth2-proxy
namespace: istio-system
spec:
selector:
matchLabels:
app: oauth2-proxy
template:
metadata:
labels:
app: oauth2-proxy
istio-injection: enabled
spec:
containers:
- args:
- '--provider=github'
- '--client-id=<client-id>'
- '--client-secret=<client-secret>'
- '--http-address=0.0.0.0:4180'
- '--email-domain=*'
- '--cookie-refresh=1h'
- '--cookie-secure=false'
- '--set-xauthrequest'
- '--pass-access-token'
- '--set-authorization-header'
- '--upstream="static://200"'
- '--skip-provider-button=true'
- '--reverse-proxy'
env:
- name: OAUTH2_PROXY_WHITELIST_DOMAINS
value: .example.com
- name: OAUTH2_PROXY_COOKIE_DOMAINS
value: .example.com
---
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
name: oauth2-proxy-gw
namespace: istio-system
spec:
selector:
istio: ingressgateway
servers:
- hosts:
- auth.example.com
port:
name: http
number: 80
protocol: HTTP
tls:
httpsRedirect: true
- hosts:
- auth.example.com
port:
name: https
number: 443
protocol: HTTPS
tls:
credentialName: <cert>
mode: SIMPLE
---
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
name: oauth2-proxy-vs
namespace: istio-system
spec:
gateways:
- oauth2-proxy-gw
hosts:
- auth.example.com
http:
- route:
- destination:
host: oauth2-proxy.istio-system.svc.cluster.local
port:
number: 4180
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
name: bookinfo-gw
namespace: default
spec:
selector:
istio: oauth-ingressgateway
servers:
- port:
number: 80
name: http
protocol: HTTP
hosts:
- bookinfo.example.com
tls:
httpsRedirect: true
- port:
number: 443
name: https
protocol: HTTPS
tls:
mode: SIMPLE
credentialName: <cert>
hosts:
- bookinfo.example.com
---
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
name: bookinfo-vs
namespace: default
spec:
hosts:
- bookinfo.example.com
gateways:
- bookinfo-gw
http:
- route:
- destination:
host: productpage.default.svc.cluster.local
port:
number: 9080