Authorization header is not coming to backend app container | Istio 1.9.2 | External Auth using CUSTOM action

Hey @YangminZhu, I’ve tried better external authorization to set up the system.

I can see Oauth2-Proxy is getting the authorization header (JWT token), but the same token is not reaching the nginx container (test app in my case), even though --set-authorization-header=true is set in the Oauth2-Proxy deployment.
An Auth Success message is also present in the Oauth2-Proxy container log.

Below is my setup

Istio 1.9.2
Keycloak as OIDC provider
Oauth2-Proxy to manage OIDC flow
Mesh Config changes
Nginx as example app

The nginx container is not getting the Authorization header (JWT token).

Below is my config for the Oauth2-Proxy deployment

apiVersion: apps/v1
kind: Deployment
metadata:
  name: oauth2-proxy
  namespace: oauth2-proxy
spec:
  selector:
    matchLabels:
      app: oauth2-proxy
  template:
    metadata:
      labels:
        app: oauth2-proxy
    spec:
      containers:
      - name: oauth2-proxy
        image: quay.io/oauth2-proxy/oauth2-proxy:latest
        args:
        - --session-store-type=redis
        - --redis-connection-url=redis://redis-master.redis.svc.cluster.local:6379
        - --provider=oidc
        - --cookie-samesite=lax
        - --cookie-refresh=1h
        - --cookie-expire=4h
        - --email-domain=*
        - --http-address=0.0.0.0:4180
        - --upstream=static://200
        - --skip-provider-button=true
        - --whitelist-domain=.xyz.net
        - --oidc-issuer-url=http://keycloak-service:10003/auth/realms/testrealm
        - --login-url=http://keycloak-service:10003/auth/realms/testrealm/protocol/openid-connect/auth
        - --redeem-url=http://keycloak-service:10003/auth/realms/testrealm/protocol/openid-connect/token
        - --validate-url=http://keycloak-service:10003/auth/realms/testrealm/protocol/openid-connect/userinfo
        - --profile-url=http://keycloak-service:10003/auth/realms/testrealm/protocol/openid-connect/userinfo
        - --standard-logging=true
        - --auth-logging=true
        - --request-logging=true
        - --cookie-secure=false
        - --cookie-name=_oauth2_proxy_istio_ingressgateway
        - --cookie-httponly=true
        - --cookie-domain=.xyz.net
        - --insecure-oidc-allow-unverified-email=true
        - --set-xauthrequest=true
        - --set-authorization-header=true
        - --pass-access-token=true
        - --pass-authorization-header=true
        - --scope=openid
        env:
        - name: OAUTH2_PROXY_CLIENT_ID
          value: testclient
        - name: OAUTH2_PROXY_CLIENT_SECRET
          value: a64bc82a-8d8b-4f09-930c-ce4cd1463661
        - name: OAUTH2_PROXY_COOKIE_SECRET
          value: 892c869573095108535811657f0408ea
        ports:
        - containerPort: 4180
          protocol: TCP

Mesh Config

apiVersion: v1
data:
  mesh: |-
    extensionProviders:
    - name: "oauth2-proxy.oauth2-proxy"
      envoyExtAuthzHttp:
        service: "oauth2-proxy.oauth2-proxy.svc.cluster.local"
        port: "4180"
        includeHeadersInCheck: ["authorization", "cookie"]
        headersToUpstreamOnAllow: ["authorization", "path", "x-auth-request-user", "x-auth-request-email", "x-auth-request-access-token"]
        headersToDownstreamOnDeny: ["content-type", "set-cookie"]

@YangminZhu FYI. The authorization policy with CUSTOM action seems right to me. The documentation is about a sample external authorizer. Not sure if there’s anything missing that can lead to this when used with OAuth2-proxy.

Hello, below is my understanding:

Envoy’s external authorization filter expects ‘HTTP 200’ (--upstream=static://200); only then will it redirect to the Istio ingress gateway URL, or the URL which we hit in the browser first. If I hit the ingress-gateway-url/oauth2/auth endpoint (with HTTP 202) I can see the authorization header.

@YangminZhu @incfly: Any help or lead would help me a lot. It seems I’m near but not able to get the authorization header.
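The three header lists in the mesh config above (includeHeadersInCheck, headersToUpstreamOnAllow, headersToDownstreamOnDeny) decide which headers the sidecar sends to the authorizer, which headers from a 200 authorizer response are copied onto the request before it reaches the app, and which headers from a non-200 response go back to the client. The following is an added Python simulation of that behaviour, written here for the thread; it is not code from Istio, Envoy or oauth2-proxy. It assumes the lists are applied as the Istio MeshConfig reference describes them (exact, case-insensitive name matches; prefix/suffix matchers are omitted), and it uses a constructed stand-in for oauth2-proxy's /oauth2/auth endpoint (fake_oauth2_auth, VALID_SESSION_COOKIE, FAKE_ID_TOKEN are all made-up values, not real tokens).

```python
"""Toy model of Istio's envoyExtAuthzHttp header forwarding (constructed example).

The provider settings are copied from the mesh config in the thread. Everything
else (the fake authorizer, the sample cookie and token) is constructed for the
demonstration and is not real configuration or real credentials.
"""
from typing import Dict, Tuple, Union

# Provider settings taken from the thread's mesh config.
INCLUDE_HEADERS_IN_CHECK = ["authorization", "cookie"]
HEADERS_TO_UPSTREAM_ON_ALLOW = ["authorization", "path", "x-auth-request-user",
                               "x-auth-request-email", "x-auth-request-access-token"]
HEADERS_TO_DOWNSTREAM_ON_DENY = ["content-type", "set-cookie"]

Headers = Dict[str, str]
AllowResult = Tuple[str, Headers]
DenyResult = Tuple[str, Tuple[int, Headers]]


def _lower(headers: Headers) -> Headers:
    """Header names are case-insensitive; normalise to lowercase for matching."""
    return {k.lower(): v for k, v in headers.items()}


def build_check_request(client_headers: Headers) -> Headers:
    """Headers the sidecar includes in the check request to the authorizer.

    Only names listed in includeHeadersInCheck are sent; everything else on the
    client request stays with the sidecar until the verdict comes back.
    """
    lowered = _lower(client_headers)
    return {k: v for k, v in lowered.items() if k in INCLUDE_HEADERS_IN_CHECK}


def apply_check_result(client_headers: Headers, status: int,
                       auth_headers: Headers) -> Union[AllowResult, DenyResult]:
    """Apply the authorizer's verdict the way the ext_authz filter does.

    200  -> allow: the original request goes upstream, with listed headers from
            the authorizer's response added to / overriding it.
    else -> deny: the client gets the authorizer's status plus listed headers.
    """
    auth = _lower(auth_headers)
    if status == 200:
        upstream = dict(_lower(client_headers))  # original headers pass through
        for name in HEADERS_TO_UPSTREAM_ON_ALLOW:
            if name in auth:  # only headers actually present on the 200 response
                upstream[name] = auth[name]
        return "allow", upstream
    downstream = {n: auth[n] for n in HEADERS_TO_DOWNSTREAM_ON_DENY if n in auth}
    return "deny", (status, downstream)


# ---- constructed stand-in for oauth2-proxy's /oauth2/auth endpoint -----------
VALID_SESSION_COOKIE = "_oauth2_proxy=constructed-session-value"  # made up
FAKE_ID_TOKEN = "eyJ.constructed.token"                            # placeholder, not a JWT


def fake_oauth2_auth(check_headers: Headers,
                     set_authorization_header: bool = True) -> Tuple[int, Headers]:
    """Constructed model of /oauth2/auth: 200 + identity headers for a valid
    session cookie, 401 otherwise. The Authorization header is only emitted
    when the (modelled) --set-authorization-header flag is on."""
    cookie = check_headers.get("cookie", "")
    if VALID_SESSION_COOKIE not in cookie:
        return 401, {"content-type": "text/plain",
                     "set-cookie": "_oauth2_proxy=; Max-Age=0"}
    resp = {"x-auth-request-user": "alice",
            "x-auth-request-email": "alice@example.test"}
    if set_authorization_header:
        resp["authorization"] = "Bearer " + FAKE_ID_TOKEN
    return 200, resp


def sidecar_roundtrip(client_headers: Headers, **proxy_flags):
    """Full cycle: client request -> check request -> verdict -> upstream/downstream."""
    check = build_check_request(client_headers)
    status, auth_headers = fake_oauth2_auth(check, **proxy_flags)
    return apply_check_result(client_headers, status, auth_headers)


if __name__ == "__main__":
    logged_in = {"Cookie": VALID_SESSION_COOKIE, "Host": "app.xyz.net"}
    print("check request:", build_check_request(logged_in))
    print("allowed:", sidecar_roundtrip(logged_in))
    print("denied:", sidecar_roundtrip({"Host": "app.xyz.net"}))
    print("allowed, flag off:", sidecar_roundtrip(logged_in, set_authorization_header=False))
```

The point the model makes explicit: the Authorization header the app receives is not the one the browser sent (the browser only carries the session cookie), it is whatever the authorizer put on its 200 response, and headersToUpstreamOnAllow only copies names that are actually present there. That is why inspecting the /oauth2/auth response directly, as the poster did, is the right place to confirm the header exists before looking at the app container.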

@incfly Below is formatted yaml

apiVersion: v1
kind: Namespace
metadata:
  name: oauth2-proxy
---
apiVersion: v1
kind: Service
metadata:
  name: oauth2-proxy
  namespace: oauth2-proxy
spec:
  selector:
    app: oauth2-proxy
  ports:
  - name: http
    port: 4180
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: oauth2-proxy
  namespace: oauth2-proxy
spec:
  selector:
    matchLabels:
      app: oauth2-proxy
  template:
    metadata:
      labels:
        app: oauth2-proxy
    spec:
      containers:
      - name: oauth2-proxy
        image: quay.io/oauth2-proxy/oauth2-proxy:v7.1.1
        args:
        - --session-store-type=redis
        - --redis-connection-url=redis://redis-master.redis.svc.cluster.local:6379
        - --provider=oidc
        - --provider-display-name=Keycloak
        - --cookie-samesite=lax
        - --cookie-refresh=1h
        - --cookie-expire=4h
        - --email-domain=*
        - --http-address=127.0.0.1:4180
        - --upstream=static://200
        - --skip-provider-button=true
        - --whitelist-domain=.xyz.net
        - --oidc-issuer-url=http://keycloak-svc:10003/auth/realms/testrealm
        - --login-url=http://keycloak-svc:10003/auth/realms/testrealm/protocol/openid-connect/auth
        - --redeem-url=http://keycloak-svc:10003/auth/realms/testrealm/protocol/openid-connect/token
        - --validate-url=http://keycloak-svc:10003/auth/realms/testrealm/protocol/openid-connect/userinfo
        - --profile-url=http://keycloak-svc:10003/auth/realms/testrealm/protocol/openid-connect/userinfo
        - --standard-logging=true
        - --auth-logging=true
        - --request-logging=true
        - --cookie-secure=false
        - --cookie-name=_oauth2_proxy
        - --cookie-httponly=true
        - --cookie-domain=.xyz.net
        - --insecure-oidc-allow-unverified-email=true
        - --scope=openid
        - --skip-auth-strip-headers=false
        - --pass-authorization-header=true
        - --set-xauthrequest=true
        - --pass-access-token=true
        - --set-authorization-header=true
        env:
        - name: OAUTH2_PROXY_CLIENT_ID
          value: testclient
        - name: OAUTH2_PROXY_CLIENT_SECRET
          value: a64bc82a-8d8b-4f09-930c-ce4cd1463661
        - name: OAUTH2_PROXY_COOKIE_SECRET
          value: 892c869573095108535811657f0408ea
        ports:
        - containerPort: 4180
          protocol: TCP

And Mesh Config

apiVersion: v1
data:
  mesh: |-
    extensionProviders:
    - name: "oauth2-proxy.oauth2-proxy"
      envoyExtAuthzHttp:
        service: "oauth2-proxy.oauth2-proxy.svc.cluster.local"
        port: "4180"
        includeHeadersInCheck: ["authorization", "cookie"]
        headersToUpstreamOnAllow: ["authorization", "path", "x-auth-request-user", "x-auth-request-email", "x-auth-request-access-token"]
        headersToDownstreamOnDeny: ["content-type", "set-cookie"]