Can Istio redirect instead of giving 403 for authorization denial?

When AuthorizationPolicy processing decides that a request is not authorized, is there any way to have Istio return a response redirecting to some other URL, instead of simply returning an HTTP 403 error response?

(AuthorizationPolicy’s action type doesn’t have any redirection option, and VirtualService doesn’t seem to have any way of matching on the incoming authorization decision (in order to use its redirect).)

Motivation: We use role/permission JWT claims to determine which sub-sites/sub-pages are available to users. When the user doesn’t have access to a given site/page, we redirect the browser back to the root site/page.

We’d like to move our implementation of this to Istio. It looks like we can use AuthorizationPolicy and request.auth.claims... to check the roles/permissions. However, we can only say whether to allow or deny the request, but not how to reflect the denial back to the client (i.e., as a redirection).

The redirection we want seems to be different from SSO/OAuth2 redirection (which we expect to do through Istio with an authentication/authorization plugin), which redirects back to the originally requested page (right?) after authentication login.

Thanks.

3 Likes
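For readers arriving with the same question, here is what the claim-based check described above looks like as Istio configuration. This is an added illustration, not configuration from the original poster or from the Istio project; the workload label, namespace, paths, issuer and JWKS URL are placeholders. Requests that fail the ALLOW rules get the plain HTTP 403 the post is asking to replace, which is the behaviour AuthorizationPolicy provides on its own.

```yaml
# Added example (hypothetical names): validate the JWT, then gate a sub-site
# on a claim. Denied requests receive HTTP 403 from the sidecar; no redirect.
apiVersion: security.istio.io/v1beta1
kind: RequestAuthentication
metadata:
  name: jwt-auth            # placeholder name
  namespace: web            # placeholder namespace
spec:
  selector:
    matchLabels:
      app: portal           # placeholder workload label
  jwtRules:
    - issuer: "https://issuer.example.invalid"          # placeholder issuer
      jwksUri: "https://issuer.example.invalid/jwks"    # placeholder JWKS URL
---
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: portal-roles        # placeholder name
  namespace: web
spec:
  selector:
    matchLabels:
      app: portal
  action: ALLOW
  rules:
    # Rule 1: everything outside the restricted sub-site stays reachable.
    - to:
        - operation:
            notPaths: ["/admin/*"]
    # Rule 2: the restricted sub-site requires the "admin" value in the
    # "roles" claim of a validated JWT. A request to /admin/* that matches
    # neither rule is rejected with 403 by the sidecar.
    - to:
        - operation:
            paths: ["/admin/*"]
      when:
        - key: request.auth.claims[roles]
          values: ["admin"]
```

Two design points worth noting. Once any ALLOW policy selects a workload, every request that matches no rule is denied, which is why Rule 1 is needed to keep the rest of the site open. And because the decision is made by the sidecar before the request reaches the application, the application never sees the denied request, so the redirect logic the post describes cannot simply be kept in application code for those paths.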

Hello,
I want the same behaviour/feature. Have you found a solution or a way to do it?

Thanks in advance.

1 Like