We have micro-services deployed in K8s with Istio as service mesh and exposed using Istio-Ingress.
Now, we would like to add AuthN and AuthZ using Istio-Ingress ingress controller.
- We would like do Oauth2-OpenID in Istio-Ingress/Gateway controller. The jwt token returned from OIDC is having UUID of user, but not his UserGroup.
- We have k8s service which has mapping of user UUID and UserGroup (Backend dynamodb). So we need to retrieve group of user.
- We have OPA (open policy agent) based rules for AuthZ of service APIs against UserGroup. So service APIs/urls have to be verified against UserGroup.
- Once after successful AuthN and AuthZ, http headers with user UserGroup, UUID should be passed to upstream services.
- Also we need to set downstream cookies with user UUID, UserGroup for client apps to use it.
All these above 5 steps can be performed in bit and pieces. But, not together as chain of proxies/chain of AuthFilters.
Is there a way to do these in ‘Istio-Ingress’ ingress/gateway controller?