EnvoyFilter envoy.ext_authz not working with 1.5.1

We have been using the envoy.ext_authz EnvoyFilter along with oauth2_proxy on our Istio configurations for quite a while. This was however on version 1.4.5. We upgraded Istio to 1.5.1 and have not been able to get the EnvoyFilter to work. Ideally the filter redirects all incoming requests to oauth2_proxy, which then handles authentication and forwards them to the required VirtualService. However, after the upgrade the redirect does not happen at all, and no incoming request is redirected to oauth2_proxy.

This is my EnvoyFilter:

```yaml
apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
  name: authn-filter
spec:
  workloadSelector:
    labels:
      app: istio-ingressgateway
  configPatches:
    - applyTo: HTTP_FILTER
      match:
        context: GATEWAY
        listener:
          portNumber: 443
      patch:
        operation: INSERT_BEFORE
        value:
          name: "envoy.ext_authz"
          config:
            http_service:
              server_uri:
                uri: http://oauthproxy-service.oauth2-proxy.svc.cluster.local
                cluster: outbound|4180||oauthproxy-service.oauth2-proxy.svc.cluster.local
                timeout: 1.5s
              # headers copied from the client request into the check request sent to oauth2_proxy
              authorizationRequest:
                allowedHeaders:
                  patterns:
                  - exact: "cookie"
                  - exact: "x-forwarded-access-token"
                  - exact: "x-forwarded-user"
                  - exact: "x-forwarded-email"
                  - exact: "authorization"
                  - exact: "x-forwarded-proto"
                  - exact: "proxy-authorization"
                  - exact: "user-agent"
                  - exact: "x-forwarded-host"
                  - exact: "from"
                  - exact: "x-forwarded-for"
                  - exact: "accept"
                  - prefix: "x-forwarded"
                  - prefix: "x-auth-request"
              authorizationResponse:
                # headers from a denied check response that are returned to the client (e.g. the redirect)
                allowedClientHeaders:
                  patterns:
                  - exact: "location"
                  - exact: "proxy-authenticate"
                  - exact: "set-cookie"
                  - exact: "authorization"
                  - exact: "www-authenticate"
                  - prefix: "x-forwarded"
                  - prefix: "x-auth-request"
                # headers from an allowed check response that are forwarded to the upstream service
                allowedUpstreamHeaders:
                  patterns:
                  - exact: "location"
                  - exact: "proxy-authenticate"
                  - exact: "set-cookie"
                  - exact: "authorization"
                  - exact: "www-authenticate"
                  - prefix: "x-forwarded"
                  - prefix: "x-auth-request"
```

What could I be doing wrong, and how should I go about debugging this?


Did you manage to find a solution for this?

I’ve had better luck when being explicit on the filter under the listener that I want to INSERT_BEFORE or INSERT_AFTER.
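As an added illustration of what the reply above means by being explicit about the listener filter (not a config from the original post, and not confirmed on this page to resolve the 1.5.1 issue): the match names the HTTP connection manager and the `envoy.router` sub-filter so the INSERT_BEFORE has an unambiguous anchor, and the filter body uses `typed_config` with the ext_authz v2 type URL. The `namespace` and the shortened header lists are assumptions; the original filter's full header lists would be carried over unchanged.

```yaml
apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
  name: authn-filter
  namespace: istio-system   # assumption: the ingress gateway runs in istio-system
spec:
  workloadSelector:
    labels:
      app: istio-ingressgateway
  configPatches:
    - applyTo: HTTP_FILTER
      match:
        context: GATEWAY
        listener:
          portNumber: 443
          filterChain:
            filter:
              name: envoy.http_connection_manager
              subFilter:
                name: envoy.router   # explicit anchor: insert just before the terminal router filter
      patch:
        operation: INSERT_BEFORE
        value:
          name: envoy.ext_authz
          typed_config:
            "@type": type.googleapis.com/envoy.config.filter.http.ext_authz.v2.ExtAuthz
            # keep fail-closed: if oauth2_proxy is unreachable or times out, the request is denied
            failure_mode_allow: false
            http_service:
              server_uri:
                uri: http://oauthproxy-service.oauth2-proxy.svc.cluster.local
                cluster: outbound|4180||oauthproxy-service.oauth2-proxy.svc.cluster.local
                timeout: 1.5s
              authorization_request:
                allowed_headers:
                  patterns:
                    - exact: cookie          # session cookie set by oauth2_proxy
                    - exact: authorization
                    - prefix: x-forwarded
              authorization_response:
                allowed_upstream_headers:
                  patterns:
                    - exact: authorization
                    - prefix: x-auth-request # identity headers oauth2_proxy adds on success
                allowed_client_headers:
                  patterns:
                    - exact: location        # needed for the login redirect on a 302 deny
                    - exact: set-cookie
```

To check whether the patch actually landed, dump the gateway's listener config with `istioctl proxy-config listener <ingressgateway-pod> -n istio-system -o json` and look for `envoy.ext_authz` in the port 443 HTTP filter chain ahead of `envoy.router`; if it is absent, the match did not select the listener and the filter is silently not applied.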