How can I redirect traffic based on the user's identity?

Hi everyone,

I’m working on a solution to redirect traffic to specific workloads based on a user’s identity. However, I have some doubts about my initial approach and whether there might be a more efficient method for achieving my goal.

My current approach is as follows:

  1. User makes a request, which then reaches an Istio Gateway equipped with 2 WASM Filters.
  2. First WASM Filter ensures that the request has a JWT, if not, request is redirected to a Keycloak
  3. Second WASM Filter ensures that user has another JWT with some personal data that Keycloak can’t reach. If user don’t have that token, then is redirected to a microsvc that makes a query to a DDBB and generates the JWT with the result of the query.
  4. Now we have all we need, the request proceeds to the VirtualService.
  5. The VirtualService is equipped with a RequestAuthentication and AuthorizationPolicy, both of which are linked to it to validate the second JWT.
  6. The VirtualService then determines the appropriate destination application based on the contents of the JWT.

I’ve made a diagram to clarify these steps.

While this outlines my current approach, I am uncertain whether I am proceeding in the most optimal manner or if there exists a better alternative. Moreover, I am unsure about the feasibility of the third step, specifically how to pass the JWT generated by the microservice back to the initial request.

BTW, would it be possible to query the database directly from the WASM Plugin, thus eliminating the need for a separate microservice for this purpose?