How can I redirect traffic based on the user's identity?

Hi everyone,

I’m working on a solution to redirect traffic to specific workloads based on a user’s identity. However, I have some doubts about my initial approach and whether there might be a more efficient method for achieving my goal.

My current approach is as follows:

  1. User makes a request, which then reaches an Istio Gateway equipped with 2 WASM Filters.
  2. The first WASM filter ensures that the request has a JWT; if not, the request is redirected to Keycloak.
  3. The second WASM filter ensures that the user has another JWT with some personal data that Keycloak can’t reach. If the user doesn’t have that token, they are redirected to a microservice that queries a database and generates the JWT from the result of the query.
  4. Now we have all we need, the request proceeds to the VirtualService.
  5. The VirtualService is equipped with a RequestAuthentication and AuthorizationPolicy, both of which are linked to it to validate the second JWT.
  6. The VirtualService then determines the appropriate destination application based on the contents of the JWT.

I’ve made a diagram to clarify these steps.

While this outlines my current approach, I am uncertain whether I am proceeding in the most optimal manner or if there exists a better alternative. Moreover, I am unsure about the feasibility of the third step, specifically how to pass the JWT generated by the microservice back to the initial request.

BTW, would it be possible to query the database directly from the WASM Plugin, thus eliminating the need for a separate microservice for this purpose?

Thanks
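As an added example, not taken from the original post, the Istio configuration behind steps 5 and 6 looks like this: a RequestAuthentication that validates the second JWT at the ingress gateway, an AuthorizationPolicy that rejects requests carrying no valid token, and a VirtualService that routes on a verified claim. Note that RequestAuthentication and AuthorizationPolicy attach to a workload (here the ingress gateway) via a selector rather than to the VirtualService; the issuer, JWKS URL, hostname, Gateway name, service names and the `tier` claim are assumed placeholders.

```yaml
# RequestAuthentication: validate the second JWT at the ingress gateway.
apiVersion: security.istio.io/v1beta1
kind: RequestAuthentication
metadata:
  name: profile-jwt
  namespace: istio-system
spec:
  selector:
    matchLabels:
      istio: ingressgateway
  jwtRules:
  - issuer: "https://profile-issuer.example.internal"           # placeholder
    jwksUri: "https://profile-issuer.example.internal/jwks.json" # placeholder
---
# AuthorizationPolicy: deny requests with no valid JWT, so routing only sees verified claims.
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: require-profile-jwt
  namespace: istio-system
spec:
  selector:
    matchLabels:
      istio: ingressgateway
  rules:
  - from:
    - source:
        requestPrincipals: ["*"]   # any principal, but only from a validated JWT
---
# VirtualService: route on the verified "tier" claim (assumed claim name); gateway-only feature.
apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata:
  name: by-identity
spec:
  hosts:
  - "app.example.com"          # placeholder host
  gateways:
  - istio-system/app-gateway   # placeholder Gateway name
  http:
  - match:
    - headers:
        "@request.auth.claims.tier":
          exact: premium
    route:
    - destination:
        host: premium-svc.default.svc.cluster.local
  - route:
    - destination:
        host: standard-svc.default.svc.cluster.local
```

RequestAuthentication on its own only rejects requests whose JWT is invalid and lets requests with no JWT through, which is why the AuthorizationPolicy with `requestPrincipals: ["*"]` is needed before any claim-based routing. Matching on `@request.auth.claims.<name>` headers is supported on Istio gateways, not on sidecars.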