Can LDAP features be integrated with Istio to provide user authentication? We basically want to use Istio on top of our existing services. Our goal is to make Istio authenticate with LDAP for the list of users and their passwords. And based on this data, Istio should route the request to the appropriate service. Is there any utility through which this can be done?
If LDAP can't be integrated with Istio, are there any other ways to have user authentication in Istio?
Your question, I think, boils down to two parts.
- LDAP based user authentication functionality. I think you might want to look into ext_authz, and have some remote service as LDAP broker, handling the credential/redirect, etc. E.g. https://github.com/istio-ecosystem/authservice is an example for OIDC based user authentication.
- Routing based on self-defined metadata attributes. There’s an ongoing design proposal, https://drive.google.com/open?id=1g3AJNYwbh04-BVajshmcWpeLyGUanbRnihIXU6uIiOY, but it is still at an early stage.
Hope this helps
Thank you for your suggestions! It indeed helps.
I’m going ahead with the first option that you have suggested: https://github.com/istio-ecosystem/authservice.
However, I’m new to OIDC authentication. I have set up Keycloak on my k8s cluster and I’m trying to fill in the values in the template here:
https://github.com/istio-ecosystem/authservice/blob/cfa3529c771d359a28f269abd7808bf64a68bcf4/bookinfo-example/config/authservice-configmap-template-for-authn.yaml
This requires values like the authorization_uri, token_uri, callback_uri etc. to be substituted.
Can you please let me know how and from where these values can be fetched and replaced? Any help would be appreciated!
Thanks!
I was able to get these values from the keycloak console itself. Thanks.
I’m also trying to integrate the same flow, but I’m not able to find the token_uri and callback_uri anywhere in the Keycloak console. Can you please let me know where I can get these values in the Keycloak console. Thanks.
Navigate to your realm on the Keycloak console and you will have a link like:
Endpoints: OpenID Endpoint Configuration
You can also get it from this endpoint:
https://<keycloak-domain.com>/auth/realms/<realm>/.well-known/openid-configuration
Attaching the image for reference:
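As an added illustration (not code from this thread or from the authservice project), the script below shows how the discovery document served at that .well-known URL maps onto the template values discussed above: authorization_uri comes from authorization_endpoint, token_uri from token_endpoint, while callback_uri is not a Keycloak value at all but the redirect URL on your own application that you register in the Keycloak client. The sample discovery document, the hostname keycloak.example.com, the realm name demo, and the jwks_uri output key are assumptions for the example.

```python
import json
from urllib.parse import urlparse

# Constructed sample of what Keycloak serves at
# https://<keycloak-domain.com>/auth/realms/<realm>/.well-known/openid-configuration
# (hostname and realm are made up for this example).
SAMPLE_DISCOVERY = json.dumps({
    "issuer": "https://keycloak.example.com/auth/realms/demo",
    "authorization_endpoint": "https://keycloak.example.com/auth/realms/demo/protocol/openid-connect/auth",
    "token_endpoint": "https://keycloak.example.com/auth/realms/demo/protocol/openid-connect/token",
    "jwks_uri": "https://keycloak.example.com/auth/realms/demo/protocol/openid-connect/certs",
})


def discovery_url(keycloak_base: str, realm: str) -> str:
    """Build the OIDC discovery URL for a Keycloak realm (legacy /auth prefix)."""
    return f"{keycloak_base.rstrip('/')}/auth/realms/{realm}/.well-known/openid-configuration"


def authservice_values(discovery_json: str, expected_issuer: str, callback_uri: str) -> dict:
    """Map a discovery document onto the authservice template keys.

    Refuses documents whose issuer does not match the realm we expect and
    any endpoint that is not served over https, so a misconfigured or
    spoofed discovery response cannot silently redirect the login flow.
    """
    doc = json.loads(discovery_json)
    if doc.get("issuer") != expected_issuer:
        raise ValueError(f"issuer mismatch: {doc.get('issuer')!r} != {expected_issuer!r}")
    for key in ("authorization_endpoint", "token_endpoint", "jwks_uri"):
        parsed = urlparse(doc[key])
        if parsed.scheme != "https" or not parsed.netloc:
            raise ValueError(f"{key} must be an absolute https URL, got {doc[key]!r}")
    if urlparse(callback_uri).scheme != "https":
        raise ValueError("callback_uri must be https; it is the redirect registered in the Keycloak client")
    return {
        "authorization_uri": doc["authorization_endpoint"],
        "token_uri": doc["token_endpoint"],
        "callback_uri": callback_uri,          # chosen by you, not by Keycloak
        "jwks_uri": doc["jwks_uri"],           # assumed extra key, used to verify id_token signatures
    }


if __name__ == "__main__":
    print(discovery_url("https://keycloak.example.com", "demo"))
    print(json.dumps(authservice_values(SAMPLE_DISCOVERY,
                                        "https://keycloak.example.com/auth/realms/demo",
                                        "https://bookinfo.example.com/oauth/callback"), indent=2))
```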
Thank you so much for your response. I was able to get all the configuration to set up the authservice. After login from Keycloak, the authservice is able to get the authorization code, but the authservice fails to exchange the authorization code for an access token with Keycloak. Are you also facing this issue? I’ve also created a GitHub issue with more explanation.