Istio Authorization with Internal Service

Hi everyone.
I currently need that every time a service is required to be accessed, you must first verify in another internal service if you are logged in.
There is currently the logon logic within my service.
My question is: how can I do that if I want to consume another service within my network? First I will validate that the login exists. The service offers a 200 or a 401.

I’m looking for options with EnvoyFilter but I can’t find a solution.

It is something similar to an authentication with Auth0 but this time I must validate against an internal service.

If you can help me, I would greatly appreciate it.

I think you can use EnvoyFilter to deploy an ext_authz filter to talk to your other service.

Do you have any examples of what I need? I tried to implement EnvoyFilter but it doesn’t work as it should.

Do you have any examples of what I need?

I don’t have a working example, but a quick search on discuss.io shows some examples: EnvoyFilter - ext_authz for istio 1.3

I have applied the yaml making the respective modifications based on my service.
But I don’t see that it’s working. Do you know how I can see if there is an error?

I have just gone over this myself, was not able to get it to work on the GATEWAY, which is what I had wanted, but did work on the SIDECAR. The response to that thread is pretty much what I have working. I had some logging on the 2 service to see the requests. To verify I removed the active login (flushed redis cache backing the authentication) and was logged out from the front end.

You can show me what you have done, I am very lost in this filter that I require

---
apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
  name: service
spec:
  workloadSelector:
    labels:
      app: service
  configPatches: 
    - applyTo: HTTP_FILTER
      match:
        context: SIDECAR_INBOUND
        listener:
          filterChain:
            filter:
              name: "envoy.http_connection_manager"
              subFilter:
                name: "envoy.router"
      patch:
        operation: INSERT_BEFORE
        value:
          name: envoy.ext_authz
          config:
             http_service:
              authorizationRequest:
                allowedHeaders:
                  patterns:
                  - exact: authorization
                  - exact: cookie
                  - exact: x-envoy-external-address
                  - exact: x-forwarded-for
              authorizationResponse:
                allowedClientHeaders:
                  patterns:
                  - exact: authorization
                  - exact: location
                  - exact: proxy-authenticate
                  - exact: set-cookie
                  - exact: www-authenticate
                allowedUpstreamHeaders:
                  patterns:
                  - exact: authorization
                  - exact: location
                  - exact: proxy-authenticate
                  - exact: set-cookie
                  - exact: www-authenticate          
              path_prefix: /authroute
              server_uri:
                uri: http://auth.ns.svc.cluster.local:1234
                cluster: outbound|1234||auth.ns.svc.cluster.local
                timeout: 1s

In the workloadSelector, when you call the app, is the name of the app you are referring to a service? Is it the same EnfoyFilter?

service == app

This is the app that needs authentication. auth is the name of the service doing the authentication and ns is the name of the namespace where the auth server lives. just put the filter in the same namespace as your app.

I have copied your code and add my service. But I still have the doubt of the app inside the workloadSelector

apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
  name: service
spec:
  workloadSelector:
    labels:
      app: service
  configPatches: 
    - applyTo: HTTP_FILTER
      match:
        context: SIDECAR_INBOUND
        listener:
          filterChain:
            filter:
              name: "envoy.http_connection_manager"
              subFilter:
                name: "envoy.router"
      patch:
        operation: INSERT_BEFORE
        value:
          name: envoy.ext_authz
          config:
             http_service:
              authorizationRequest:
                allowedHeaders:
                  patterns:
                  - exact: authorization
                  - exact: cookie
                  - exact: x-envoy-external-address
                  - exact: x-forwarded-for
              authorizationResponse:
                allowedClientHeaders:
                  patterns:
                  - exact: authorization
                  - exact: location
                  - exact: proxy-authenticate
                  - exact: set-cookie
                  - exact: www-authenticate
                allowedUpstreamHeaders:
                  patterns:
                  - exact: authorization
                  - exact: location
                  - exact: proxy-authenticate
                  - exact: set-cookie
                  - exact: www-authenticate          
              path_prefix: /authroute
              server_uri:
                uri: http://autenticacion-back-authservices.testing.svc.cluster.local:80
                cluster: outbound|80||autenticacion-back-authservices.testing.svc.cluster.local
                timeout: 1s

that is a label on your app. any pod that has that label will have the envoyfilter applied.

it doesn’t have to be app, you could label all your workloads with:
auth: true

So, if I want to apply the lock to another service, in the app I only put in the name of this service. Is that correct?

So is my EnvoyFilter.
But when I see the logs of my istio gateway, I only get a 200 response. At no time does it access the filtering service.
It’s wrong ? Or am I misunderstanding how it works?

apiVersion: networking.istio.io/v1alpha3
    kind: EnvoyFilter
    metadata:
      name: service
      namespace: testing
    spec:
      workloadSelector:
        labels:
          app: back-test #this is other service
      configPatches: 
        - applyTo: HTTP_FILTER
          match:
            context: SIDECAR_INBOUND
            listener:
              filterChain:
                filter:
                  name: "envoy.http_connection_manager"
                  subFilter:
                    name: "envoy.router"
          patch:
            operation: INSERT_BEFORE
            value:
              name: envoy.ext_authz
              config:
                 http_service:
                  authorizationRequest:
                    allowedHeaders:
                      patterns:
                      - exact: authorization
                      - exact: cookie
                      - exact: x-envoy-external-address
                      - exact: x-forwarded-for
                  authorizationResponse:
                    allowedClientHeaders:
                      patterns:
                      - exact: authorization
                      - exact: location
                      - exact: proxy-authenticate
                      - exact: set-cookie
                      - exact: www-authenticate
                    allowedUpstreamHeaders:
                      patterns:
                      - exact: authorization
                      - exact: location
                      - exact: proxy-authenticate
                      - exact: set-cookie
                      - exact: www-authenticate          
                  path_prefix: /validate
                  server_uri:
                    uri: http://autenticacion-back-authservices.testing.svc.cluster.local:80
                    cluster: outbound|80||autenticacion-back-authservices.testing.svc.cluster.local
                    timeout: 1s

so both your app and the authentication service are in the testing namespace. you have envoy sidecar added to the back-test pod? I am using auto sidecar injection. this seems like it should be working.

I currently have no sidecar configured. Should I create a yaml sidecar to make it work?

in namespace I only have istio-injection = enabled

do your pods have an istio-proxy container added? they should. if so you can log on to them and curl localhost:15001/clusters to make sure your auth cluster is available.

how can i do that ? Im new in this theme