I am attempting to integrate OIDC with Istio using the AuthService project. I’ve been following the bookinfo-example with the one big change being that I’m trying to use Azure AAD’s OIDC support for my IDP instead of Google. However, I’ve as yet been unable to get the AuthService to redirect my request to the IDP for sign-in. If I leave the RequestAuthentication and AuthorizationPolicy objects undeployed, then I’m able to access the /productpage with no problem (but with no redirect to login) and if I do deploy those objects, I’m simply met with an “Access Denied” error (and, again, no redirect for login).
Here’s what my setup looks like so far:
K8S: Azure Kubernetes Service Istio: 1.18.2 Authservice: 0.5.3
- authservice and bookinfo pods are deployed, everything is running, and Istio sidecars are injected:
kubectl -n default get pods NAME READY STATUS RESTARTS AGE authservice-6bbff64c85-mblwn 2/2 Running 0 20m details-v1-6997d94bb9-xblrj 2/2 Running 0 55m productpage-v1-58b4c9bff8-n2rfz 2/2 Running 0 55m ratings-v1-b8f8fcf49-s7kqt 2/2 Running 0 55m reviews-v1-5896f547f5-t9htt 2/2 Running 0 55m reviews-v2-5d99885bc9-qcd8h 2/2 Running 0 55m reviews-v3-589cb4d56c-gw7xj 2/2 Running 0 55m
- I’ve made the change to the Mesh config to enable the envoyExtAuthzGrpc extensionProvider for the AuthService:
kubectl edit cm -n istio-system mesh: |- accessLogFile: /dev/stdout extensionProviders: - name: "authservice-grpc" envoyExtAuthzGrpc: service: authservice.default.svc.cluster.local port: "10003" defaultConfig: concurrency: 16 discoveryAddress: istiod.istio-system.svc:15012 image: ...
- The authservice container looks to be in OK shape. The readiness probe failed a few times as it was starting, but it shows as “Ready” now. Everything else seems to look good at first blush:
Containers: authservice: Container ID: containerd://74486624f79cf357f98244e84f53187506391ce2d715ef73d255375a6710f846 Image: dtr.mycompany.com/prhodes1/authservice:0.5.3 Image ID: dtr.mycompany.com/prhodes1/authservice@sha256:eeb082929ebf22bebd3141f23916694add1e4ab607b2c15ffa30a919998a6528 Port: 10003/TCP Host Port: 0/TCP State: Running Started: Mon, 16 Oct 2023 14:38:24 -0400 Ready: True Restart Count: 0 Readiness: http-get http://:15020/app-health/authservice/readyz delay=0s timeout=1s period=10s #success=1 #failure=3
- The Gateway seems OK. And I can access the page via the Gateway OK, as long as the RequestAuthentication and AuthorizationPolicy aren’t deployed, so I don’t think there’s any issue here:
kubectl -n default describe gw Name: bookinfo-gateway Namespace: default Labels: Annotations: API Version: networking.istio.io/v1beta1 Kind: Gateway Metadata: Creation Timestamp: 2023-10-16T18:38:22Z Generation: 1 Resource Version: 59762766 UID: 9ab0c00c-892f-4ad1-99da-7f04e1e9b877 Spec: Selector: Istio: ingressgateway Servers: Hosts: istio-oidc.mycompany.com Port: Name: https-443 Number: 443 Protocol: HTTPS Tls: Credential Name: ingress-tls-cert Mode: SIMPLE Events:
- My values.yaml looks like this:
authservice: image: dtr.mycompany.com/prhodes1/authservice:0.5.3 # image: ghcr.io/istio-ecosystem/authservice/authservice:0.5.3 # How the authservice will be enabled and enforced. # This can be at ingress (by default) or at application sidecar. enforcingMode: ingress oidc: idpURL: https://account.microsoft.com/account/Account authorizationURI: "https://login.microsoftonline.com/organizations/oauth2/v2.0/authorize" tokenURI: "https://login.microsoftonline.com/organizations/oauth2/v2.0/token" clientID: your-client-id clientSecret: your-client-secret # JSON string containing the identity provider's public key for validating id token. # jwks: "<>"
EDIT: I thought maybe the problem was that I didn’t have the EnvoyFilter, declared in “productpage-external-authz-envoyfilter-sidecar.yaml”, deployed. The README doesn’t seem to mention that file, so not sure if it’s needed by default or not. But I deployed that and it didn’t make any different, FWIW.
Anybody have any thoughts on what could be going on here?