Istio AuthService not redirecting on initial request (or ever, as far as that goes)

I am attempting to integrate OIDC with Istio using the AuthService project. I’ve been following the bookinfo-example with the one big change being that I’m trying to use Azure AAD’s OIDC support for my IDP instead of Google. However, I’ve as yet been unable to get the AuthService to redirect my request to the IDP for sign-in. If I leave the RequestAuthentication and AuthorizationPolicy objects undeployed, then I’m able to access the /productpage with no problem (but with no redirect to login) and if I do deploy those objects, I’m simply met with an “Access Denied” error (and, again, no redirect for login).

Here’s what my setup looks like so far:

K8S: Azure Kubernetes Service
Istio: 1.18.2
Authservice: 0.5.3
  1. authservice and bookinfo pods are deployed, everything is running, and Istio sidecars are injected:
    
    kubectl -n default get pods

    NAME                              READY   STATUS    RESTARTS   AGE
    authservice-6bbff64c85-mblwn      2/2     Running   0          20m
    details-v1-6997d94bb9-xblrj       2/2     Running   0          55m
    productpage-v1-58b4c9bff8-n2rfz   2/2     Running   0          55m
    ratings-v1-b8f8fcf49-s7kqt        2/2     Running   0          55m
    reviews-v1-5896f547f5-t9htt       2/2     Running   0          55m
    reviews-v2-5d99885bc9-qcd8h       2/2     Running   0          55m
    reviews-v3-589cb4d56c-gw7xj       2/2     Running   0          55m

  1. I’ve made the change to the Mesh config to enable the envoyExtAuthzGrpc extensionProvider for the AuthService:
    kubectl edit cm -n istio-system

    mesh: |-
      accessLogFile: /dev/stdout
      extensionProviders:
      - name: "authservice-grpc"
        envoyExtAuthzGrpc:
          service: authservice.default.svc.cluster.local
          port: "10003"
      defaultConfig:
        concurrency: 16
        discoveryAddress: istiod.istio-system.svc:15012
        image:
...

  1. The authservice container looks to be in OK shape. The readiness probe failed a few times as it was starting, but it shows as “Ready” now. Everything else seems to look good at first blush:
    Containers:
      authservice:
       Container ID:   containerd://74486624f79cf357f98244e84f53187506391ce2d715ef73d255375a6710f846
       Image:          dtr.mycompany.com/prhodes1/authservice:0.5.3
       Image ID:       dtr.mycompany.com/prhodes1/authservice@sha256:eeb082929ebf22bebd3141f23916694add1e4ab607b2c15ffa30a919998a6528
       Port:           10003/TCP
       Host Port:      0/TCP
       State:          Running
        Started:      Mon, 16 Oct 2023 14:38:24 -0400
       Ready:          True
       Restart Count:  0
       Readiness:      http-get http://:15020/app-health/authservice/readyz delay=0s timeout=1s period=10s #success=1 #failure=3
  1. The Gateway seems OK. And I can access the page via the Gateway OK, as long as the RequestAuthentication and AuthorizationPolicy aren’t deployed, so I don’t think there’s any issue here:
    kubectl -n default describe gw
    Name:         bookinfo-gateway
    Namespace:    default
    Labels:       
    Annotations:  
    API Version:  networking.istio.io/v1beta1
    Kind:         Gateway
    Metadata:
      Creation Timestamp:  2023-10-16T18:38:22Z
      Generation:          1
      Resource Version:    59762766
      UID:                 9ab0c00c-892f-4ad1-99da-7f04e1e9b877
    Spec:
      Selector:
        Istio:  ingressgateway
      Servers:
        Hosts:
          istio-oidc.mycompany.com
        Port:
          Name:      https-443
          Number:    443
          Protocol:  HTTPS
        Tls:
          Credential Name:  ingress-tls-cert
          Mode:             SIMPLE
    Events:                 

  1. My values.yaml looks like this:
    authservice:
      image: dtr.mycompany.com/prhodes1/authservice:0.5.3
      # image: ghcr.io/istio-ecosystem/authservice/authservice:0.5.3
      # How the authservice will be enabled and enforced.
      # This can be at ingress (by default) or at application sidecar.
      enforcingMode: ingress
    
    oidc:
      idpURL: https://account.microsoft.com/account/Account
      authorizationURI: "https://login.microsoftonline.com/organizations/oauth2/v2.0/authorize"
      tokenURI: "https://login.microsoftonline.com/organizations/oauth2/v2.0/token"
      clientID: your-client-id
      clientSecret: your-client-secret
      # JSON string containing the identity provider's public key for validating id token.
      # jwks: "<>"

EDIT: I thought maybe the problem was that I didn’t have the EnvoyFilter, declared in “productpage-external-authz-envoyfilter-sidecar.yaml”, deployed. The README doesn’t seem to mention that file, so not sure if it’s needed by default or not. But I deployed that and it didn’t make any difference, FWIW.

Anybody have any thoughts on what could be going on here?
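The one object the post does not show is the AuthorizationPolicy itself, and that is where a redirect-less 403 usually comes from: only a policy with `action: CUSTOM` ever calls out to the `authservice-grpc` extension provider, while an ALLOW policy that requires `requestPrincipals` simply rejects an unauthenticated browser request with 403 and nothing redirects. With `enforcingMode: ingress`, both the RequestAuthentication and the CUSTOM policy also have to sit on the ingress gateway in `istio-system`, not on the productpage sidecar. The following is an added example, not code from the original post or from the authservice project. The object names, the `<tenant-id>` placeholder and the tenant-specific issuer/JWKS URLs are assumptions; the provider name, gateway selector and host are taken from the mesh config and Gateway shown above.

```yaml
# Added example, not from the original post or the authservice project.
# Ingress-mode enforcement: both objects live in istio-system and select the
# ingress gateway, so the browser is redirected before it reaches productpage.
# Assumed names: azure-ad-jwt / authservice-ingress; <tenant-id> is a placeholder.
apiVersion: security.istio.io/v1beta1
kind: RequestAuthentication
metadata:
  name: azure-ad-jwt
  namespace: istio-system
spec:
  selector:
    matchLabels:
      istio: ingressgateway
  jwtRules:
  # Issuer and JWKS must be the tenant-specific values that appear in the
  # id_token; the "organizations" authorize/token URIs in values.yaml are
  # not the issuer. <tenant-id> is an assumption, not a value from the post.
  - issuer: "https://login.microsoftonline.com/<tenant-id>/v2.0"
    jwksUri: "https://login.microsoftonline.com/<tenant-id>/discovery/v2.0/keys"
    forwardOriginalToken: true
---
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: authservice-ingress
  namespace: istio-system
spec:
  selector:
    matchLabels:
      istio: ingressgateway
  # CUSTOM is the only action that invokes an extension provider.
  action: CUSTOM
  provider:
    # Must match extensionProviders[].name in the istio ConfigMap exactly.
    name: authservice-grpc
  rules:
  - to:
    - operation:
        # Host from the Gateway above; requests to this host go to authservice.
        hosts: ["istio-oidc.mycompany.com"]
```

A quick way to tell the two failure modes apart is the ingress gateway access log, which the mesh config above already sends to stdout: a 403 that carries Envoy's `UAEX` response flag was produced by the ext_authz filter (authservice answered "deny", or could not be reached and the filter failed closed), whereas a 403 without that flag never reached authservice at all and points at an ALLOW/DENY policy or a provider name that does not match the ConfigMap.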