Istio ExtAuthz with Oauth2-proxy removing headers in upstream

Hi there,

I am trying to set up Istio with Oauth2-proxy and Keycloak.
The authentication works, but for some reason Istio is removing headers sent to the upstream after successful authentication.

Here is my config:

apiVersion: install.istio.io/v1alpha1
kind: IstioOperator
metadata:
  namespace: istio-system
  name: default
spec:
  hub: docker.io/istio
  tag: 1.10.0
  profile: default

  meshConfig:
    extensionProviders:
    - name: "oauth"
      envoyExtAuthzHttp:
        service: "oauth-oauth2-proxy.oauth.svc.cluster.local"
        port: 80
        includeHeadersInCheck:
          - authorization
          - cookie
        headersToUpstreamOnAllow:
          - authorization
          - path
          - cookie
          - x-auth-request-access-token
          - x-auth-request-user
          - x-auth-request-email
        headersToDownstreamOnDeny:
          - content-type
          - set-cookie
        includeAdditionalHeadersInCheck:
          X-Auth-Request-Redirect: '%REQ(x-forwarded-proto)%://%REQ(:authority)%%REQ(:path)%'

  components:
    ingressGateways:
    - name: istio-ingressgateway
      enabled: true
      k8s:
        overlays:
          - apiVersion: apps/v1
            kind: Deployment
            name: istio-ingressgateway
            patches:
              - path: kind
                value: DaemonSet
              - path: spec.strategy
              - path: spec.updateStrategy
                value:
                  rollingUpdate:
                    maxUnavailable: 33%
                  type: RollingUpdate
              - path: spec.template.spec.containers.[name:istio-proxy].ports.[containerPort:8080].hostPort
                value: 80
              - path: spec.template.spec.containers.[name:istio-proxy].ports.[containerPort:8443].hostPort
                value: 443

This is the RequestAuthentication config:

apiVersion: security.istio.io/v1beta1
kind: RequestAuthentication
metadata:
  name: require-jwt
  namespace: frontend
spec:
  jwtRules:
    - issuer: "https://keycloak.example.com/auth/realms/example"
      jwksUri: "https://keycloak.example.com/auth/realms/example/protocol/openid-connect/certs"

And here’s the AuthorizationPolicy:

apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: require-jwt
  namespace: frontend
spec:
  action: CUSTOM
  provider:
    name: "oauth"
  rules:
  - to:
    - operation:
        paths: ["*"]

Any idea please?
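To make the header flow that the envoyExtAuthzHttp provider above configures concrete, here is an added Python model of it; this is illustration code written for this thread, not Istio, Envoy or oauth2-proxy code. It implements the two allow-lists literally as Istio documents them: includeHeadersInCheck and includeAdditionalHeadersInCheck decide what the proxy sends to the authorization service (with %REQ(...)% expanded from the client request), and headersToUpstreamOnAllow names headers of the authorization service's response, not of the client request, that get added to the original request on an HTTP 200; client headers are otherwise forwarded unchanged. The sample request and the two oauth2-proxy responses are constructed placeholders.

```python
import re

# Allow-lists copied from the envoyExtAuthzHttp provider in the question,
# lower-cased because Envoy matches header names case-insensitively.
INCLUDE_HEADERS_IN_CHECK = {"authorization", "cookie"}
INCLUDE_ADDITIONAL_HEADERS_IN_CHECK = {
    "x-auth-request-redirect": "%REQ(x-forwarded-proto)%://%REQ(:authority)%%REQ(:path)%",
}
HEADERS_TO_UPSTREAM_ON_ALLOW = {
    "authorization", "path", "cookie", "x-auth-request-access-token",
    "x-auth-request-user", "x-auth-request-email",
}
HEADERS_TO_DOWNSTREAM_ON_DENY = {"content-type", "set-cookie"}

_REQ_OPERATOR = re.compile(r"%REQ\(([^)]+)\)%")


def expand_req(template: str, request: dict) -> str:
    """Replace each %REQ(name)% with the client request header of that name
    (pseudo-headers such as :path included); a missing header expands to ""."""
    return _REQ_OPERATOR.sub(lambda m: request.get(m.group(1).lower(), ""), template)


def build_check_request(request: dict) -> dict:
    """Headers the gateway/sidecar sends to the authorization service.
    :method, :path, :authority and content-length are always sent; other client
    headers go only if named in includeHeadersInCheck; the check carries no body."""
    check = {name: request[name] for name in (":method", ":path", ":authority") if name in request}
    check["content-length"] = "0"
    check.update({n: v for n, v in request.items() if n in INCLUDE_HEADERS_IN_CHECK})
    for name, template in INCLUDE_ADDITIONAL_HEADERS_IN_CHECK.items():
        check[name] = expand_req(template, request)
    return check


def apply_authz_result(request: dict, status: int, authz_headers: dict) -> dict:
    """Decide where the request goes after the check and which headers travel.
    Allowed means exactly HTTP 200 from the authorization service."""
    authz_headers = {n.lower(): v for n, v in authz_headers.items()}
    if status == 200:
        # The original client headers are forwarded unchanged; on top of them,
        # only the authz *response* headers named in headersToUpstreamOnAllow
        # are added (or override a same-named client header).
        upstream = dict(request)
        upstream.update({n: v for n, v in authz_headers.items()
                         if n in HEADERS_TO_UPSTREAM_ON_ALLOW})
        return {"target": "upstream", "status": None, "headers": upstream}
    # Denied: the authz status goes back to the client together with only the
    # authz response headers named in headersToDownstreamOnDeny (model only;
    # anything else in the response is dropped here).
    downstream = {n: v for n, v in authz_headers.items()
                  if n in HEADERS_TO_DOWNSTREAM_ON_DENY}
    return {"target": "downstream", "status": status, "headers": downstream}


# Constructed sample traffic (placeholders, not captured data).
CLIENT_REQUEST = {
    ":method": "GET", ":path": "/dashboard", ":authority": "app.example.com",
    "x-forwarded-proto": "https", "cookie": "_oauth2_proxy=SESSION_PLACEHOLDER",
    "user-agent": "Mozilla/5.0", "accept": "text/html",
}
ALLOW_RESPONSE = (200, {
    "X-Auth-Request-User": "alice", "X-Auth-Request-Email": "alice@example.com",
    "X-Auth-Request-Access-Token": "TOKEN_PLACEHOLDER",
    "Authorization": "Bearer TOKEN_PLACEHOLDER",
    "X-Authz-Debug": "constructed header not in headersToUpstreamOnAllow, so dropped",
})
DENY_RESPONSE = (401, {
    "Content-Type": "text/html; charset=utf-8",
    "Set-Cookie": "_oauth2_proxy_csrf=CSRF_PLACEHOLDER; Path=/; HttpOnly",
    "X-Authz-Debug": "constructed header not in headersToDownstreamOnDeny, so dropped",
})


def run_demo():
    """Return (check request, allowed outcome, denied outcome) for the sample."""
    check = build_check_request(CLIENT_REQUEST)
    allowed = apply_authz_result(CLIENT_REQUEST, *ALLOW_RESPONSE)
    denied = apply_authz_result(CLIENT_REQUEST, *DENY_RESPONSE)
    return check, allowed, denied


if __name__ == "__main__":
    for label, result in zip(("check request", "allowed", "denied"), run_demo()):
        print(f"{label}: {result}")
```

Two things the model makes visible: the check request only carries cookie and authorization from the client plus the expanded X-Auth-Request-Redirect, and on allow the upstream request keeps every client header and gains only the x-auth-request-* and authorization values that oauth2-proxy returned. Separately from the ext_authz provider, an Istio RequestAuthentication jwtRule strips the validated JWT from the Authorization header before the request reaches the workload unless the rule sets forwardOriginalToken: true (an Istio default, stated here as general background rather than as a diagnosis of this thread).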

Hi,

Do you know which header will be removed? In the past I had an issue with the oauth2-proxy when configuring Keycloak and using it with OIDC.

Hi @beatrausch,

All headers are being removed but only from the browser.
I am following it also here