Hi,
I configured Istio to use envoyExtAuthzHttp with oauth2-proxy for authentication and configured all the parameters below on oauth2-proxy and in the meshconfig. oauth2-proxy is able to pass the access token successfully to the Istio ingress gateway and I am able to see it in the istio-proxy logs, but the same access token is not being forwarded to the endpoint workload. When I enable debug logging on the workload's proxy, I don't see the JWT access token in the endpoint's istio-proxy container logs. Can you please let me know if there is any other setting that needs to be set for this access token to be passed as a header to the upstream workloads?
Meshconfig parameters maintained:

extensionProviders:
- name: oauth2-proxy
  envoyExtAuthzHttp:
    service: oauth2-proxy.oauth2-proxy.svc.cluster.local
    port: 4180
    includeRequestHeadersInCheck: ["Authorization", "Cookie", "X-Forwarded-Proto", "X-Forwarded-Host", "X-Forwarded-For", "X-Forwarded-Access-Token", "X-Forwarded-User", "X-Forwarded-Email", "Proxy-Authorization", "User-Agent", "From", "Accept", "X-Auth-Request-Redirect"]
    headersToUpstreamOnAllow: ["authorization", "cookie", "path", "x-auth-request-user", "x-auth-request-email", "x-auth-request-access-token", "x-auth-request-groups", "x-forwarded-access-token", "x-auth-request-redirect"]
    headersToDownstreamOnDeny: ["content-type", "set-cookie"]
    includeAdditionalHeadersInCheck:
      X-Auth-Request-Redirect: '%REQ(x-forwarded-proto)%://%REQ(:authority)%%REQ(:path)%'
      authorization: '%REQ(x-auth-request-access-token)%'
RequestAuthentication:

apiVersion: security.istio.io/v1beta1
kind: RequestAuthentication
metadata:
  name: auth-system
  namespace: istio-system
spec:
  selector:
    matchLabels:
      app: istio-ingressgateway
  jwtRules:
  - issuer: $OIDC_ISSUER_URL
    jwksUri: $OIDC_JWKS_URI
    forwardOriginalToken: true
    outputPayloadToHeader: X-My-Auth-Payload
    fromHeaders:
    - name: Authorization
      prefix: "Bearer "
    - name: X-Forwarded-Access-Token
    - name: X-Auth-Request-Access-Token
    - name: Authorization
Thanks,
Heini
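The header plumbing the post's meshconfig configures, as an added example (not Istio, Envoy or oauth2-proxy code, and not part of the original post): a small Python model of how Envoy's ext_authz HTTP filter, which is what an envoyExtAuthzHttp provider sets up, moves headers between the downstream request, the check request sent to oauth2-proxy, and the upstream request. The provider settings are a subset of the post's meshconfig; every request and response header value, and the "heini" user, is constructed for the demo. The point it shows is that headersToUpstreamOnAllow only copies headers that the authz server actually returned on its 200 response: if oauth2-proxy does not emit x-auth-request-access-token (in oauth2-proxy terms, --set-xauthrequest without --pass-access-token, per its documentation; verify for your version), nothing reaches the workload no matter what the list says.

```python
# Added example: model of Envoy ext_authz (HTTP) header handling as configured by an
# Istio envoyExtAuthzHttp extension provider.  Not Istio/Envoy/oauth2-proxy code.
import re
from typing import Dict, Mapping, Optional

Headers = Dict[str, str]

PROVIDER = {
    # Downstream headers copied into the check request sent to oauth2-proxy.
    "includeRequestHeadersInCheck": [
        "Authorization", "Cookie", "X-Forwarded-Proto", "X-Forwarded-Host",
        "X-Forwarded-Access-Token", "User-Agent", "X-Auth-Request-Redirect",
    ],
    # Headers computed from the downstream request and added to the check request.
    "includeAdditionalHeadersInCheck": {
        "X-Auth-Request-Redirect": "%REQ(x-forwarded-proto)%://%REQ(:authority)%%REQ(:path)%",
        "authorization": "%REQ(x-auth-request-access-token)%",
    },
    # Headers taken from the authz server's 200 response and set on the upstream request.
    "headersToUpstreamOnAllow": [
        "authorization", "x-auth-request-user", "x-auth-request-email",
        "x-auth-request-access-token", "x-auth-request-groups", "x-forwarded-access-token",
    ],
}

# Envoy always includes these in an HTTP check request, on top of the allowed list.
ALWAYS_IN_CHECK = {":authority", ":method", ":path", "content-length", "authorization"}
_REQ = re.compile(r"%REQ\(([^)]+)\)%")


def _lower(headers: Mapping[str, str]) -> Headers:
    """HTTP header names are case-insensitive; Envoy stores them lower-cased."""
    return {k.lower(): v for k, v in headers.items()}


def expand(template: str, request: Mapping[str, str]) -> str:
    """Expand %REQ(name)% against the downstream request; a missing header expands to ''."""
    req = _lower(request)
    return _REQ.sub(lambda m: req.get(m.group(1).lower(), ""), template)


def build_check_request(request: Mapping[str, str], provider=PROVIDER) -> Headers:
    """Headers oauth2-proxy sees on the check request."""
    req = _lower(request)
    allowed = {h.lower() for h in provider["includeRequestHeadersInCheck"]} | ALWAYS_IN_CHECK
    check = {k: v for k, v in req.items() if k in allowed}
    for name, template in provider["includeAdditionalHeadersInCheck"].items():
        value = expand(template, request)
        # Envoy drops custom headers whose value evaluates to empty
        # (HeaderValueOption.keep_empty_value defaults to false).
        if value:
            check[name.lower()] = value
    return check


def apply_allow_response(request: Mapping[str, str], authz_status: int,
                         authz_headers: Mapping[str, str],
                         provider=PROVIDER) -> Optional[Headers]:
    """Headers forwarded upstream, or None when the check denied the request.

    Only headers the authz server actually returned AND that are listed in
    headersToUpstreamOnAllow are added; what the client sent passes through unchanged.
    """
    if authz_status != 200:
        return None
    upstream = _lower(request)
    resp = _lower(authz_headers)
    for name in (h.lower() for h in provider["headersToUpstreamOnAllow"]):
        if name in resp:
            upstream[name] = resp[name]
    return upstream


# Constructed downstream request: a browser with an oauth2-proxy session cookie
# and no bearer token of its own.
DOWNSTREAM = {
    ":method": "GET", ":path": "/api/orders", ":authority": "app.example.com",
    "x-forwarded-proto": "https", "cookie": "_oauth2_proxy=session-constructed",
    "user-agent": "curl/8.4", "x-debug-id": "not-sent-to-authz",
}

# Constructed oauth2-proxy allow responses: without and with the access-token header.
ALLOW_WITHOUT_TOKEN = {"X-Auth-Request-User": "heini", "X-Auth-Request-Email": "heini@example.com"}
ALLOW_WITH_TOKEN = dict(ALLOW_WITHOUT_TOKEN, **{
    "X-Auth-Request-Access-Token": "eyJ.constructed.token",
    "X-Unlisted-Header": "ignored because it is not in headersToUpstreamOnAllow",
})

if __name__ == "__main__":
    print("check request:", build_check_request(DOWNSTREAM))
    for label, resp in (("no token", ALLOW_WITHOUT_TOKEN), ("with token", ALLOW_WITH_TOKEN)):
        up = apply_allow_response(DOWNSTREAM, 200, resp)
        print(label, "-> upstream has x-auth-request-access-token:",
              "x-auth-request-access-token" in up)
```

Two things this model makes visible: the `authorization: '%REQ(x-auth-request-access-token)%'` entry only affects the check request, and it is dropped entirely when the client did not send that header; and the client's own Authorization header is passed through by ext_authz untouched, so whether the gateway strips a validated JWT before forwarding is governed by the RequestAuthentication's forwardOriginalToken, not by the provider lists. To confirm what oauth2-proxy is returning, look at the headers on its 202 response to the check request rather than at the gateway's access log of the client request.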