Istio + OAuth 2.0


#1

I have an OAuth authorization server hosted outside of Kubernetes cluster. Our micro services are hosted inside K8. We want to authorize the incoming request at the Ingress gateway . Is it possible to build a custom adaptor which can call the authorization server by passing the bearer token from the incoming request header.


#2

I think this is doable by configuring the ingress gateway to process token validation. Please take a look at: Configure end user authentication on ingress gateway


#3

If you aren’t using JWTs we used an EnvoyFIlter that we plug into our Gateway that proxies all requests to our authn server. I wrote about it here: https://medium.com/plangrid-technology/custom-user-authentication-in-istio-67c90458b093


#4

The example doesn’t show a way to configuring the authorization server. I see the token is returned from the github repo , if the token needs to be sent to another service for authorization do I have to write a custom adaptor?
I see the post from Omar was flagged , is it not the recommended way?


#5

@natraj09, here is an blog detailing how your configure the authorization server: https://programmaticponderings.com/2019/01/06/securing-kubernetes-withistio-end-user-authentication-using-json-web-tokens-jwt/ . The blog is based on Auth0 but the configuration should be quite similar for other products.


#6

Hi Rafik,
Our use case is similar to what Omar had shared in the blog. Is implementing the custom EnvoyFilter in form of a inline lua script the recommended approach for such use cases. The management of inline script could be tedious and error prone. Is there plan of supporting such extensibility with a cleaner interface?


#7

Hi Natraj,
Afaik, the solution provided by Omar and PlanGrid is the only way to support other OAuth token type in addition to JWT. I think also that Istio JWT token is based on Envoy JWT filter which is build the same way using Envoy filters (https://www.envoyproxy.io/docs/envoy/latest/configuration/http_filters/jwt_authn_filter).

On the other hand, you should keep in mind the limitation of filters (That what I can see as precaution from Istio documentation: https://istio.io/docs/reference/config/istio.networking.v1alpha3/#EnvoyFilter). So, keeping a minimal number of filters in addition to running validation test when upgrading Istio should be a good practice.

I would like that a core team member comment on that to be sure. @spikecurtis


#8

Yeah, I echo the caution about EnvoyFilter, as it comes with no guarantees about backward compatibility.

There is some work starting in the Security WG to bring support for “opaque” authentication tokens using a “blessed” Istio API. I don’t have an exact time frame, but you might contact the authors of this doc and mention your interest.

The other thing to mention is that instead of custom Lua, you might consider the Envoy ExtAuth filter.


#9

Thank you Spike for all these details and useful information. I will definitely opt for External Authorization filter as a tactical solution until having the out of box support.


#10

Thanks Rafik and Spike for the suggestion. Will take a look


#11

I am new to Istio world, but I think a Mixer adapter will be able to do this task using Authorization template
Here I imagine how things should work (please feel free to correct me, I am still understanding this Mixer :slight_smile: ) =>

  • Since envoy proxy(the sidecar inside you container) suppose to do 2 things, one of them is performing precondition checks, so I imagine this flow=>
    1- Sidecar proxy sends instances of kind Authorization template, which should include dimension attributes like ( request.headers(jwt), source IP, client ID, etc…) to the Mixer.
    2- Then Mixer receive these attributes and map them to your Adapter configuration : e.g. map request.header[‘Autheriztion’] to Token and source.ip to clientID … etc this called instance configuration.
    3- Adapter ( which you suppose to write the internal Oauth2 logic on it using Go or any language) will receive these mapped instances/data and perform OAuth logic through handlers and perform required checks using pervious inputs ( jwt/clientid ) and return result to Mixer

Also I think OPA Mixer’s adapter could help you.