Istio+oauth2-proxy+keycloak. Policies not working

Hello everyone
I have Istio 1.16.1 with custom external authorization using oauth2-proxy and Keycloak. My policies are not working. The redirect to Keycloak authorization is not working. Could you please help me?
Here are my configs

apiVersion: security.istio.io/v1beta1
kind: RequestAuthentication
metadata:
  name: tkn-request-auth
  namespace: tekton-pipelines
spec:
  selector:
    matchLabels:
      app: tekton-dashboard
  jwtRules:
  - issuer: http://keycloak-http.keycloak.svc.cluster.local/auth/realms/tekton
    jwksUri: http://keycloak-http.keycloak.svc.cluster.local/auth/realms/tekton/protocol/openid-connect/certs
    forwardOriginalToken: true
  - issuer: https://<KEYCLOAK_URL>/auth/realms/tekton
    jwksUri: https://<KEYCLOAK_URL>/auth/realms/tekton/protocol/openid-connect/certs
---
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: ext-authz-oauth2-proxy
  namespace: tekton-pipelines
spec:
  selector:
    matchLabels:
      app: tekton-dashboard
  action: CUSTOM
  provider:
    # Extension provider configured when we installed Istio
    name: oauth2-proxy
  rules:
  - to:
    - operation:
        hosts:
        - "<TEKTON_URL>"
        notPaths: ["/auth/*"]
---
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: tkn-dash-auth-policy
  namespace: tekton-pipelines
spec:
  selector:
    matchLabels:
      app: tekton-dashboard
  action: DENY
  rules:
  - to:
    - operation:
        hosts: ["<TEKTON_URL>"]
        paths: ["/*"]
    when:
    - key: request.auth.claims[iss]
      values:
      - "https://<KEYCLOAK_URL>/auth/realms/tekton"
    - key: request.auth.claims[user_roles]
      notValues:
      - "tekton-dashboard-role"

Istio configMap

apiVersion: v1
data:
  mesh: |-
    accessLogFile: /dev/stdout
    defaultConfig:
      discoveryAddress: istiod.istio-system.svc:15012
      proxyMetadata: {}
      tracing:
        zipkin:
          address: zipkin.istio-system:9411
    enablePrometheusMerge: true
    extensionProviders:
    - name: oauth2-proxy
      envoyExtAuthzHttp:
        service: oauth2-proxy.oauth2-proxy.svc.cluster.local
        port: 4180
        timeout: 1.5s
        includeHeadersInCheck: ["authorization", "cookie"]
        headersToUpstreamOnAllow: ["x-forwarded-access-token", "authorization", "path", "x-auth-request-user", "x-auth-request-email", "x-auth-request-access-token"]
        headersToDownstreamOnDeny: ["content-type", "set-cookie"]
    - envoyOtelAls:
        port: 4317
        service: opentelemetry-collector.istio-system.svc.cluster.local
      name: otel
    rootNamespace: istio-system
    trustDomain: cluster.local
  meshNetworks: 'networks: {}'

Here’s my oauth2-proxy config:

apiVersion: apps/v1
kind: Deployment
metadata:
  name: oauth2-proxy
  namespace: oauth2-proxy
spec:
  selector:
    matchLabels:
      app: oauth2-proxy
  template:
    metadata:
      labels:
        app: oauth2-proxy
    spec:
      containers:
      - name: oauth2-proxy
        image: quay.io/oauth2-proxy/oauth2-proxy:v7.4.0
        args:
        - --provider=oidc
        - --oidc-issuer-url=https://<KEYCLOAK_URL>/auth/realms/tekton
        - --profile-url=https://<KEYCLOAK_URL>/auth/realms/tekton/protocol/openid-connect/userinfo
        - --validate-url=https://<KEYCLOAK_URL>/auth/realms/tekton/protocol/openid-connect/userinfo
        - --set-authorization-header=true
        - --http-address=0.0.0.0:4180
        - --pass-host-header=true
        - --reverse-proxy=true
        - --auth-logging=true
        - --cookie-httponly=true
        - --cookie-refresh=4m
        - --cookie-secure=false
        - --email-domain="*"
        - --pass-access-token=true
        - --pass-authorization-header=true
        - --request-logging=true
        - --set-xauthrequest=true
        - --silence-ping-logging=true
        - --skip-provider-button=true
        - --skip-auth-strip-headers=false
        - --ssl-insecure-skip-verify=true
        - --standard-logging=true
        - --upstream="static://200"
        - --whitelist-domain=".cluster.local"
        env:
        - name: OAUTH2_PROXY_CLIENT_ID
          valueFrom:
            secretKeyRef:
              name: oauth2-proxy
              key: OAUTH2_PROXY_CLIENT_ID
        - name: OAUTH2_PROXY_CLIENT_SECRET
          valueFrom:
            secretKeyRef:
              name: oauth2-proxy
              key: OAUTH2_PROXY_CLIENT_SECRET
        - name: OAUTH2_PROXY_COOKIE_SECRET
          valueFrom:
            secretKeyRef:
              name: oauth2-proxy
              key: OAUTH2_PROXY_COOKIE_SECRET
        resources:
          requests:
            cpu: 10m
            memory: 100Mi
        ports:
        - containerPort: 4180
          protocol: TCP
        readinessProbe:
          periodSeconds: 3
          httpGet:
            path: /ping
            port: 4180

As I understand it, your problem is with the redirection TO Keycloak. Unless you are running an older version of Keycloak, you should not have “/auth” in the URLs that configure the OAuth2 Proxy.
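Added example, not written by anyone in this thread: a small Python diagnostic for the issuer mismatch the reply above describes. Istio matches `jwtRules[].issuer` against a token's `iss` claim as an exact string, so `https://host/auth/realms/tekton` (the form in the RequestAuthentication in the original post) and `https://host/realms/tekton` (what Keycloak 17 and later, the Quarkus distribution, emits) are two different issuers, and a token carrying the second is unknown under a rule configured with the first. The script decodes a token's payload without verifying it, compares `iss` with the configured issuer list, and points out when the only difference is the legacy `/auth` prefix. `CONFIGURED_ISSUERS` is copied from the post with its placeholders, and `make_sample_token` builds an unsigned fixture purely so the check can run offline; both are constructed for this example.

```python
import base64
import json

# The issuer strings exactly as they appear in the thread's RequestAuthentication
# (placeholders kept as on the page).
CONFIGURED_ISSUERS = [
    "http://keycloak-http.keycloak.svc.cluster.local/auth/realms/tekton",
    "https://<KEYCLOAK_URL>/auth/realms/tekton",
]


def _b64url_decode(segment: str) -> bytes:
    # JWT segments omit base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(obj: dict) -> str:
    raw = json.dumps(obj, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def make_sample_token(claims: dict) -> str:
    """Constructed, unsigned test fixture (alg=none, empty signature segment).

    It exists only so the checks below run offline; it is not a Keycloak
    token and any verifying consumer would reject it.
    """
    return f"{_b64url_encode({'alg': 'none', 'typ': 'JWT'})}.{_b64url_encode(claims)}."


def jwt_claims(token: str) -> dict:
    """Return the payload of a compact JWT without verifying its signature.

    Inspection only: this shows which issuer a token names, nothing about
    whether the token is genuine, so never base an authorization decision on it.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected a compact JWS with three dot-separated segments")
    return json.loads(_b64url_decode(parts[1]))


def keycloak_jwks_uri(issuer: str) -> str:
    """Keycloak publishes its signing keys at this path relative to the issuer,
    so a jwtRule's jwksUri should be derived from the same issuer string."""
    return issuer.rstrip("/") + "/protocol/openid-connect/certs"


def _strip_legacy_prefix(url: str) -> str:
    # Keycloak's Quarkus distribution serves realms at /realms/<name>
    # instead of the older /auth/realms/<name>.
    return url.replace("/auth/realms/", "/realms/")


def check_issuer(token: str, configured_issuers) -> dict:
    """Compare the token's iss claim with the issuers Istio is configured for.

    The comparison is an exact string match, mirroring how Istio matches
    jwtRules[].issuer (and request.auth.claims[iss] in a policy condition).
    """
    iss = jwt_claims(token).get("iss")
    result = {"iss": iss, "matched": iss in configured_issuers, "hint": None}
    if iss is None:
        result["hint"] = "token carries no iss claim"
    elif not result["matched"]:
        for cfg in configured_issuers:
            if _strip_legacy_prefix(cfg) == _strip_legacy_prefix(iss):
                result["hint"] = (
                    f"issuer differs only by the legacy /auth prefix: "
                    f"configured {cfg!r}, token {iss!r}; expected jwksUri "
                    f"{keycloak_jwks_uri(iss)!r}"
                )
                break
        else:
            result["hint"] = "token issuer is not configured in any jwtRule"
    return result


if __name__ == "__main__":
    sample = make_sample_token({"iss": "https://<KEYCLOAK_URL>/realms/tekton",
                                "user_roles": ["tekton-dashboard-role"]})
    print(json.dumps(check_issuer(sample, CONFIGURED_ISSUERS), indent=2))
```

To run it against a real deployment, paste the value of the `authorization: Bearer ...` header that oauth2-proxy forwards upstream (it is in the `headersToUpstreamOnAllow` list in the post) in place of the constructed sample. The same exact-match rule applies to the `request.auth.claims[iss]` value in the DENY policy, so if the issuer is changed in the RequestAuthentication it has to change there too.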

Hi @yakw, please let me know: were you able to authenticate the Tekton dashboard using Keycloak? I need some help.

Hi @Adityasrm, yes, I implemented Keycloak auth for the Tekton dashboard. I had to install a separate Keycloak instance, and a separate Keycloak instance for business services.

@yakw Can you tell me the steps for how you implemented it? Do we need to have oauth2-proxy for it?

Hi @yakw, please help me. I have created Keycloak in one EKS cluster, and created the Istio ingress gateway, tekton-pipelines and the Tekton dashboard and set it with a ClusterIP. How can I link Keycloak with the Istio gateway?