Istio Open ID Connect Token Acquisition Policy Proposal for End User Authentication

Proposal: https://docs.google.com/document/d/1zRa97isgx6wPv7VBfDWqg3oDEipjqPav5dKKO-GMVCs/edit?usp=sharing

This document proposes the addition of the “OidcPolicy” to the Istio authentication group to expose functionality introduced by the End-User authentication with OIDC proposal.

Please add your comments/questions/suggestions to the document or in this thread.

We presented this today at the Istio Security Working Group. Would love to get community feedback, community participation is welcome!

@Peter_Chen @Tian_Wang I’m pretty interested in seeing this pushed through, is there an ETA on it? Seems like the original proposal is over a year old and still WIP. I’m evaluating istio and seeing if lines up with our roadmap for end user authentication.
@nick_smith Noticed you owned the parent proposal, as well if you have any thoughts.

Yes, the work is still work-in-progress. There’s no official ETA but we might have a new version of Proof-of-Concept soon. Could you share more about your use case for end user authentication?

@Peter_Chen Thanks for getting back to me. I have a similar use case that is outlined in the parent document, though my webapps are not Single Page Applications (SPAs). I’m adopting istio and was disappointed that it didn’t have support for token acquisition and session management. Fundamentally, I have a few webapps I need to host and would like transparent authentication for them.

Any updates on this? The existing solutions are a bit painful.

Yes, that sounds like the use case we are trying to solve. This is still a work in progress but we hope to have an alpha we can publish soon. If you are interested in more detailed updates, you can follow up via Istio Slack instance’s #security and #oidc-proposal channels.

Please see above. This feature is in active development.

Great! I found the prototype. Will test it as soon as possible.