Istio OpenID Connect Token Acquisition Policy Proposal for End User Authentication

Proposal: https://docs.google.com/document/d/1zRa97isgx6wPv7VBfDWqg3oDEipjqPav5dKKO-GMVCs/edit?usp=sharing

This document proposes the addition of the “OidcPolicy” to the Istio authentication group to expose functionality introduced by the End-User authentication with OIDC proposal.

Please add your comments/questions/suggestions to the document or in this thread.

We presented this today at the Istio Security Working Group. Would love to get community feedback; community participation is welcome!

@Peter_Chen @Tian_Wang I’m pretty interested in seeing this pushed through. Is there an ETA on it? Seems like the original proposal is over a year old and still WIP. I’m evaluating Istio and seeing if it lines up with our roadmap for end user authentication.
@nick_smith Noticed you owned the parent proposal, as well if you have any thoughts.

Yes, the work is still a work in progress. There’s no official ETA, but we might have a new version of the Proof-of-Concept soon. Could you share more about your use case for end user authentication?

@Peter_Chen Thanks for getting back to me. I have a use case similar to the one outlined in the parent document, though my webapps are not Single Page Applications (SPAs). I’m adopting Istio and was disappointed that it didn’t have support for token acquisition and session management. Fundamentally, I have a few webapps I need to host and would like transparent authentication for them.