Hello,
I have Istio 1.11 running with custom external authorization using oauth2-proxy and Keycloak. Redirecting and all seems to be working fine. However, after signing in, I still get an RBAC: access denied message. This is odd because I can see oauth2-proxy returning 200 for the requests:
127.0.0.6 - 15a1b580-44a1-4376-a4c4-acba90ae207d - dsach@my-nm.com [2021/08/20 05:17:49] staging.boom.bang.io GET static://200 "/" HTTP/1.1 "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:91.0) Gecko/20100101 Firefox/91.0" 200 13 0.000
I feel like I’m missing something simple. Any ideas?
Here is my auth config:
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: my-custom-auth
  namespace: my-nm
spec:
  selector:
    matchLabels:
      my-auth: enable
  action: CUSTOM
  provider:
    name: "oauth2-proxy"
  rules:
  - to:
    - operation:
        paths: ["*"]
---
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: my-allow-auth
  namespace: my-nm
spec:
  selector:
    matchLabels:
      my-auth: enable
  action: ALLOW
  rules:
  - to:
    - operation:
        paths: ["/oauth2/*"]
Here’s my mesh configmap:
apiVersion: v1
data:
  mesh: |-
    extensionProviders:
    - name: "oauth2-proxy"
      envoyExtAuthzHttp:
        service: "oauth2-proxy.oauth2-proxy.svc.cluster.local"
        port: "4180" # The default port used by oauth2-proxy.
        includeHeadersInCheck: # headers sent to the oauth2-proxy in the check request.
        # https://github.com/oauth2-proxy/oauth2-proxy/issues/350#issuecomment-576949334
        - "cookie"
        - "x-forwarded-access-token"
        - "x-forwarded-user"
        - "x-forwarded-email"
        - "authorization"
        - "x-forwarded-proto"
        - "proxy-authorization"
        - "user-agent"
        - "x-forwarded-host"
        - "from"
        - "x-forwarded-for"
        - "x-forwarded-uri"
        - "x-auth-request-redirect"
        - "accept"
        headersToUpstreamOnAllow:
        - "authorization"
        - "path"
        - "x-auth-request-user"
        - "x-auth-request-email"
        - "x-auth-request-access-token"
        - "x-auth-request-user-groups"
        - "cookie"
        headersToDownstreamOnDeny: ["content-type", "set-cookie"] # headers sent back to the client when request is denied.
    defaultConfig:
      discoveryAddress: istiod.istio-system.svc:15012
      proxyMetadata: {}
      tracing:
        zipkin:
          address: zipkin.istio-system:9411
    enablePrometheusMerge: true
    rootNamespace: istio-system
    trustDomain: cluster.local
  meshNetworks: 'networks: {}'
kind: ConfigMap
metadata:
  annotations:
  labels:
    install.operator.istio.io/owning-resource: unknown
    install.operator.istio.io/owning-resource-namespace: istio-system
    istio.io/rev: default
    operator.istio.io/component: Pilot
    operator.istio.io/managed: Reconcile
    operator.istio.io/version: 1.11.0
    release: istio
  name: istio
  namespace: istio-system
Here’s my oauth2-proxy config:
apiVersion: apps/v1
kind: Deployment
metadata:
  name: oauth2-proxy
  namespace: oauth2-proxy
spec:
  selector:
    matchLabels:
      app: oauth2-proxy
  template:
    metadata:
      labels:
        app: oauth2-proxy
    spec:
      containers:
      - name: redis
        image: redis
        ports:
        - containerPort: 6379
          name: redis
          protocol: TCP
      - name: oauth2-proxy
        image: quay.io/oauth2-proxy/oauth2-proxy:v7.1.3
        args:
        - --provider=oidc
        - --cookie-secure=true
        - --cookie-samesite=lax
        - --cookie-refresh=15m
        - --cookie-expire=20m
        - --cookie-name=nm
        - --set-authorization-header=true
        - --pass-authorization-header=true
        - --set-xauthrequest
        - --pass-access-token=true
        - --scope=openid
        - --email-domain=*
        - --http-address=0.0.0.0:4180
        - --upstream=static://200
        - --skip-provider-button=true
        - --whitelist-domain=.my-nm.io
        - --whitelist-domain=.my-nm2.com
        - --session-store-type=redis
        - --silence-ping-logging=true
        - --redis-connection-url=redis://localhost:6379
        - --skip-jwt-bearer-tokens=true
        - --request-logging=true
        - --auth-logging=true
        - --standard-logging=true
        - --reverse-proxy
        - --set-xauthrequest
        - --client-id=$(OAUTH2_PROXY_CLIENT_ID)
        - --client-secret=$(OAUTH2_PROXY_CLIENT_SECRET)
        env:
        - name: OAUTH2_PROXY_EXTRA_JWT_ISSUERS
          value: 'https://auth.my-nm-2.com/auth/realms/nm=account'
        - name: OAUTH2_PROXY_OIDC_ISSUER_URL
          value: 'https://auth.my-nm-2.com/auth/realms/nm'
        - name: OAUTH2_PROXY_LOGIN_URL
          value: 'https://auth.my-nm-2.com/auth/realms/nm/protocol/openid-connect/auth'
        - name: OAUTH2_PROXY_REDEEM_URL
          value: 'https://auth.my-nm-2.com/auth/realms/nm/protocol/openid-connect/token'
        - name: OAUTH2_PROXY_VALIDATE_URL
          value: 'https://auth.my-nm2.com/auth/realms/nm/protocol/openid-connect/userinfo'
        - name: OAUTH2_PROXY_CLIENT_ID
          valueFrom:
            secretKeyRef:
              name: oauth2-proxy
              key: OAUTH2_PROXY_CLIENT_ID
        - name: OAUTH2_PROXY_CLIENT_SECRET
          valueFrom:
            secretKeyRef:
              name: oauth2-proxy
              key: OAUTH2_PROXY_CLIENT_SECRET
        - name: OAUTH2_PROXY_COOKIE_SECRET
          valueFrom:
            secretKeyRef:
              name: oauth2-proxy
              key: OAUTH2_PROXY_COOKIE_SECRET
        resources:
          requests:
            cpu: 10m
            memory: 100Mi
        ports:
        - containerPort: 4180
          protocol: TCP
        readinessProbe:
          periodSeconds: 3
          httpGet:
            path: /ping
            port: 4180
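As an added example (not part of the original post and not Istio's or oauth2-proxy's code), here is a small Python model of the order in which Istio evaluates CUSTOM, DENY and ALLOW policies on one workload, which is the order Istio documents: a CUSTOM policy whose provider denies wins first, then any matching DENY, then the request is allowed if no ALLOW policy selects the workload at all, then allowed if some ALLOW rule matches, and otherwise it is denied by the RBAC filter. The model is run against the two policies posted above. The `provider_allows` callback standing in for the ext_authz round trip to oauth2-proxy, and the request paths, are constructed for the example.

```python
"""Model of Istio AuthorizationPolicy evaluation on a single workload.

Added example, not the poster's code. Policies are reduced to action plus the
flattened rules[].to[].operation.paths list; the ext_authz call to
oauth2-proxy is replaced by a constructed callback.
"""
from dataclasses import dataclass, field
from typing import Callable, List, Optional, Tuple


def path_matches(pattern: str, path: str) -> bool:
    """Istio path matching: exact, "*" (anything), "prefix*" or "*suffix"."""
    if pattern == "*":
        return True
    if pattern.endswith("*"):
        return path.startswith(pattern[:-1])
    if pattern.startswith("*"):
        return path.endswith(pattern[1:])
    return path == pattern


@dataclass
class Policy:
    name: str
    action: str                     # "CUSTOM", "DENY" or "ALLOW"
    paths: List[str] = field(default_factory=list)
    provider: Optional[str] = None  # only meaningful for CUSTOM

    def matches(self, path: str) -> bool:
        return any(path_matches(p, path) for p in self.paths)


ProviderFn = Callable[[str, str], bool]  # (provider name, path) -> allowed?


def evaluate(policies: List[Policy], path: str,
             provider_allows: ProviderFn) -> Tuple[str, str]:
    """Return ("allow" | "deny", reason) following Istio's documented order."""
    # 1. CUSTOM: a matching policy whose provider denies ends evaluation.
    for p in policies:
        if p.action == "CUSTOM" and p.matches(path):
            if not provider_allows(p.provider or "", path):
                return "deny", f"CUSTOM {p.name}: provider {p.provider} denied"
    # 2. DENY: any matching DENY policy ends evaluation.
    for p in policies:
        if p.action == "DENY" and p.matches(path):
            return "deny", f"DENY {p.name} matched"
    # 3. No ALLOW policy selects this workload: everything else is allowed.
    allow_policies = [p for p in policies if p.action == "ALLOW"]
    if not allow_policies:
        return "allow", "no ALLOW policy on workload"
    # 4. Some ALLOW rule matches: allowed.
    for p in allow_policies:
        if p.matches(path):
            return "allow", f"ALLOW {p.name} matched"
    # 5. ALLOW policies exist but none matched: the RBAC filter denies.
    return "deny", "ALLOW policies exist but none matched (RBAC: access denied)"


# The two policies from the post, reduced to what the model needs.
POSTED_POLICIES = [
    Policy("my-custom-auth", "CUSTOM", ["*"], provider="oauth2-proxy"),
    Policy("my-allow-auth", "ALLOW", ["/oauth2/*"]),
]

# Same workload, but the ALLOW policy covers every path (constructed variant).
ALLOW_ALL_POLICIES = [
    Policy("my-custom-auth", "CUSTOM", ["*"], provider="oauth2-proxy"),
    Policy("my-allow-auth", "ALLOW", ["*"]),
]


def signed_in(provider: str, path: str) -> bool:
    """Constructed provider stand-in: oauth2-proxy answers 200 for every path,
    as in the posted log line after sign-in."""
    return True


def decisions(policies: List[Policy], provider_allows: ProviderFn,
              paths: Tuple[str, ...] = ("/", "/oauth2/callback")) -> dict:
    """Evaluate each path and return {path: (decision, reason)}."""
    return {path: evaluate(policies, path, provider_allows) for path in paths}


if __name__ == "__main__":
    for label, policies in (("posted", POSTED_POLICIES),
                            ("allow-all", ALLOW_ALL_POLICIES)):
        for path, (decision, reason) in decisions(policies, signed_in).items():
            print(f"{label:10} {path:18} {decision:5} {reason}")
```

Run as-is it prints one line per path for the posted policies and for a variant whose ALLOW rule covers every path; the point it makes is that the provider's 200 only settles step 1, so a path the provider approved still ends at step 5 whenever an ALLOW policy selects the workload and none of its rules match that path.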