Set-Cookie on successful client response from External Authorization (headers to downstream on allow)


I posted this topic yesterday, but surprisingly it was automatically considered spam!

I’m trying to use the ext authz feature of Istio and I came across a need that I think I can’t do in Istio, but I’m not sure.

I’ll describe my scenario here and I’d be grateful if someone can point me in the right direction.

Istio gateway sends a request to our external authorization service (HTTP) to check if the request is valid. The request contains cookies that include access and refresh tokens.

Our external auth service will check the tokens and, if they need to be refreshed, it requests new tokens from our main Authorization server by sending the refresh token to it, and updates the cookies inside the request if the tokens are successfully refreshed and returned as a response from the main Authorization server.

So I need to set cookies on the client on a successful response from the external auth service (only if the token needs to be refreshed). The full workflow will look like this:

1. Client sends a request to Istio gateway

2. Gateway checks if the request is authenticated by forwarding the headers to external authz service

3. In the ext authz service, the token is expired or is about to expire. Therefore, it tries to refresh the tokens by talking to the main Authorization server. After refreshing, it clears the old cookies and sets new cookies in the response, and also puts the extracted user details in the “x-auth-principal” and “x-auth-attributes” headers to be used in backend microservices.

4. Gateway receives the response from the ext authz service and forwards the request to the appropriate microservices with the headers set in the previous step.

5. Microservices do their job and the gateway gets the final response from them.

6. Now, I want to set the new cookies that have been received from the ext authz in the response. But looking at the document, it seems impossible, or maybe I didn’t understand well.

The current properties for external authz in Istio are:

  • includeHeadersInCheck: I should set “cookie” header in this property
  • headersToUpstreamOnAllow: I should set “x-auth-principal” and “x-auth-attributes” headers in this property
  • headersToDownstreamOnDeny: I should set “Set-Cookie” header in this property. So if there’s any problem with tokens, I can delete cookies when the request is not authorized

Now, I think I need a property like “headersToDownstreamOnAllow” and also put “Set-Cookie” in it so it can set new refreshed tokens in cookies for the client.

Please also take a look at this issue for Envoy on GitHub, in which someone asked for a similar feature, and I think it has been implemented in Istio if I’m not mistaken:

Question: set-cookie on client response in successful ExtAuthz response #7986

Any help would be greatly appreciated.

Kind regards

@YangminZhu could you please take a look?

Thanks for the detailed description, I think this is a very valid use case and feel free to open an issue for the feature request on GitHub.

We just need to support the allowed_client_headers_on_success field (added in Envoy in “ext_authz: support response headers on OK authorization checks” by esmet, Pull Request #14514, envoyproxy/envoy) in the ext authz extension provider.
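
The decision logic the workflow in this thread asks of the ext authz service, as an added example that is not code from any poster or from Istio/Envoy. The cookie names, the HMAC toy token format, the 60-second refresh window and the `refresh` callable (standing in for the main Authorization server) are assumptions; only “x-auth-principal” is emitted, to keep it short.

```python
import hashlib
import hmac
from http.cookies import SimpleCookie

KEY = b"constructed-demo-key"   # assumption: stand-in for real token verification
REFRESH_WINDOW = 60             # assumption: refresh when under 60 s of lifetime remain

def sign(sub, exp):
    """Constructed toy token 'sub.exp.mac'; a real service verifies its IdP's tokens."""
    mac = hmac.new(KEY, f"{sub}.{exp}".encode(), hashlib.sha256).hexdigest()
    return f"{sub}.{exp}.{mac}"

def verify(token):
    """Return (sub, exp) if the MAC is valid, else None."""
    try:
        sub, exp, mac = token.split(".")
        good = sign(sub, int(exp)).rsplit(".", 1)[1]
    except ValueError:
        return None
    return (sub, int(exp)) if hmac.compare_digest(mac, good) else None

def cookie(name, value, max_age):
    # Max-Age=0 deletes the cookie; the attributes keep tokens away from scripts.
    return ("Set-Cookie", f"{name}={value}; Max-Age={max_age}; Path=/; HttpOnly; Secure; SameSite=Lax")

def deny():
    # 401 plus cookie deletion: reaches the client via headersToDownstreamOnDeny.
    return 401, [cookie("access_token", "", 0), cookie("refresh_token", "", 0)]

def check(cookie_header, now, refresh):
    """Decide one check request; returns (status, [(header, value), ...]).
    `refresh(refresh_token)` is hypothetical and returns (access, refresh) or None."""
    jar = SimpleCookie()
    jar.load(cookie_header or "")
    claims = verify(jar["access_token"].value) if "access_token" in jar else None
    headers = []
    if claims is None or claims[1] - now < REFRESH_WINDOW:
        pair = refresh(jar["refresh_token"].value) if "refresh_token" in jar else None
        claims = verify(pair[0]) if pair else None
        if claims is None:
            return deny()
        # Only a refresh emits Set-Cookie on allow; the proxy must be configured
        # to pass it to the client (Envoy: allowed_client_headers_on_success).
        headers += [cookie("access_token", pair[0], 900), cookie("refresh_token", pair[1], 86400)]
    # Identity header for the backends: forwarded via headersToUpstreamOnAllow.
    headers.append(("x-auth-principal", claims[0]))
    return 200, headers
```

The headers are returned as a list of pairs because a refresh produces two Set-Cookie headers, which a dict would collapse into one.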