I set up Istio and oauth2-proxy to secure my app. After I hit the protected endpoint, the auth flow works fine and the session cookie is set as normal. But in my backend service (httpbin), there is no Authorization header. I printed logs in the Istio sidecar and found the Authorization RESPONSE header in the oauth2-proxy sidecar but NOT in the REQUEST headers of the backend service httpbin.
```
accessLogFormat: "[%START_TIME%] %REQ(:METHOD)% %REQ(X-ENVOY-ORIGINAL-PATH?:PATH)% %PROTOCOL% %RESPONSE_CODE% %REQ(AUTHORIZATION)% %REQ(x-auth-request-email)% %RESP(AUTHORIZATION)% %RESP(x-auth-request-email)%"
```

```
kubectl logs -l app=istio-ingressgateway -c istio-proxy -n istio-system
[2023-11-07T14:14:38.297Z] GET /get HTTP/1.1 200 - xxx@gmail.com - -

kubectl logs -l app=oauth2-proxy -c istio-proxy -n oauth2-proxy
[2023-11-07T14:14:38.298Z] GET /get HTTP/1.1 200 - - Bearer veryloooogtoken xxx@gmail.com

kubectl logs -l app=httpbin -c istio-proxy -n sololude
[2023-11-07T14:14:38.304Z] GET /get HTTP/1.1 200 - xxx@gmail.com - -
```
This is my mesh config:
```yaml
apiVersion: install.istio.io/v1alpha1
kind: IstioOperator
spec:
  meshConfig:
    accessLogFile: /dev/stdout
    accessLogFormat: "[%START_TIME%] %REQ(:METHOD)% %REQ(X-ENVOY-ORIGINAL-PATH?:PATH)% %PROTOCOL% %RESPONSE_CODE% %REQ(AUTHORIZATION)% %REQ(x-auth-request-email)% %RESP(AUTHORIZATION)% %RESP(x-auth-request-email)%"
    extensionProviders:
    - name: oauth2-proxy
      envoyExtAuthzHttp:
        service: oauth2-proxy.oauth2-proxy.svc.cluster.local
        port: 4180
        # headers sent to the oauth2-proxy in the check request.
        includeRequestHeadersInCheck:
        - authorization
        - cookie
        # headers sent to backend application when request is allowed.
        headersToUpstreamOnAllow:
        - authorization
        - path
        - x-auth-request-user
        - x-auth-request-email
        - x-auth-request-access-token
        # headers sent back to the client when request is denied.
        headersToDownstreamOnDeny:
        - content-type
        - set-cookie
        # headers sent back to the client when request is allowed.
        headersToDownstreamOnAllow:
        - content-type
        - set-cookie
        includeAdditionalHeadersInCheck:
          "X-Auth-Request-Redirect": "%REQ(X-ENVOY-ORIGINAL-PATH?:PATH)%"
```
Auth policy:
```yaml
apiVersion: security.istio.io/v1beta1
kind: RequestAuthentication
metadata:
  name: istio-ingressgateway
  namespace: istio-system
spec:
  selector:
    matchLabels:
      istio: ingressgateway
  jwtRules:
  - issuer: https://account.sololude.com
    jwksUri: https://account.sololude.com/oauth2/jwks
---
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: istio-ingressgateway
  namespace: istio-system
spec:
  selector:
    matchLabels:
      istio: ingressgateway
  action: CUSTOM
  provider:
    name: oauth2-proxy
  rules:
  - to:
    - operation:
        hosts:
        - demo.test
        paths:
        - /api/user
        - /get
        - /headers
```
Oauth2-proxy config:
```yaml
apiVersion: v1
kind: Secret
metadata:
  name: oauth2-proxy
  namespace: oauth2-proxy
stringData:
  OAUTH2_PROXY_CLIENT_ID: client_id
  OAUTH2_PROXY_CLIENT_SECRET: client_secret
  # OAUTH2_PROXY_REDIRECT_URL: http://demo.test:3000/api/auth/callback
  OAUTH2_PROXY_REDIRECT_URL: http://demo.test/oauth2/callback
  # https://oauth2-proxy.github.io/oauth2-proxy/docs/configuration/overview/#generating-a-cookie-secret
  OAUTH2_PROXY_COOKIE_SECRET: YJCuPn0MyZFTAHvUnwYMhSSsgupY2BhEwvAW5_aBayA=
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: oauth2-proxy
  namespace: oauth2-proxy
spec:
  selector:
    matchLabels:
      app: oauth2-proxy
  template:
    metadata:
      labels:
        app: oauth2-proxy
    spec:
      containers:
      - name: oauth2-proxy
        image: quay.io/oauth2-proxy/oauth2-proxy:v7.2.0
        args:
        - --http-address=0.0.0.0:4180
        - --provider=oidc
        - --oidc-issuer-url=https://account.sololude.com
        - --email-domain=*
        - --cookie-refresh=1h
        - --cookie-secure=false
        - --set-xauthrequest
        - --pass-access-token
        - --set-authorization-header
        - --upstream=static://200
        - --reverse-proxy
        env:
        - name: OAUTH2_PROXY_CLIENT_ID
          valueFrom:
            secretKeyRef:
              name: oauth2-proxy
              key: OAUTH2_PROXY_CLIENT_ID
        - name: OAUTH2_PROXY_CLIENT_SECRET
          valueFrom:
            secretKeyRef:
              name: oauth2-proxy
              key: OAUTH2_PROXY_CLIENT_SECRET
        - name: OAUTH2_PROXY_REDIRECT_URL
          valueFrom:
            secretKeyRef:
              name: oauth2-proxy
              key: OAUTH2_PROXY_REDIRECT_URL
        - name: OAUTH2_PROXY_COOKIE_SECRET
          valueFrom:
            secretKeyRef:
              name: oauth2-proxy
              key: OAUTH2_PROXY_COOKIE_SECRET
        resources:
          requests:
            cpu: 10m
            memory: 100Mi
          limits:
            cpu: 100m
            memory: 1000Mi
        ports:
        - containerPort: 4180
          protocol: TCP
        readinessProbe:
          periodSeconds: 3
          httpGet:
            path: /ping
            port: 4180
```
Ingress gateway:
```yaml
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: sololude-gw-http
  namespace: sololude
spec:
  selector:
    istio: ingressgateway
  servers:
  - port:
      number: 80
      name: http
      protocol: HTTP
    hosts:
    - "*"
---
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: web-vs
  namespace: sololude
spec:
  hosts:
  - "*"
  gateways:
  - sololude-gw-http
  http:
  - name: "oauth2-proxy-route"
    match:
    - uri:
        prefix: "/oauth2"
    route:
    - destination:
        host: oauth2-proxy.oauth2-proxy.svc.cluster.local
        port:
          number: 4180
  - name: "default-route"
    route:
    - destination:
        host: httpbin
        port:
          number: 8000
```
Istio version:

```
client version: 1.19.3
control plane version: 1.19.3
data plane version: 1.19.3 (3 proxies)
```
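To localize where a header goes missing across the three sidecars, here is an added Python script (not part of the question, and not code from Istio or oauth2-proxy) that parses the access-log lines quoted above according to the custom `accessLogFormat`, treats `-` as an absent header, copes with the two-token `Bearer <token>` value that Envoy's unquoted text format produces, and redacts the credential before printing, since an access log that records raw `Authorization` values is itself a token leak. The `LOGS` dictionary holds the three lines from the question; the hop names are the workload labels used in the `kubectl logs` commands.

```python
"""Parse Envoy sidecar access-log lines in the custom format from the question and
report, hop by hop, where Authorization and x-auth-request-email were present."""
import re
from typing import Optional

# Field order mirrors the accessLogFormat in the IstioOperator:
# [%START_TIME%] %REQ(:METHOD)% %REQ(X-ENVOY-ORIGINAL-PATH?:PATH)% %PROTOCOL%
# %RESPONSE_CODE% %REQ(AUTHORIZATION)% %REQ(x-auth-request-email)%
# %RESP(AUTHORIZATION)% %RESP(x-auth-request-email)%
#
# Envoy's text format writes "-" for an absent header and does not quote values, so
# "Bearer <token>" spans two whitespace-separated tokens. AUTH therefore accepts
# either "-" or "<scheme> <credentials>"; "-" is tried first so an absent header
# never swallows the field that follows it.
AUTH = r"(?:-|[A-Za-z][\w-]* \S+)"
LINE_RE = re.compile(
    r"^\[(?P<start_time>[^\]]+)\] (?P<method>\S+) (?P<path>\S+) (?P<protocol>\S+) "
    r"(?P<status>\d+) (?P<req_authorization>" + AUTH + r") (?P<req_email>\S+) "
    r"(?P<resp_authorization>" + AUTH + r") (?P<resp_email>\S+)$"
)

HEADER_FIELDS = ("req_authorization", "req_email", "resp_authorization", "resp_email")


def parse_line(line: str) -> dict:
    """Return the fields of one access-log line; absent headers ("-") become None."""
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError(f"line does not match the expected access log format: {line!r}")
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    for field in HEADER_FIELDS:
        if rec[field] == "-":
            rec[field] = None
    return rec


def redact_credential(value: Optional[str]) -> Optional[str]:
    """Keep the auth scheme but hide the credential, e.g. 'Bearer ****'."""
    if value is None:
        return None
    scheme, _, _ = value.partition(" ")
    return f"{scheme} ****"


def trace_header(hops: dict, header: str) -> list:
    """For each hop, in order, report whether `header` ("authorization" or "email")
    was present on the request and on the response: [(hop, on_request, on_response)]."""
    out = []
    for hop, line in hops.items():
        rec = parse_line(line)
        out.append((hop, rec[f"req_{header}"] is not None, rec[f"resp_{header}"] is not None))
    return out


def hops_missing_on_request(hops: dict, header: str) -> list:
    """Names of hops at which `header` was not among the request headers."""
    return [hop for hop, on_req, _ in trace_header(hops, header) if not on_req]


# The three log lines quoted in the question, keyed by the workload whose sidecar wrote them.
LOGS = {
    "istio-ingressgateway": "[2023-11-07T14:14:38.297Z] GET /get HTTP/1.1 200 - xxx@gmail.com - -",
    "oauth2-proxy": "[2023-11-07T14:14:38.298Z] GET /get HTTP/1.1 200 - - Bearer veryloooogtoken xxx@gmail.com",
    "httpbin": "[2023-11-07T14:14:38.304Z] GET /get HTTP/1.1 200 - xxx@gmail.com - -",
}

if __name__ == "__main__":
    for hop, line in LOGS.items():
        rec = parse_line(line)
        print(hop, "status", rec["status"],
              "| req.authorization", redact_credential(rec["req_authorization"]),
              "| req.email", rec["req_email"],
              "| resp.authorization", redact_credential(rec["resp_authorization"]),
              "| resp.email", rec["resp_email"])
    print("authorization absent from request at:", hops_missing_on_request(LOGS, "authorization"))
    print("x-auth-request-email absent from request at:", hops_missing_on_request(LOGS, "email"))
```

Run as a script it prints one row per hop and then lists the hops where each header never made it onto the request; for real logs, feed each line of `kubectl logs ... -c istio-proxy` to `parse_line`. The regex is only necessary because Envoy's text format neither quotes nor escapes header values; setting `meshConfig.accessLogEncoding: JSON` in Istio yields one JSON object per line that `json.loads` handles without any ambiguity, and it is also a good idea to log only a redacted form of credential-bearing headers in the first place.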