Use Istio for authorisation: how to redirect to login page and how to use JWT cookies

jenny · November 23, 2020, 10:02am

Hi,

I’m trying to remove user authorization built-in to the applications and move then to istio. In the past i have been able to use RequestAuthentication and AuthorizationPolicy with JWT to secure public restful services. This time its a front-end

We use keycloak OIDC and currently we use lua inside an openresty container to obtain the JWT cookie and based on that the user is either redirected to keycloak’s login page, is granted access or if the user does not have the proper role, we send back a 403 error page.

I have the following questions:

How can i have istio/envoy redirect when they need to login?
can i use fromHeaders to obtain the JWT from keycloak’s cookies?

tx.,

jenny · November 23, 2020, 4:10pm

I believe i have to add oauth2-proxy in the mix and perhaps use an EnvoyFilter?

Hoping for a simpler solution. Any help is welcome,

tx

leitang · November 23, 2020, 5:48pm

As it is related to AuthorizationPolicy, cc @YangminZhu.

YangminZhu · November 25, 2020, 2:40am

you can probably check this blog that tells how to integrate oauth-proxy with istio using EnvoyFilter: https://www.paraesthesia.com/archive/2020/09/03/setting-up-oauth2-proxy-with-istio/, we are also working to provide first-class support for such use cases, see the design doc here https://docs.google.com/document/d/1V4mCQCw7mlGp0zSQQXYoBdbKMDnkPOjeyUb85U07iSI/edit#
the fromHeaders is used when the JWT token is stored in a different header (the default is Authorization header) in the request. Do you mean you want to verify the JWT token from keycloak stored in some custom header? Also note the request authentication policy doesn’t support opaque cookie, it only supports JWT token.

jenny · November 25, 2020, 1:23pm

Thanks for your reply and link!

I was on a similar path, but this helped tremendously. I got to the point where i can login, but my application fails with RBAC: access denied.

I also don’t see any headers in the envoy rbac debug that the envoy proxy can use to authenticate. I do see the cookie', '_oauth2_proxy, but no Authorization header (or X-Forwarded-Access-Token). I did configure oauth2-proxy to pass those:

- '--pass-access-token=true'     #pass token as X-Forwarded-Access-Token
- '--pass-authorization-header=true' # pass OIDC IDToken
- '--set-authorization-header=true'
- '--skip-jwt-bearer-tokens=true' # sets the Authorization Bearer response header
- '--upstream=static://'

But these don’t end up at the app’s envoy proxy. Any ideas?

jenny · November 25, 2020, 1:43pm

With --set-xauthrequest=true i am getting the x-auth-request-access-token as a header, but i am not able to set the other headers

For now i’ll use

fromHeaders:
  - name: x-auth-request-access-token

YangminZhu · February 19, 2021, 1:59am

We now have better support of integrating external authz in Istio 1.9, check the task Istio / External authorization with custom action and the blog Istio / Better External Authorization for more info.

Specifically for oauth2-proxy, you could try with the following configuration:

apiVersion: apps/v1
kind: Deployment
metadata:
  name: oauth2-proxy
spec:
  replicas: 1
  selector:
    matchLabels:
      app: oauth2-proxy
  template:
    metadata:
      labels:
        app: oauth2-proxy
    spec:
      containers:
      - args:
        - --http-address=127.0.0.1:4180
        - --provider=google
        - --email-domain=*
        - --cookie-refresh=1h
        - --cookie-secure=false # Set to false for test environment only
        - --set-xauthrequest # X-Auth-Request-User, X-Auth-Request-Email, X-Auth-Request-Preferred-Username, X-Auth-Request-Groups
        - --pass-access-token # X-Auth-Request-Access-Token, must first enable --set-xauthrequest
        - --set-authorization-header # Authorization: Bearer <JWT>
        - --upstream="static://200"
        - --reverse-proxy
        env:
        - name: OAUTH2_PROXY_CLIENT_ID
          value: "<YOUR_CLIENT_ID>"
        - name: OAUTH2_PROXY_CLIENT_SECRET
          value: "<YOUR_CLIENT_SECRET>"
        - name: OAUTH2_PROXY_COOKIE_SECRET
          value: "<YOUR_COOKIE_SECRET>" # could be generated with python -c 'import secrets,base64; print(base64.b64encode(base64.b64encode(secrets.token_bytes(16))));'
        image: quay.io/oauth2-proxy/oauth2-proxy:v7.0.1
        imagePullPolicy: Always
        name: oauth2-proxy
        ports:
        - containerPort: 4180
          protocol: TCP
---
apiVersion: v1
kind: Service
metadata:
  name: oauth2-proxy
spec:
  selector:
    app: oauth2-proxy
  ports:
  - name: http
    port: 4180
    protocol: TCP
    targetPort: 4180

anmolagrawal23 · March 21, 2021, 1:03pm

@YangminZhu Similar to external authz, is there a plan to provide first-class support for Envoy oauth2 filter?