Use Istio for authorisation: how to redirect to login page and how to use JWT cookies


I’m trying to remove the user authorization built into the applications and move it to Istio. In the past I have been able to use RequestAuthentication and AuthorizationPolicy with JWT to secure public RESTful services. This time it’s a front-end.

We use Keycloak OIDC, and currently we use Lua inside an OpenResty container to obtain the JWT cookie. Based on that, the user is either redirected to Keycloak’s login page or granted access, or, if the user does not have the proper role, we send back a 403 error page.

I have the following questions:

  • How can I have Istio/Envoy redirect users when they need to log in?
  • Can I use fromHeaders to obtain the JWT from Keycloak’s cookies?


I believe I have to add oauth2-proxy to the mix and perhaps use an EnvoyFilter?

Hoping for a simpler solution. Any help is welcome.


As it is related to AuthorizationPolicy, cc @YangminZhu.

  1. You can probably check this blog post that explains how to integrate oauth2-proxy with Istio using an EnvoyFilter. We are also working to provide first-class support for such use cases; see the design doc here.

  2. fromHeaders is used when the JWT is stored in a different request header (the default is the Authorization header). Do you mean you want to verify the JWT from Keycloak stored in some custom header? Also note that the request authentication policy doesn’t support opaque cookies; it only supports JWTs.

Thanks for your reply and link!

I was on a similar path, but this helped tremendously. I got to the point where I can log in, but my application fails with “RBAC: access denied”.

I also don’t see any headers in the Envoy RBAC debug output that the Envoy proxy can use to authenticate. I do see the _oauth2_proxy cookie, but no Authorization header (or X-Forwarded-Access-Token). I did configure oauth2-proxy to pass those:

- '--pass-access-token=true'          # pass the access token as X-Forwarded-Access-Token
- '--pass-authorization-header=true'  # pass the OIDC ID token
- '--set-authorization-header=true'
- '--skip-jwt-bearer-tokens=true'     # sets the Authorization Bearer response header
- '--upstream=static://'

But these don’t end up at the app’s Envoy proxy. Any ideas?

With --set-xauthrequest=true I am getting x-auth-request-access-token as a header, but I am not able to set the other headers.

For now I’ll use

  - name: x-auth-request-access-token
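The following is an added example, not configuration posted in this thread or shipped by Istio or oauth2-proxy. It shows the two pieces the replies above point at: a RequestAuthentication that uses fromHeaders to pick the JWT up from the x-auth-request-access-token header that oauth2-proxy emits with --set-xauthrequest=true, and an AuthorizationPolicy that turns “valid token from this issuer with this realm role” into an allow and everything else into “RBAC: access denied”. The namespace (web), the workload label (app=frontend), the Keycloak host and realm, and the role name are all assumptions made for the example; the redirect to Keycloak’s login page is still oauth2-proxy’s job and is not covered by these two resources.

```yaml
# Added example, not from the thread. Hypothetical values: the app is labelled
# app=frontend in namespace web, Keycloak serves realm "myrealm" at
# https://keycloak.example.com, and oauth2-proxy (started with
# --set-xauthrequest=true) is already wired in as the ext_authz service so
# that the x-auth-request-access-token header reaches the sidecar.
apiVersion: security.istio.io/v1beta1
kind: RequestAuthentication
metadata:
  name: keycloak-jwt
  namespace: web
spec:
  selector:
    matchLabels:
      app: frontend
  jwtRules:
  - issuer: "https://keycloak.example.com/auth/realms/myrealm"
    jwksUri: "https://keycloak.example.com/auth/realms/myrealm/protocol/openid-connect/certs"
    # Read the JWT from the header oauth2-proxy sets instead of Authorization.
    # Cookies are not supported here, so the token has to arrive in a header.
    fromHeaders:
    - name: x-auth-request-access-token
    # Keep the token on the request for the application; by default the
    # sidecar strips the header it validated.
    forwardOriginalToken: true
---
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: frontend-require-login
  namespace: web
spec:
  selector:
    matchLabels:
      app: frontend
  action: ALLOW
  rules:
  # Only requests that carried a JWT validated against the rule above have a
  # request principal (issuer/subject). A request with no token, or whose
  # token never reached the sidecar, matches no rule and is rejected with
  # "RBAC: access denied", which is the symptom described in this thread.
  - from:
    - source:
        requestPrincipals: ["https://keycloak.example.com/auth/realms/myrealm/*"]
    # Keycloak puts realm roles under the nested claim realm_access.roles.
    # Matching a nested claim key this way needs an Istio release that
    # supports nested claims; older releases only match top-level claims.
    when:
    - key: request.auth.claims[realm_access][roles]
      values: ["frontend-user"]
```

Apply both resources with kubectl apply -f and test three cases against the sidecar: no header at all (expect 403 from RBAC), a header with a token signed by something other than the realm’s JWKS (expect 401 from the JWT filter), and a valid token whose realm_access.roles lacks frontend-user (expect 403 from RBAC, which replaces the 403 page the OpenResty Lua code used to serve). If the valid-token case still fails, the header is not reaching the sidecar: the ext_authz integration has to forward x-auth-request-access-token from the authorization response onto the upstream request, which is exactly the gap the earlier posts in this thread ran into with the Authorization and X-Forwarded-Access-Token headers.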