Use Istio for authorisation: how to redirect to login page and how to use JWT cookies

Security
1

Hi,

I’m trying to remove user authorization built-in to the applications and move then to istio. In the past i have been able to use RequestAuthentication and AuthorizationPolicy with JWT to secure public restful services. This time its a front-end

We use keycloak OIDC and currently we use lua inside an openresty container to obtain the JWT cookie and based on that the user is either redirected to keycloak’s login page, is granted access or if the user does not have the proper role, we send back a 403 error page.

I have the following questions:

  • How can i have istio/envoy redirect when they need to login?
  • can i use fromHeaders to obtain the JWT from keycloak’s cookies?

tx.,

2

I believe i have to add oauth2-proxy in the mix and perhaps use an EnvoyFilter?

Hoping for a simpler solution. Any help is welcome,

tx

3

As it is related to AuthorizationPolicy, cc @YangminZhu.

4

  1. you can probably check this blog that tells how to integrate oauth-proxy with istio using EnvoyFilter: https://www.paraesthesia.com/archive/2020/09/03/setting-up-oauth2-proxy-with-istio/, we are also working to provide first-class support for such use cases, see the design doc here Better External Authorization - Google Docs

  2. the fromHeaders is used when the JWT token is stored in a different header (the default is Authorization header) in the request. Do you mean you want to verify the JWT token from keycloak stored in some custom header? Also note the request authentication policy doesn’t support opaque cookie, it only supports JWT token.

5

Thanks for your reply and link!

I was on a similar path, but this helped tremendously. I got to the point where i can login, but my application fails with RBAC: access denied.

I also don’t see any headers in the envoy rbac debug that the envoy proxy can use to authenticate. I do see the cookie', '_oauth2_proxy, but no Authorization header (or X-Forwarded-Access-Token). I did configure oauth2-proxy to pass those:

- '--pass-access-token=true'     #pass token as X-Forwarded-Access-Token
- '--pass-authorization-header=true' # pass OIDC IDToken
- '--set-authorization-header=true'
- '--skip-jwt-bearer-tokens=true' # sets the Authorization Bearer response header
- '--upstream=static://'

But these don’t end up at the app’s envoy proxy. Any ideas?

6

With --set-xauthrequest=true i am getting the x-auth-request-access-token as a header, but i am not able to set the other headers

For now i’ll use

fromHeaders:
  - name: x-auth-request-access-token
7

We now have better support of integrating external authz in Istio 1.9, check the task Istio / External authorization with custom action and the blog Istio / Better External Authorization for more info.

Specifically for oauth2-proxy, you could try with the following configuration:

apiVersion: apps/v1
kind: Deployment
metadata:
  name: oauth2-proxy
spec:
  replicas: 1
  selector:
    matchLabels:
      app: oauth2-proxy
  template:
    metadata:
      labels:
        app: oauth2-proxy
    spec:
      containers:
      - args:
        - --http-address=127.0.0.1:4180
        - --provider=google
        - --email-domain=*
        - --cookie-refresh=1h
        - --cookie-secure=false # Set to false for test environment only
        - --set-xauthrequest # X-Auth-Request-User, X-Auth-Request-Email, X-Auth-Request-Preferred-Username, X-Auth-Request-Groups
        - --pass-access-token # X-Auth-Request-Access-Token, must first enable --set-xauthrequest
        - --set-authorization-header # Authorization: Bearer <JWT>
        - --upstream="static://200"
        - --reverse-proxy
        env:
        - name: OAUTH2_PROXY_CLIENT_ID
          value: "<YOUR_CLIENT_ID>"
        - name: OAUTH2_PROXY_CLIENT_SECRET
          value: "<YOUR_CLIENT_SECRET>"
        - name: OAUTH2_PROXY_COOKIE_SECRET
          value: "<YOUR_COOKIE_SECRET>" # could be generated with python -c 'import secrets,base64; print(base64.b64encode(base64.b64encode(secrets.token_bytes(16))));'
        image: quay.io/oauth2-proxy/oauth2-proxy:v7.0.1
        imagePullPolicy: Always
        name: oauth2-proxy
        ports:
        - containerPort: 4180
          protocol: TCP
---
apiVersion: v1
kind: Service
metadata:
  name: oauth2-proxy
spec:
  selector:
    app: oauth2-proxy
  ports:
  - name: http
    port: 4180
    protocol: TCP
    targetPort: 4180
1 Like
8

@YangminZhu Similar to external authz, is there a plan to provide first-class support for Envoy oauth2 filter?

9

Probably in the future but no plans for now, I think the OAuth2 filter API is still in alpha and under active development, we probably need it to be in a more stable stage to have formal support in Istio.

10

@ YangminZhu,
I am trying to user Envoy oauth2 filter with OIDC client is set to public access(without credentials). I am getting below error requesting for client credentials, how to pass parameter OIDC client as public <pre>2023-03-08T10:32:58.742912Z warning envoy config external/envoy/source/common/config/grpc_subscription_impl.cc:128 gRPC config for type.googleapis.com/envoy.config.listener.v3.Listener rejected: Error adding/updating listener(s) virtualInbound: Proto constraint validation failed (OAuth2ValidationError.Config: embedded message failed validation | caused by OAuth2ConfigValidationError.Credentials: value is required): config { token_endpoint { </pre>