Using Istio to perform end-user authentication

Can anyone help on using Istio to perform end-user authentication, meaning apps won’t contain any authentication logic! Authentication, for user access to an application, will be done at the Istio Gateway. Preferably, the IdP with be external - Okta, for example.

1 Like

@incfly could you take a look? Right now we have can have plain text mode to bypass the authentication steps. Do we support some plugin idp with external?

1 Like

Thank you for the attention. While I await @incfly , @William_Li … can you explain: " we have can have plain text mode to bypass the authentication steps." Thank you.

As for plaintext mentioned by @William_Li , i dont think it’s relevant.

1 Like

@incfly , apologies for this noob question, but I’m new to implementing authentication and authorization and unsure what typical patterns look like.

Ideally I’d like to handle authn and authz for my whole mesh, but am unclear where the information about users should be kept. Is it on me to keep a database of users and their attributes/roles/claims for RBAC, or is it appropriate to just use authn scopes as I understand both of the resources you link suggest? In the latter case, do I keep a database of which authn identities match which users?

Any thoughts or even suggested resources would be much appreciated. Thanks!

@yovizzle , …“am unclear where the information about users should be kept” - in my case the users are maintained by the Identity Provider (IdP) - Okta to be exact. @incfly , thanks for the reply. I earlier toyed with the JetStack blog. I was almost there using ISTIO’s Authz and Authn implementations: ```
AuthorizationPolicy and RequestAuthentication. I got stuck with Okta which I believe is not fully compliant with their jwksUri. Also, injecting the jwt token back in the header was difficult - the callback endpoint being the issue. Think with their purchase of Auth0 I will be successful. I had a little success with the google jwt token. Just wanted to read another example of the Jetstack implementation. Again THANK YOU!