Authentication And Authorization Using Istio and OAuth2 Proxy Without App Code Change

Ajay Singh
2 min read · Dec 16, 2022


In today's world, where we have many IdPs (Identity Providers) such as Google, Microsoft and Facebook, and where more and more systems are built as microservices, it is a good idea to separate the responsibility for authentication and authorization from the applications/microservices themselves.

If you are running your microservices on Kubernetes (self-hosted or cloud-hosted), there are a couple of options: a sidecar or an ingress controller. Both have drawbacks. With a sidecar you have to integrate it into every microservice's Helm chart or deployment YAML, and handling the reverse proxy per service can be a pain. With an ingress controller, on the other hand, you can keep that configuration entirely separate from the applications, but managing the ingress controller configuration for many microservices can be challenging too.

Working on these requirements, I found a very good open source tool for this: OAuth2 Proxy.

OAuth2 Proxy integrates with many well-known IdPs and provides a way to implement authentication, and with some help, authorization. It handles the id_token, access_token and refresh_token on the application's behalf, and can map and filter the identity information it gets from them (user, email, groups, and optionally the tokens themselves) into request headers that are passed to the upstream service.

You can easily use NGINX as the ingress controller on Kubernetes and delegate authentication to OAuth2 Proxy via its auth_request integration, but that gives you authentication only: the ingress controller has no policy language of its own for authorization, so any role-based decision has to be squeezed into the proxy's coarse allow lists.

I found that with Istio it is possible to get both authentication and authorization, using Istio's External Authorizer together with its AuthorizationPolicy.

The key is to register OAuth2 Proxy as the Istio External Authorizer (a CUSTOM action AuthorizationPolicy handles the login flow), and then to write Istio ALLOW and DENY AuthorizationPolicies keyed on the IdP roles (in my case Azure AD roles) that arrive with the authenticated request.

Below is an example using the Istio sample BookInfo application (a set of microservices).
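To make the External Authorizer plus AuthorizationPolicy combination concrete, here is an added example against the BookInfo sample. These manifests were written for this edit; they are not the author's own manifests. They cover the three pieces: the meshConfig entry that registers OAuth2 Proxy as an external authorizer, a CUSTOM policy on the ingress gateway that sends browser traffic through the proxy (authentication), and a RequestAuthentication plus ALLOW policy on the productpage workload that validate the Azure AD id_token the proxy attaches and map its `roles` claim to paths (authorization). The hostname bookinfo.example.com, the oauth2-proxy namespace, Service name and startup flags, the app role values bookinfo.reader and bookinfo.admin, and the <TENANT_ID> and <CLIENT_ID> placeholders are all assumptions.

```yaml
# --- 1. Register OAuth2 Proxy as an Istio external authorizer (meshConfig) ---
apiVersion: v1
kind: ConfigMap
metadata:
  name: istio
  namespace: istio-system
data:
  mesh: |-
    extensionProviders:
    - name: oauth2-proxy
      envoyExtAuthzHttp:
        # Assumed: oauth2-proxy runs as this Service on its default port 4180,
        # started with --upstream=static://200 --reverse-proxy=true
        # --set-authorization-header=true --set-xauthrequest=true
        service: oauth2-proxy.oauth2-proxy.svc.cluster.local
        port: "4180"
        # Send the session cookie (and any bearer token) along with the check.
        includeRequestHeadersInCheck: ["authorization", "cookie"]
        # On a 2xx from the proxy, add/override these headers on the request;
        # "authorization" then carries the Azure AD id_token ("Bearer <jwt>").
        headersToUpstreamOnAllow: ["authorization", "x-auth-request-user", "x-auth-request-email"]
        # On a non-2xx (redirect to the IdP), hand the redirect and cookie to the browser.
        headersToDownstreamOnDeny: ["content-type", "location", "set-cookie"]
---
# --- 2. Authentication: requests for the app host go through the proxy at the gateway ---
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: bookinfo-oauth2-proxy
  namespace: istio-system
spec:
  selector:
    matchLabels:
      istio: ingressgateway
  action: CUSTOM
  provider:
    name: oauth2-proxy
  rules:
  - to:
    - operation:
        hosts: ["bookinfo.example.com"]   # assumed hostname
        notPaths: ["/oauth2/*"]           # the proxy's own sign-in/callback endpoints
---
# --- 3. Validate the id_token the proxy attached, at the productpage sidecar ---
apiVersion: security.istio.io/v1beta1
kind: RequestAuthentication
metadata:
  name: azure-ad-idtoken
  namespace: default
spec:
  selector:
    matchLabels:
      app: productpage
  jwtRules:
  - issuer: "https://login.microsoftonline.com/<TENANT_ID>/v2.0"
    jwksUri: "https://login.microsoftonline.com/<TENANT_ID>/discovery/v2.0/keys"
    audiences: ["<CLIENT_ID>"]   # an id_token's aud is the app registration's client ID
---
# --- 4. Authorization: Azure AD app roles (the "roles" claim) decide what a user may reach ---
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: productpage-by-role
  namespace: default
spec:
  selector:
    matchLabels:
      app: productpage
  action: ALLOW
  rules:
  # Readers and admins may browse the page; requestPrincipals "*" demands a valid JWT.
  - from:
    - source:
        requestPrincipals: ["*"]
    to:
    - operation:
        methods: ["GET"]
        paths: ["/productpage*", "/static*"]
    when:
    - key: request.auth.claims[roles]
      values: ["bookinfo.reader", "bookinfo.admin"]   # assumed app role values
  # Only admins may call the JSON API behind the page.
  - from:
    - source:
        requestPrincipals: ["*"]
    to:
    - operation:
        paths: ["/api/*"]
    when:
    - key: request.auth.claims[roles]
      values: ["bookinfo.admin"]
```

A few points worth checking when you adapt this. Istio evaluates CUSTOM policies first, then DENY, then ALLOW, so the proxy's login flow always runs before any role check; and because the id_token is only attached by the gateway after the proxy allows the request, the RequestAuthentication and the role policy must sit on the workload (here productpage), not on the gateway. A RequestAuthentication by itself only rejects invalid tokens and lets token-less requests through, so the `requestPrincipals: ["*"]` in the ALLOW rules is what actually requires a token: if the gateway policy is ever removed, the page still refuses unauthenticated traffic. The `/oauth2/*` paths excluded from the CUSTOM policy need a VirtualService on the same Gateway routing them to the oauth2-proxy Service so the OIDC callback can be completed. Finally, Azure AD only emits the `roles` claim when app roles are defined on the app registration and assigned to the user, so an unassigned user gets a valid token and is still denied here.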

Please have a look at my brief videos on OAuth2 Proxy, where I cover authentication using NGINX, and authentication/authorization using Istio, with the help of OAuth2 Proxy.

https://www.youtube.com/playlist?list=PLqHf_28zy3ro_J8Ca4u6-dD5iYbbgNeYS


Ajay Singh

Azure Architect Expert | DevOps Architect | Machine Learning | Integration Expert