Istio OIDC Authentication with OAuth2-Proxy

Nandan B N
3 min readAug 9, 2021

--

We usually come across various scenarios in every aspect of implementation for which we don’t find a straight solution. One such scenario was implementing external authorization with Istio.

Since Istio uses Envoy as its proxy which is flexible and highly configurable, it is possible to implement external authorization using custom EnvoyFilter to intercept the requests and forward them to external auth provider with oauth2-proxy (Reference). But how can we simplify this now?

Let’s see

From Istio 1.9, they have implemented extensibility into authorization policy by introducing a CUSTOM action, which allows you to delegate the access control decision to an external authorization service and makes it super easy to configure external authorization with just a simple custom resource.

The CUSTOM action with provider configuration allows us to integrate Istio with an external authorization system at gateway/sidecar proxy that implements its custom authorization logic.

At runtime,

  1. Based on the AuthorizationPolicy config, the request is intercepted by the proxy (Gateway/Sidecar), and the proxy will send check requests to the external auth service.
  2. The external auth service will decide whether to allow it or not.
  3. If allowed, the request will continue and will be enforced by any local authorization defined by ALLOW/DENY action. The respectively configured headers will be forwarded to the actual service from the oauth2-proxy.
  4. If denied, the request will be rejected immediately and the deny headers will be forwarded back to the requested client.

Oauth2-Proxy

To forward the requests to the external authentication Oauth2/OIDC provider we must have an interceptor service.
We’ll be using oauth2-proxy which will forward the unauthenticated requests to an external provider. Then from the provider’s callback response it retrieves the token, validates it, gets required users’ info, and forwards necessary details to the application service via headers.

Setting up Oauth2-Proxy

OAuth2-Proxy provides official helm charts and we can spin up the oauth2-proxy pod easily by doing helm install.

Before going to install charts we have to update the values.yaml with external auth providers (such as Google Oauth, AWS Cognito, Github, etc.,) details i.e., client_id, client_secret, issuer_url, etc.

Replace with respective values which are mentioned within “< >” as shown in the above example. Once we update with the respective values of Auth provider we want, we are good to install the oauth2-proxy helm chart in our cluster.
We can install by using the below commands and verify if oauth2-proxy is running successfully.

helm repo add oauth2-proxy https://oauth2-proxy.github.io/manifests
helm install oauth2-proxy oauth2-proxy/oauth2-proxy -f updated_values.yaml

Istio Configuration

External Providers

Once we have oauth2-proxy up and running, Istio should forward the desired request to oauth2-proxy which will authorize the request and forward it to the respective service.
To do that we should update the external provider’s configuration in the Istio profile under meshConfig as shown below.

After updating the Istio profile with the above config, we have to apply the changes. Let’s do it by using below command:

istioctl install -f updated-profile.yaml

Authorization Policy

Now we have the external provider and oauth2-proxy in place. The last thing is we should have rules defined based on which the requests will be intercepted. To achieve this Istio gives us a custom resource called AuthorizationPolicy using which we can easily define rules.

Example: Authorize requests coming from domain “demo.example.com” or requests having path prefix “/api”

Let’s look at a sample example:

After applying the above `AuthorizationPolicy`, all the requests coming to “demo.example.com” will be routed through oauth2-proxy for authorization.

That’s it, we have externalized the authorization implementation leveraging Istio and Oauth2-proxy capability.

To summarize, we are using oauth2-proxy to handle external authorization request and Istio will to configure dynamic rules based on which the requests must be authorized.

Overall Flow: Incoming Request -> Istio Ingress Gateway -> Authorization Policy -> Oauth2-Proxy -> if(authorized) Application Service -> else Rejected Unauthorized.

Hope this article gives a glimpse on implementing external authorization using Istio and Oauth2-Proxy. I would love to answer your questions or doubts and leave claps if you find this helpful.

--

--

Nandan B N

Polyglot developer passionate about every technology, exploring them one by one and helping the community along the way. 😉