Istio OIDC Authentication with OAuth2-Proxy

Let’s see

Starting with Istio 1.9, the AuthorizationPolicy resource supports a CUSTOM action that delegates the access-control decision to an external authorization service. This makes external authorization a matter of configuring a single custom resource. The request flow is:

  1. The external authorization service decides whether the request is allowed.
  2. If allowed, the request continues and is still subject to any local ALLOW/DENY policies. The headers configured for the allow case are forwarded from oauth2-proxy to the actual service.
  3. If denied, the request is rejected immediately and the headers configured for the deny case are returned to the requesting client.

Oauth2-Proxy

To hand requests over to an external OAuth2/OIDC provider we need an interceptor service.
We’ll be using oauth2-proxy, which redirects unauthenticated requests to the external provider. From the provider’s callback response it retrieves the token, validates it, fetches the required user info, and forwards the necessary details to the application service via headers.

Setting up Oauth2-Proxy

OAuth2-Proxy provides an official Helm chart, so we can spin up the oauth2-proxy pod with a plain helm install.

helm repo add oauth2-proxy https://oauth2-proxy.github.io/manifests
helm install oauth2-proxy oauth2-proxy/oauth2-proxy -f updated_values.yaml

Istio Configuration

External Providers

Once oauth2-proxy is up and running, Istio needs to forward the selected requests to it; oauth2-proxy then authorizes each request before it reaches the respective service.
To do that we register oauth2-proxy as an external provider under meshConfig in the Istio profile, as shown below.

istioctl install -f updated-profile.yaml

Authorization Policy

Now we have the external provider and oauth2-proxy in place. The last piece is the set of rules that decide which requests are intercepted. For this Istio gives us the AuthorizationPolicy custom resource, in which the rules are defined.
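The two pieces the sections above describe, written out as an added example (not the post's own updated-profile.yaml, which is not reproduced on the page). The oauth2-proxy namespace and Service name, the gateway selector, and the host app.example.com are assumptions.

```yaml
# IstioOperator profile: registers oauth2-proxy as an external authorizer.
# Service/namespace names and the hostname below are assumptions.
apiVersion: install.istio.io/v1alpha1
kind: IstioOperator
spec:
  meshConfig:
    extensionProviders:
    - name: oauth2-proxy
      envoyExtAuthzHttp:
        # In-cluster address of the Service created by the Helm release
        service: oauth2-proxy.oauth2-proxy.svc.cluster.local
        port: "4180"
        # Only these request headers are sent to the authorizer;
        # the cookie carries the oauth2-proxy session
        includeRequestHeadersInCheck: ["authorization", "cookie"]
        # Headers set by oauth2-proxy on allow, forwarded to the upstream app.
        # The app must treat them as trusted only because the mesh sets them.
        headersToUpstreamOnAllow:
          - authorization
          - path
          - x-auth-request-user
          - x-auth-request-email
          - x-auth-request-access-token
        # Headers returned to the client on deny: the redirect to the
        # identity provider and the session cookie it sets
        headersToDownstreamOnDeny: ["content-type", "set-cookie", "location"]
---
# AuthorizationPolicy with the CUSTOM action, delegating to the provider above.
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: oauth2-proxy-ext-authz
  namespace: istio-system
spec:
  # Scope to the ingress gateway; without a selector the policy would
  # apply to every workload in the namespace
  selector:
    matchLabels:
      istio: ingressgateway
  action: CUSTOM
  provider:
    name: oauth2-proxy        # must match extensionProviders[].name
  rules:
  - to:
    - operation:
        hosts: ["app.example.com"]   # only this host is intercepted
```

The ext_authz check only yields allow/deny; the provider's callback path (/oauth2/callback by default) still needs a gateway route to the oauth2-proxy Service so the login round trip can complete.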

Nandan B N