Unable to create API Authentication using Istio Ingress Gateway, OAuth2-Proxy and Keycloak

71 views Asked by At

I'm trying to create API Authentication for two apis using Istio Ingress Gateway, OAuth2-Proxy and Keycloak according to the following scheme: https://medium.com/@senthilrch/api-authentication-using-istio-ingress-gateway-oauth2-proxy-and-keycloak-part-2-of-2-dbb3fb9cd0d0

I cannot understand how to organize routing to the proper api after oauth2-proxy callback as far as url in state callback parameter does not contain prefix with api name any more.

I have two APIs (api1 and api2) and oauth2-proxy running in the same namespace.

I also have VirtualService configuration required for traffic routing within the Ingress Gateway:

apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata:
  name: some-virtual-service
  namespace: istio-system
spec:
  gateways:
    - some-gateway
  hosts:
    - some-host
  http:
    - match:
        - uri:
            prefix: /oauth2
      route:
        - destination:
            host: oauth2-proxy.namespace-with-apps-and-oauth2-proxy.svc.cluster.local
            port:
              number: 80
    - match:
        - uri:
            prefix: /some-prefix/api1/
      rewrite:
        uri: ' '
      route:
        - destination:
            host: >-
              api1.namespace-with-apps-and-oauth2-proxy.svc.cluster.local
            port:
              number: 80
    - match:
        - uri:
            prefix: /some-prefix/api2/
      rewrite:
        uri: ' '
      route:
        - destination:
            host: >-
              api2.namespace-with-apps-and-oauth2-proxy.svc.cluster.local
            port:
              number: 80

I also have extensionProviders defined in Istio's config map:

kind: ConfigMap
apiVersion: v1
metadata:
  name: istio
data:
  mesh: |-
  ...
    extensionProviders:
      - name: oauth2-proxy
        envoyExtAuthzHttp:
          service: oauth2-proxy.namespace-with-apps-and-oauth2-proxy.svc.cluster.local
          port: 80
          timeout: 1.5s
          includeHeadersInCheck: ["authorization", "cookie"]
          headersToUpstreamOnAllow: ["x-forwarded-access-token", "authorization", "path", "x-auth-request-user", "x-auth-request-email", "x-auth-request-access-token"]
          headersToDownstreamOnDeny: ["content-type", "set-cookie"]

There is also an AuthorizationPolicy in namespace-with-apps-and-oauth2-proxy with configuration:

apiVersion: security.istio.io/v1
kind: AuthorizationPolicy
metadata:
  name: ext-authz-oauth2-proxy
  namespace: namespace-with-apps-and-oauth2-proxy
spec:
  action: CUSTOM
  provider:
    name: oauth2-proxy
  rules:
    - to:
        - operation:
            paths:
              - /*
  selector:
    matchLabels:
      app: api1

Now I'm trying to create authorization flow only for api1, but I'm going to develop this authorization flow for api2 too using another oauth2-proxy. Unfortunately, I can't create authorization flow because VirtualService removes prefix with api name from the url and oauth2-proxy callback returns url without this prefix. So I cannot understand how to organize routing to the proper api after oauth2-proxy callback as far as url does not contain prefix with api name any more. As a possible solution I need an opportunity to add a prefix to state parameter in oauth2-proxy callback url but I cannot find how to do it. Could you please suggest some fix to this problem?

Adding proxy-prefix does not help as it does not change state parameter in oauth2-proxy callback uri.

0

There are 0 answers