I'm trying to create API Authentication for two apis using Istio Ingress Gateway, OAuth2-Proxy and Keycloak according to the following scheme: https://medium.com/@senthilrch/api-authentication-using-istio-ingress-gateway-oauth2-proxy-and-keycloak-part-2-of-2-dbb3fb9cd0d0
I cannot understand how to organize routing to the proper API after the oauth2-proxy callback, since the URL in the state callback parameter no longer contains the prefix with the API name.
I have two APIs (api1 and api2) and oauth2-proxy running in the same namespace.
I also have the VirtualService configuration required for traffic routing within the Ingress Gateway:
```yaml
apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata:
  name: some-virtual-service
  namespace: istio-system
spec:
  gateways:
    - some-gateway
  hosts:
    - some-host
  http:
    - match:
        - uri:
            prefix: /oauth2
      route:
        - destination:
            host: oauth2-proxy.namespace-with-apps-and-oauth2-proxy.svc.cluster.local
            port:
              number: 80
    - match:
        - uri:
            prefix: /some-prefix/api1/
      rewrite:
        uri: ' '
      route:
        - destination:
            host: >-
              api1.namespace-with-apps-and-oauth2-proxy.svc.cluster.local
            port:
              number: 80
    - match:
        - uri:
            prefix: /some-prefix/api2/
      rewrite:
        uri: ' '
      route:
        - destination:
            host: >-
              api2.namespace-with-apps-and-oauth2-proxy.svc.cluster.local
            port:
              number: 80
```
I also have extensionProviders defined in Istio's config map:
```yaml
kind: ConfigMap
apiVersion: v1
metadata:
  name: istio
data:
  mesh: |-
    ...
    extensionProviders:
      - name: oauth2-proxy
        envoyExtAuthzHttp:
          service: oauth2-proxy.namespace-with-apps-and-oauth2-proxy.svc.cluster.local
          port: 80
          timeout: 1.5s
          includeHeadersInCheck: ["authorization", "cookie"]
          headersToUpstreamOnAllow: ["x-forwarded-access-token", "authorization", "path", "x-auth-request-user", "x-auth-request-email", "x-auth-request-access-token"]
          headersToDownstreamOnDeny: ["content-type", "set-cookie"]
```
There is also an AuthorizationPolicy in namespace-with-apps-and-oauth2-proxy with the following configuration:
```yaml
apiVersion: security.istio.io/v1
kind: AuthorizationPolicy
metadata:
  name: ext-authz-oauth2-proxy
  namespace: namespace-with-apps-and-oauth2-proxy
spec:
  action: CUSTOM
  provider:
    name: oauth2-proxy
  rules:
    - to:
        - operation:
            paths:
              - /*
  selector:
    matchLabels:
      app: api1
```
Now I'm trying to create the authorization flow only for api1, but I'm going to develop this authorization flow for api2 too, using another oauth2-proxy. Unfortunately, I can't create the authorization flow because the VirtualService removes the prefix with the API name from the URL, and the oauth2-proxy callback returns a URL without this prefix. So I cannot understand how to organize routing to the proper API after the oauth2-proxy callback, since the URL no longer contains the prefix with the API name. As a possible solution I would need a way to add a prefix to the state parameter in the oauth2-proxy callback URL, but I cannot find how to do it. Could you please suggest a fix for this problem?
Adding proxy-prefix does not help, as it does not change the state parameter in the oauth2-proxy callback URI.
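An added example (not code from the question or from oauth2-proxy) that models the redirect round trip the question is about: the original, un-rewritten request path is carried as a return URL into the login redirect, and on the way back it is validated against the two API prefixes before anyone is redirected to it, so the callback cannot be turned into an open redirector. It is modelled on the `/oauth2/start?rd=` convention; the prefix allow-list, the sample path and the helper names are constructed for the example.

```python
# Added example, not from the question or oauth2-proxy. Assumes the authorizer
# is handed the original (un-rewritten) request path, so the API prefix is
# still known when the login redirect is built and can be carried along.
from urllib.parse import urlsplit, quote, parse_qs

# Constructed allow-list: the two prefixes the VirtualService routes on.
ALLOWED_PREFIXES = ("/some-prefix/api1/", "/some-prefix/api2/")
OAUTH2_START = "/oauth2/start"   # oauth2-proxy login start endpoint


def build_login_redirect(original_path: str) -> str:
    """Location header for an unauthenticated request: send the browser to
    oauth2-proxy's start endpoint and carry the original path as rd=."""
    return f"{OAUTH2_START}?rd={quote(original_path, safe='')}"


def safe_return_path(candidate: str) -> str:
    """Validate the post-login return target. Anything that is not a local
    path under a protected API prefix falls back to '/'."""
    if not candidate or not candidate.startswith("/") or candidate.startswith("//"):
        return "/"                          # absolute or protocol-relative URL
    parts = urlsplit(candidate)
    if parts.scheme or parts.netloc:        # anything that still parses to a host
        return "/"
    if ".." in parts.path.split("/"):       # path traversal out of the prefix
        return "/"
    if not parts.path.startswith(ALLOWED_PREFIXES):
        return "/"                          # not one of our APIs
    return candidate


def return_path_from_redirect(location: str) -> str:
    """Recover rd= from the login redirect and validate it before use."""
    query = parse_qs(urlsplit(location).query)
    return safe_return_path(query.get("rd", [""])[0])


if __name__ == "__main__":
    # Constructed sample request to api1; the prefix survives the round trip.
    loc = build_login_redirect("/some-prefix/api1/items?page=2")
    print(loc, "->", return_path_from_redirect(loc))
    # A hostile return target is neutralised instead of being followed.
    print(safe_return_path("//evil.example/phish"))
```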