Leverage Single Sign-On with oauth2-proxy and Istio
Not every application we found has a single sign-on build-in feature, this is a little tricky if you want to make it public but only want to provide access to the authenticated user. Luckily, there is an open-source project call oauth2-proxy that acts as a middleware as an authenticating system.
From my understanding, only using oauth2-proxy is not enough, because every application should have an oauth2-proxy service in front of them. With Istio, we can use a single oauth2-proxy for every endpoint/service/domain that we want to expose to the public.
You can run oauth2-proxy as a service in Kubernetes or VM, we can use helm charts for that. You can refer to this official site.
I am using Keycloak as a identity provider, the helm charts values look like this
For logging, it’s up to you to set the value to true or false, after you deploy the oauth2-proxy service, you need to expose your application via Istio ingress gateway
I will use Kubernetes dashboard as a example service, an example how to expose a service via ingressgateway
after exposing the service, we need to setup an EnvoyFilter to start redirection for unauthentication users. This EnvoyFilter will works on Istio ingressgateway.
the most important part is the SNI matching only your service and server_uri which is your oauth2-proxy service. After applying this, when you access the service, it will force you to login before sending to the upstream service which is Kubernetes dashboard.
The concept behind External Authorization is istio:
first-time requests, packet go to Istio ingressgateway, got forwarded to oauth2-proxy service via external authz envoyfilter
oauth2-proxy check that authentication is missing, force client to log in and redirected to the authentication provider
client login, login success, the OAuth tokens are stored in the configured session store (cookie or Redis in oauth2-proxy) and a cookie is set in the client
client get callback URL
client do requests again, go to istio ingressgateway, forwarded to oauth2-proxy
oauth2-proxy verify the credentials, return 200 OK to Istio, Istio forward to upstream