does anyone have a example of oathkeeper with istio doesnt n Ory Community #talk-oathkeeper

Join Slack

does anyone have a example of oathkeeper with isti...

# talk-oathkeeper

adorable-byte-96872

05/18/2022, 2:02 PM

does anyone have a example of oathkeeper with istio? doesnt need to be generic, just need a starting point

happy-morning-85531

05/18/2022, 2:13 PM

what in particular do you need?

tall-angle-41306

05/18/2022, 5:13 PM

Do you mean for the EnvoyFilters?

tall-angle-41306

05/18/2022, 5:14 PM

This is what we used as a starting point if so; https://github.com/ory/oathkeeper/issues/624

adorable-byte-96872

05/19/2022, 3:38 AM

yeah i've read through that and added the filter but very new to istio. did you need to add a virtual service and destination rule for both kratos and oathkeeper?

happy-morning-85531

05/19/2022, 7:01 AM

With regards to the link above, i think a updated istio guide would be nice as that builds on older building blocks (the EnvoyFilter), now for auth use case you can use the ExternalAuth as an extension provider (https://istio.io/latest/docs/tasks/security/authorization/authz-custom/)

happy-morning-85531

05/19/2022, 7:03 AM

Theres a lot of unknowns as it all depends on your setup with gateways, virtualservices etc

happy-morning-85531

05/19/2022, 7:07 AM

But with istio you would probably use oathkeeper as just the decision api, and i've got it working by setting up a extension provider in the mesh setup as

Copy code

extensionProviders:
  - name: ext-authz
    envoyExtAuthzHttp:
      service: oathkeeper-api.ory.svc.cluster.local
      port: 4456
      timeout: 10s
      failOpen: false
      statusOnError: "500"
      pathPrefix: /decisions
      includeRequestHeadersInCheck: ["authorization", "cookie"] 
      headersToUpstreamOnAllow: ["authorization", "path"]

Then i can just create istio

AuthorizationPolicy

CRs which reference this. One example

Copy code

apiVersion: <http://security.istio.io/v1beta1|security.istio.io/v1beta1>
kind: AuthorizationPolicy
metadata:
  name: api-gateway
  namespace: istio-system
spec:
  action: CUSTOM
  provider:
    name: ext-authz
  rules:
  - to:
    - operation:
        hosts:
        - <http://api.dev.example.com|api.dev.example.com>
        notPaths:
        - /unsecured/*
  selector:
    matchLabels:
      app: istio-ingressgateway

tall-angle-41306

05/19/2022, 7:38 AM

@happy-morning-85531 Thanks for sharing that! Learnt something new there, we're using EnvoyFilters ourselves, but your solution might solve a few workarounds we've had to put in place for the filters!

happy-morning-85531

05/19/2022, 7:40 AM

you're welcome 🙂

adorable-byte-96872

05/19/2022, 12:02 PM

thanks a lot. I've finally got it using oathkeeper to decide whether the request is OK or not. the only thing left I hope 😄 is to work out how to reroute on auth fail. Ive noticed the normal "errors" property in access rules isnt available in the CRD rule object

happy-morning-85531

05/19/2022, 12:45 PM

If it fits your use case you can set global error handlers in the oath keeper config but maybe you need more granular than that

adorable-byte-96872

05/30/2022, 9:19 AM

had to drop it for a bit. just got time to get back on this but the redirect for auth fail just does nada. I have oathkeeper config set to:

Copy code

errors:
      fallback:
        - json

      handlers:
        redirect:
          enabled: true
          config:
            to: <http://myapp:30462/login>
            when:
              -
                error:
                  - unauthorized
                  - forbidden
                request:
                  header:
                    accept:
                      - text/html

But nothing happens. I just returns a 401 with content type application/json. Do you have any advice?

adorable-byte-96872

06/01/2022, 4:10 AM

turns out i needed to accept the "text/plain" header in the oathkeeper config and now it works! facepalm

356 Views

Open in Slack

Previous Next