does anyone have a example of oathkeeper with isti...
# talk-oathkeeper
a
does anyone have a example of oathkeeper with istio? doesnt need to be generic, just need a starting point
h
what in particular do you need?
t
Do you mean for the EnvoyFilters?
This is what we used as a starting point if so; https://github.com/ory/oathkeeper/issues/624
a
yeah i've read through that and added the filter but very new to istio. did you need to add a virtual service and destination rule for both kratos and oathkeeper?
h
With regards to the link above, i think a updated istio guide would be nice as that builds on older building blocks (the EnvoyFilter), now for auth use case you can use the ExternalAuth as an extension provider (https://istio.io/latest/docs/tasks/security/authorization/authz-custom/)
Theres a lot of unknowns as it all depends on your setup with gateways, virtualservices etc
But with istio you would probably use oathkeeper as just the decision api, and i've got it working by setting up a extension provider in the mesh setup as
Copy code
extensionProviders:
  - name: ext-authz
    envoyExtAuthzHttp:
      service: oathkeeper-api.ory.svc.cluster.local
      port: 4456
      timeout: 10s
      failOpen: false
      statusOnError: "500"
      pathPrefix: /decisions
      includeRequestHeadersInCheck: ["authorization", "cookie"] 
      headersToUpstreamOnAllow: ["authorization", "path"]
Then i can just create istio
AuthorizationPolicy
CRs which reference this. One example
Copy code
apiVersion: <http://security.istio.io/v1beta1|security.istio.io/v1beta1>
kind: AuthorizationPolicy
metadata:
  name: api-gateway
  namespace: istio-system
spec:
  action: CUSTOM
  provider:
    name: ext-authz
  rules:
  - to:
    - operation:
        hosts:
        - <http://api.dev.example.com|api.dev.example.com>
        notPaths:
        - /unsecured/*
  selector:
    matchLabels:
      app: istio-ingressgateway
t
@happy-morning-85531 Thanks for sharing that! Learnt something new there, we're using EnvoyFilters ourselves, but your solution might solve a few workarounds we've had to put in place for the filters!
h
you're welcome 🙂
a
thanks a lot. I've finally got it using oathkeeper to decide whether the request is OK or not. the only thing left I hope 😄 is to work out how to reroute on auth fail. Ive noticed the normal "errors" property in access rules isnt available in the CRD rule object
h
If it fits your use case you can set global error handlers in the oath keeper config but maybe you need more granular than that
a
had to drop it for a bit. just got time to get back on this but the redirect for auth fail just does nada. I have oathkeeper config set to:
Copy code
errors:
      fallback:
        - json

      handlers:
        redirect:
          enabled: true
          config:
            to: <http://myapp:30462/login>
            when:
              -
                error:
                  - unauthorized
                  - forbidden
                request:
                  header:
                    accept:
                      - text/html
But nothing happens. I just returns a 401 with content type application/json. Do you have any advice?
turns out i needed to accept the "text/plain" header in the oathkeeper config and now it works! facepalm
234 Views