Comments (2)
cfryanr
commented on September 21, 2024
It appears that you can configure the ext_authz filter to be skipped based on paths, so maybe the authservice does not need to also this kind of configuration option itself?
from authservice.
cfryanr
commented on September 21, 2024
We tried using Istio's EnvoyFilter to configure the Envoy ext_authz settings for skipping specific paths, but it does not seem possible.
We were allowed to use a MERGE operation with applyTo VIRTUAL_HOST to insert a route into the default virtual host, but it always merges by inserting it at the end of the array, and we need it to be at the start of the array because the default is for path "/" and we want to put more specific paths in the array before that. The docs say that INSERT_BEFORE is not supported with an applyTo HTTP_ROUTE or ROUTE_CONFIGURATION (see https://istio.io/docs/reference/config/networking/envoy-filter/#EnvoyFilter-ApplyTo).
It seems like we do need a feature in the authservice's config to skip auth for certain paths.
Note that the Istio JWT filter has a similar configuration option (see triggerRules on https://istio.io/docs/reference/config/security/istio.authentication.v1alpha1/#Jwt) so there is precedence for having such an option on a filter. That option allows users to use complex AND and OR logic on each request to decide if a JWT should be required based on path. Perhaps the authservice should have a similar configuration option. The Istio JWT filter implements this logic in a helper class.
When the Istio authn policy is applied, Pilot translates it into an envoy filter chain which has an envoy.config.filter.http.jwt_authn.v2alpha.JwtAuthentication envoy filter with allow_missing_or_failed turned on, followed by an Istio istio.envoy.config.filter.http.authn.v2alpha1.FilterConfig which actually does the path checking. The trigger_rules live on the second filter only. If we were to someday enhance the Istio JwtAuthentication policy to allow the authservice to be enabled/configured, then it would need to also give a copy of the trigger_rules to the authservice filter, which would be inserted into the filter chain before both of the others.
from authservice.
Related Issues (20)
- Websocket connections not possible because '/path?access_token=<JWT>' not handled in ODIC filter
- Feature Request - Support Redis TTL HOT 1
- integration with ADFS fails due to unable to shutdown connection for ssl stream HOT 2
- Better connection management for http host
- Concurrency Issues HOT 1
- Doc/example desired for trigger_rules
- Performance issues under minimal load
- HTTP Redirects end up with lost token information HOT 3
- Redis error during high traffic times
- How to set the client secret from an existing kubernetes secret? HOT 1
- Question on implementing multitenancy with istio/keycloak/authservice HOT 1
- Other flows particularly client credentials flow(machine2machine) HOT 1
- Does authservice only works for SPA app or can work for server side calls from client?
- Failed to login, get "Oops, your session has expired. Please try again." HOT 2
- Merge authservice-go into the main project as a v1 version HOT 4
- Microsoft Identity JWKS "alg" issue HOT 4
- Possible regression: case-sensitive validation of token_type
- Single Sign-on issue: loading previous user Session HOT 1
- Session hijacking attack
- Support `:` in client ID
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from authservice.