I am trying to use oauth2-proxy as an authentication middleware with Istio, but I see that it always proxies the request and tries to send it to the upstream itself instead of just returning a response to Istio. What I want to achieve is that when any of the app URLs is accessed, Istio should forward the request to oauth2-proxy, which in turn should check for a valid session and, if none is present, initiate the auth code flow. Once the flow is successfully complete, it should set the cookie and redirect back to the original URL. After this point, whenever any URL is accessed, oauth2-proxy should just check for a valid session and respond back to Istio so that the Istio gateway can then send the request to the upstream. But with my setup oauth2-proxy is trying to send the request to the upstream itself.
In Istio I have set the EnvoyFilter like below:
apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
  name: oauth-proxy
  namespace: istio-system
spec:
  configPatches:
  - applyTo: HTTP_FILTER
    match:
      context: GATEWAY
      listener:
        filterChain:
          filter:
            name: envoy.filters.network.http_connection_manager
            subFilter:
              name: envoy.filters.http.router
    patch:
      operation: INSERT_BEFORE
      value:
        name: envoy.filters.http.ext_authz
        typed_config:
          "@type": type.googleapis.com/envoy.extensions.filters.http.ext_authz.v3.ExtAuthz
          http_service:
            server_uri:
              uri: :80
              cluster: outbound|80||oauth2-proxy.default.svc.cluster.local
              timeout: 5s
            authorization_request:
              allowed_headers:
                patterns:
                - exact: "cookie"
                - exact: "authorization"
            authorization_response:
              allowed_upstream_headers:
                patterns:
                - exact: "set-cookie"
                - exact: "authorization"
  workloadSelector:
    labels:
      app: istio-ingress
And I have configured oauth2-proxy with the following options:
email_domains = [ "*" ]
oidc_issuer_url = ";
provider = "keycloak-oidc"
redirect_url = ";
skip_provider_button = "true"
insecure_oidc_allow_unverified_email = "true"
reverse_proxy = "true"
Is there something wrong with this config?
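The behaviour described above (oauth2-proxy forwarding authenticated requests to its own upstream) is what oauth2-proxy does by design: it is a reverse proxy and always needs an upstream. When it is used purely as an ext_authz check service, the documented way to get the "just answer Istio" behaviour is to point it at the built-in `static://<code>` upstream, so that an authenticated request gets a 202 back without any proxying (Envoy's ext_authz treats any 2xx check response as allow), while an unauthenticated request still gets the 302 to the identity provider, which Envoy treats as deny and relays to the client together with its `Location` and `Set-Cookie` headers. The following oauth2-proxy configuration is an added example written for this post, not the poster's config or anything from the oauth2-proxy project; the issuer URL, redirect URL, listen address and secret values are placeholders that must be replaced with real ones, and it assumes the EnvoyFilter above is left sending the original request path to oauth2-proxy (no `path_prefix`), so that `/oauth2/callback` is also reachable through the gateway.

```toml
# Added example configuration for running oauth2-proxy as an ext_authz
# backend behind Istio. Values marked "placeholder" are assumptions.

# Listen address the Istio cluster outbound|80||oauth2-proxy... points at
# (placeholder: the Service must map port 80 to this port).
http_address = "0.0.0.0:4180"

# Do not proxy anywhere: answer every authenticated request with HTTP 202.
# Envoy ext_authz treats 2xx as "allow" and then routes the original
# request to the real application itself, which is the desired split.
upstreams = [ "static://202" ]

# Provider settings (issuer and redirect URL are placeholders).
provider = "keycloak-oidc"
oidc_issuer_url = "https://keycloak.example.com/realms/myrealm"
redirect_url = "https://app.example.com/oauth2/callback"
client_id = "my-client-id"          # placeholder
client_secret = "my-client-secret"  # placeholder

# Go straight to the IdP instead of showing the provider selection page,
# so an unauthenticated request becomes a 302 that Envoy relays to the
# browser (non-2xx check responses are "deny" and are passed through).
skip_provider_button = true

email_domains = [ "*" ]
insecure_oidc_allow_unverified_email = true

# Trust X-Forwarded-* from the gateway so the callback and the
# "redirect back to original URL" are built with the external host.
reverse_proxy = true

# Session cookie used on every subsequent check request; the EnvoyFilter's
# allowed_headers must keep forwarding "cookie" for this to work.
cookie_secret = "REPLACE_WITH_A_RANDOM_16_24_OR_32_BYTE_SECRET"  # placeholder
cookie_secure = true
cookie_samesite = "lax"
```

With this in place the flow is: the first request to an app URL is sent by ext_authz to oauth2-proxy, which finds no session and replies 302 to the IdP; the browser completes login and is redirected to `/oauth2/callback`, which the gateway again hands to oauth2-proxy via ext_authz; oauth2-proxy sets the session cookie and replies 302 back to the original URL; every later request carries the cookie, oauth2-proxy returns 202 from the static upstream, and Istio routes the request to the application. Because the EnvoyFilter above sets no `allowed_client_headers`, Envoy forwards all headers of a denied check response to the client, so `Location` and `Set-Cookie` reach the browser without further configuration.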