Combine JWT claim based routing and External Authorization #46638
Unanswered
JulianSchmidgall
asked this question in
Q&A
Replies: 1 comment
-
You could add a second AuthorizationPolicy that uses the

```yaml
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: custom-authorization
spec:
  selector:
    matchLabels:
      app: backend
  action: CUSTOM
  provider:
    name: external-authz-http
  rules:
    - to:
        - operation:
            methods:
              - "GET"
            paths:
              - "/foos"
```

```yaml
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: backend-authorization
spec:
  selector:
    matchLabels:
      app: backend
  action: ALLOW
  rules:
    - to:
        - operation:
            methods:
              - "GET"
            paths:
              - "/foos"
      from:
        - source:
            requestPrincipals:
              - https://keycloak-test.svc.cluster.local/auth/realms/foo-test/*
      when:
        - key: request.auth.claims[roles]
          values: ["admin"]
```
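Added example (not part of the reply above and not Istio code): a simplified Python model of Istio's documented evaluation order for one workload (CUSTOM first, then DENY, then ALLOW), applied to the two policies in the reply. The dictionary layout, the function names and the sample requests are constructed for illustration.

```python
# Simplified model of Istio's documented evaluation order for one workload:
# CUSTOM policies first, then DENY, then ALLOW. Illustration only, not Istio code.
ISSUER = "https://keycloak-test.svc.cluster.local/auth/realms/foo-test"

# The two policies from the reply, reduced to the fields that drive the decision.
POLICIES = [
    {"action": "CUSTOM", "rules": [{"methods": ["GET"], "paths": ["/foos"]}]},
    {"action": "ALLOW", "rules": [{"methods": ["GET"], "paths": ["/foos"],
                                   "principals": [ISSUER + "/*"],
                                   "claims": {"roles": ["admin"]}}]},
]

def match(value, pattern):
    """Istio-style string match: exact, 'prefix*', '*suffix', or '*' for presence."""
    if value is None:
        return False
    if pattern == "*":
        return value != ""
    if pattern.endswith("*"):
        return value.startswith(pattern[:-1])
    if pattern.startswith("*"):
        return value.endswith(pattern[1:])
    return value == pattern

def rule_matches(rule, req):
    """Every field present in a rule must match the request (AND semantics)."""
    if "methods" in rule and req["method"] not in rule["methods"]:
        return False
    if "paths" in rule and not any(match(req["path"], p) for p in rule["paths"]):
        return False
    if "principals" in rule and not any(
            match(req.get("principal"), p) for p in rule["principals"]):
        return False
    claims = req.get("claims", {})
    return all(set(claims.get(k, [])) & set(v) for k, v in rule.get("claims", {}).items())

def decide(policies, req, ext_authz_allows):
    """Return the verdict for req; ext_authz_allows is the external provider's answer."""
    def hit(action):
        return any(rule_matches(r, req) for p in policies
                   if p["action"] == action for r in p["rules"])
    if hit("CUSTOM") and not ext_authz_allows:
        return "DENY:ext_authz"
    if hit("DENY"):
        return "DENY:deny_policy"
    has_allow = any(p["action"] == "ALLOW" for p in policies)
    return "ALLOW" if not has_allow or hit("ALLOW") else "DENY:no_allow_match"

# Constructed sample requests; principal is "<iss>/<sub>" from a validated JWT.
ADMIN = {"method": "GET", "path": "/foos", "principal": ISSUER + "/alice",
         "claims": {"roles": ["admin"]}}
VIEWER = dict(ADMIN, claims={"roles": ["viewer"]})
NO_JWT = {"method": "GET", "path": "/foos"}
```

In this model a request to any path other than `/foos` is also denied, because once an ALLOW policy selects the workload, only requests matching an ALLOW rule pass.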
-
Hi, I want to combine the two features JWT claim based routing and External Authorization. Are there any examples or hints on how to get that running? 🚀
I started with setting up the External Authorization, which works fine. The oauth2-proxy adds a JWT to the request.
I further added a RequestAuthentication and a VirtualService:
When I send a request to the `/headers` endpoint I directly receive an HTTP 404 back. There is no redirect to the configured OAuth provider. Therefore I assume that once the request is routed, the validated JWT claims are not yet in the request. The endpoint `/no-headers` works as expected. The request got redirected to the OAuth provider.

I would be happy about any hints on how to combine those two features. Thanks a lot!