Reputation: 41
I am new to Istio; I have learned a lot and applied it to my project, which consists of many microservices. I am stuck on authentication when it comes to using Istio.
So the issue is this. Istio offers authentication which involves using OAuth (Google OAuth or any other provider), and once we do this, we can set up an AuthPolicy and define which microservices we want it to apply to. I have attached my auth policy YAML and it works fine. Now my project at work requires me to use custom auth also. In other words, I have one microservice which handles authentication. This auth microservice has three endpoints: /login, /signup, /logout and /auth. Normally, in my application, I would call /auth as middleware before I make any other call, to make sure the user is logged in. /auth in my microservice reads the JWT token I stored in a cookie when I logged in in the first place and checks if it is valid. Now my question is how to add my custom authentication rather than using OAuth. Now, as you know, the auth policy.yaml I attached will trigger the auth check at sidecar proxy level, so I don't need to direct my traffic to the ingress gateway; that means my gateway takes care of mTLS while the sidecar takes care of the JWT auth check. So how do I plug my custom auth into policy.yaml, or another way, such that "I don't need to redirect all my traffic to the ingress gateway"?
In short, please help me with how to add my custom auth JWT check in policy.yaml like in the picture, or any other way, and if required modify my auth [micro-service][1] code too. People suggest redirecting traffic to the ingress gateway and adding Envoy filter code there which will redirect traffic to the auth microservice. But I don't have to redirect all my calls to the ingress gateway and run the Envoy filter there. I want to achieve what Istio is already doing by defining a policy YAML, so the JWT auth check happens at sidecar proxy level using policy.yaml and we don't redirect traffic to the ingress gateway.
NB: all my microservices are ClusterIP and only my front end is exposed outside. Looking forward to your help/advice.
Here's my code for the auth policy.yaml:
apiVersion: "authentication.istio.io/v1alpha1"
kind: "Policy"
metadata:
  name: reshub
spec:
  targets:
  - name: hotelservice   # auth check whenever a call is made to this microservice
  peers:
  - mtls: {}
  origins:
  - jwt:
      issuer: "https://rshub.auth0.com/"
      jwksUri: "https://rshub.auth0.com/.well-known/jwks.json"
  principalBinding: USE_ORIGIN
Here's my code for the auth microservice, just to show you my current logic for checking the JWT:
# Imports and app setup assumed from the surrounding Flask app (not shown in the question)
from flask import Flask, request, jsonify
from flask_jwt_extended import decode_token   # assumed source of decode_token
from flask_pymongo import PyMongo             # assumed source of `mongo`

app = Flask(__name__)
app.config['MONGO_URI'] = 'mongodb://localhost:27017/reshub'   # placeholder connection string
mongo = PyMongo(app)


@app.route('/auth/varifyLoggedInUser', methods=['POST'])
def varifyLoggedInUser():
    isAuthenticated = False
    users = mongo.db.users
    c = request.cookies.get('token')          # token as stored in the cookie at login
    token = request.get_json()['cookie']      # token forwarded by the caller in the JSON body
    print(token)
    if token:
        decoded_token = decode_token(token)   # raises if the signature or expiry is invalid
        user_identity = decoded_token['identity']['email']
        # accept only if the token matches the one recorded for this user at login
        user = users.find_one({'email': user_identity, 'token': token})
        if user:
            isAuthenticated = True
    return jsonify({'isAuthenticated': isAuthenticated, 'token': c})
Upvotes: 4
Views: 799
Reputation: 2659
Try the AuthService project here, which seems to aim to improve this area of Istio, which is at the moment pretty deficient IMO:
https://github.com/istio-ecosystem/authservice
I think the Istio docs imply that it supports more than it really does - Istio will accept and validate JWT tokens for authorization but it provides nothing in the way of authentication.
Upvotes: 1