Istio supports AuthZ and AuthN services, but is there a way to implement token validation via a proxy?
Example: A user/client sends a request to Service-A. The request hits the istio-ingressGateway, and the Gateway validates the token via another service (Validation Service). If the token is valid, the user/client gets the user data; if not, an equivalent error response is sent.
CodePudding user response:
You can write a micro-gateway service using Netflix Zuul which will be the landing service from your Istio Gateway. It can do quick token validation using Zuul filters and then forward the request to the desired service or return a token error response. You can use this service for issuing tokens and also hosting the JWK keys for JWT tokens.
I've written a Java implementation for the same.
Otherwise, you can use an internal Nginx server as a landing for all your requests and then use http_auth_request_module to do a quick auth and then proxy forward to other services. You can find it in the Nginx documentation.
Unfortunately, I didn't find anything as such provided by Istio as of now.
CodePudding user response:
Posted community wiki answer for better visibility. As Tushar Mistry mentioned in the comments - problem is solved based on this article:
This was the second blog I found while searching oauth2-proxy with istio. He uses Envoy Filter for authorization, but the latest istio provides external authorization. Today I was successful in redirecting unauthorized requests to oauth-proxy2 with istio external authorization; now facing a problem after authentication, it says login failed, CSRF token not found.
and later:
Implemented this method successfully, will share a blog if I get time.
See also Better External Authorization.
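For reference, the Istio external authorization setup mentioned above can be expressed as the following configuration, which makes the ingress gateway ask a separate Validation Service about each request before forwarding it to Service-A. This is an added example, not configuration from the posters; the provider name, service host, port, path and the `x-auth-user` header are assumptions.

```yaml
# Added example. Hypothetical names: token-validator,
# validation-service.auth.svc.cluster.local, port 8080, /service-a/*, x-auth-user.
apiVersion: install.istio.io/v1alpha1
kind: IstioOperator
spec:
  meshConfig:
    extensionProviders:
    - name: token-validator
      envoyExtAuthzHttp:
        service: validation-service.auth.svc.cluster.local
        port: 8080
        # Forward only the credential header to the validator, not every header.
        includeRequestHeadersInCheck: ["authorization"]
        # Identity header set by the validator on success, passed on to Service-A.
        headersToUpstreamOnAllow: ["x-auth-user"]
        # Let the validator's error details reach the client when it denies.
        headersToDownstreamOnDeny: ["www-authenticate", "content-type"]
        # Fail closed: reject requests when the validator cannot be reached.
        failOpen: false
        statusOnError: "503"
---
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: validate-token
  namespace: istio-system
spec:
  selector:
    matchLabels:
      istio: ingressgateway
  action: CUSTOM
  provider:
    name: token-validator
  rules:
  # Only requests matching these rules are sent to the validator;
  # anything not matched here reaches the backend without a token check.
  - to:
    - operation:
        paths: ["/service-a/*"]
```

The Validation Service allows a request by answering the check with HTTP 200; a 401 or 403 answer denies it and is returned to the client.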