Open erikschlegel opened 4 years ago
This feature is needed and is preventing my company from moving to the AG Ingress Controller. It would also be useful to have this feature working without having to run oauth2-proxy in the cluster.
@caya @erikschlegel Do either of you know if there has been an update on this ask? We have another customer with a similar query, quoted below:
"Does Application Gateway Ingress Controller support JWT validation? We need to perform JWT OAuth token validation for all ingress activities in AKS. Nginx supports this feature through location / { proxy_pass: } or annotations: nginx.ingress.kubernetes.io/auth-url: Does Application Gateway Ingress Controller (Standard v2 SKU) support this functionality?"
OAuth is not currently supported on AppGW, but is on our roadmap. Until we support it on AppGW, we won't have support for it on AGIC. I can update this thread once it's available on AppGW.
Is there a workaround for this? I'm trying to use oauth2 proxy image as a sidecar to things I want to add auth proxy. I'm getting some weird errors on oauth2 container. From what I read it seems like AGIC is rewriting some stuff oauth container was looking for like cookie, headers etc. Can I configure AGIC to be less abrasive?
Hi, are there any news on the subject?
There is a workaround with APIM + AGIC, but that is not feasible (because of high cost). Application Gateway should support Authentication similar to APIM.
Are there any updates on this?
@mscatyao is there any update on this?
@mscatyao is there any update on this?
@mscatyao Is this still on the roadmap for app gateway, and if so can you let us know what the timeframe is?
Do you have any news on that?
Any update on this?
Currently a blocker for us. @mscatyao do you have any updates?
What is the recommended pattern for exposing endpoints requiring OAuth in AKS? Is API Management the way to go? My worry is the overhead associated with managing API Management, and the cost.
> Is there a workaround for this? I'm trying to use oauth2 proxy image as a sidecar to things I want to add auth proxy. I'm getting some weird errors on oauth2 container. From what I read it seems like AGIC is rewriting some stuff oauth container was looking for like cookie, headers etc. Can I configure AGIC to be less abrasive?
@alchemistake : Have you found a solution for this?
@mscatyao Any update on this? Is there any ETA for when this feature will be supported on AppGW?
Hello,
At this point, what are the alternatives to JWT token validation if the AGIC is still not ready to do this job?
> Hello,
> At this point, what are the alternatives to JWT token validation if the AGIC is still not ready to do this job?
I have been exploring this lately. The paid ingress controller options are not cheap...
Paid ingress controllers: Traefik, Nginx Plus, etc.
Open source:
- Istio service mesh
- Ingress Nginx + OAuth2-Proxy
- Ingress Nginx + ingress-nginx-validate-jwt (one instance can validate multiple Ingress objects)
- Ingress Nginx + OIDC-Guard, which supports JWT and cookie auth for web apps (one instance can validate multiple Ingress objects)
We have deployed https://github.com/oauth2-proxy/oauth2-proxy in front of some our workloads, works fine in combination with AGIC 👍 (not sure what problem @alchemistake encountered, maybe it was fixed in the meantime)
@sintetico82 If you are using Istio, you can add authorization through Istio's AuthorizationPolicy with a custom provider (in this case oauth2-proxy, see @philippn's comment). The flow should look like this:
Application Gateway -> AGIC (route all requests to istio ingress gateway) -> Istio Ingress Gateway + AuthorizationPolicy with Oauth2Proxy custom provider
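The chain described above, written out as an added example (these are not the commenter's own manifests): an AGIC Ingress that hands the whole host to the Istio ingress gateway, the meshConfig extension provider that points Istio at an oauth2-proxy Service, and the CUSTOM AuthorizationPolicy that enforces it on the gateway. The hostname, namespaces and the oauth2-proxy Service name are assumptions.

```yaml
# Assumed placeholders: host app.example.com, gateway in istio-system, oauth2-proxy Service on port 4180 in namespace oauth2-proxy.
# 1. AGIC sends the whole host to the Istio ingress gateway; no authentication happens at AGIC itself.
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: istio-gateway-via-agic
  namespace: istio-system
  annotations:
    kubernetes.io/ingress.class: azure/application-gateway
spec:
  rules:
    - host: app.example.com
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: istio-ingressgateway
                port:
                  number: 80
---
# 2. meshConfig excerpt (IstioOperator spec.meshConfig): register oauth2-proxy as an external authorizer; only listed headers cross the check.
meshConfig:
  extensionProviders:
    - name: oauth2-proxy
      envoyExtAuthzHttp:
        service: oauth2-proxy.oauth2-proxy.svc.cluster.local
        port: "4180"
        includeRequestHeadersInCheck: ["authorization", "cookie"]
        headersToUpstreamOnAllow: ["authorization", "x-auth-request-user", "x-auth-request-email"]
        headersToDownstreamOnDeny: ["content-type", "set-cookie"]
---
# 3. CUSTOM policy on the gateway: a request reaches a workload only after oauth2-proxy answers the check with 2xx.
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: oauth2-proxy-at-gateway
  namespace: istio-system
spec:
  selector:
    matchLabels:
      app: istio-ingressgateway
  action: CUSTOM
  provider:
    name: oauth2-proxy
  rules:
    - to:
        - operation:
            paths: ["/*"]
```

Because the policy is attached to the gateway pods, every host routed through this Ingress is checked; per-application exceptions would need narrower `rules` rather than a second proxy.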
> We have deployed https://github.com/oauth2-proxy/oauth2-proxy in front of some our workloads, works fine in combination with AGIC 👍 (not sure what problem @alchemistake encountered, maybe it was fixed in the meantime)
Care to share some details on your setup? You've got AGIC working together with oauth2-proxy sidecars?
Sure, although we have installed it via the Helm chart, deployed separately from the upstream service. However, it should be possible to adapt this setup to a sidecar and configure your own Ingress to point to the sidecar instead.
Here is what we do:
helm install release-name oauth2-proxy/oauth2-proxy --version 6.2.2 -f values.yaml
The redacted version of our values file can be found here. Basically, it sets up an Ingress for the OAuth proxy with TLS termination and configures OAuth proxy to talk to the target service inside the cluster via HTTP.
Hope that helps!
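An added, illustrative values.yaml for the setup described above (it is not the commenter's redacted file, which is not on this page): the chart creates an AGIC Ingress with TLS termination for the proxy, and the proxy forwards authenticated requests to the upstream Service over plain HTTP inside the cluster. The hostname, upstream Service, Azure AD tenant, secret names and the exact chart value keys are assumptions to check against the chart version you install.

```yaml
# Assumed placeholders: host app.example.com, upstream Service my-api in
# namespace default on port 8080, Azure AD tenant id <TENANT_ID>.
# Install: helm install release-name oauth2-proxy/oauth2-proxy --version 6.2.2 -f values.yaml
config:
  # Client credentials and cookie secret; in practice source these from a
  # Kubernetes Secret (chart key config.existingSecret) rather than plain values.
  clientID: "<APP_REGISTRATION_CLIENT_ID>"
  clientSecret: "<APP_REGISTRATION_CLIENT_SECRET>"
  cookieSecret: "<32-byte-random-base64>"   # e.g. openssl rand -base64 32 | tr -- '+/' '-_'

extraArgs:
  provider: oidc
  oidc-issuer-url: https://login.microsoftonline.com/<TENANT_ID>/v2.0
  redirect-url: https://app.example.com/oauth2/callback
  # Authenticated traffic is proxied to the target Service over HTTP in-cluster.
  upstream: http://my-api.default.svc.cluster.local:8080
  email-domain: "*"
  # TLS is terminated at Application Gateway, so trust its X-Forwarded-* headers
  # and still mark the session cookie Secure.
  reverse-proxy: "true"
  cookie-secure: "true"
  # Also accept a bearer JWT from the same issuer (API clients that carry no cookie).
  skip-jwt-bearer-tokens: "true"

ingress:
  enabled: true
  annotations:
    kubernetes.io/ingress.class: azure/application-gateway
    appgw.ingress.kubernetes.io/ssl-redirect: "true"
  path: /
  hosts:
    - app.example.com
  tls:
    - secretName: app-example-com-tls
      hosts:
        - app.example.com
```

The Ingress here belongs to the proxy, not to the application; the application Service keeps no Ingress of its own, so the only path to it from outside is through oauth2-proxy.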
> Sure, we have installed it via the Helm chart though, deployed separately to the upstream-service. However, it should be possible to adapt this setup to a sidecar and configure your own Ingress to point to the sidecar instead.
Followed this guide with some modifications for Azure AD via the oidc provider, works well, thanks. However, I believe this setup would still require an oauth2-proxy pod for each unique Ingress one would like to set up?
> Sure, we have installed it via the Helm chart though, deployed separately to the upstream-service. However, it should be possible to adapt this setup to a sidecar and configure your own Ingress to point to the sidecar instead.
> Followed this guide with some modifications for Azure AD via the oidc provider, works well, thanks. However, I believe this setup would still require an oauth2-proxy pod for each unique Ingress one would like to set up?
Yes, that is correct.
> There is a workaround with APIM + AGIC, but that is not feasible (because of high cost). Application Gateway should support Authentication similar to APIM.
I need two things to protect my API endpoints:
- JWT token verification (through the use of jwks_uri inside the .well-known URL of the OpenID Connect (OIDC) standard)
- HTTP Basic authentication
I understand I can use APIM (Azure API Management) for both... is that right?
@hovermind can you kindly give me some link/document/resource where I can understand more about configuring this "workaround"?
@omeryesil I am scared to introduce Istio to the AKS cluster. There is no official documentation from Microsoft, and they look like they don't encourage using it (https://learn.microsoft.com/en-us/azure/aks/servicemesh-about).
@sintetico82 Istio has worked with AKS for at least 4 years already without any issues. But introducing Istio just for JWT token verification seems like overkill.
@4c74356b41 Yes, I agree with you that that is overkill just for JWT.
Anyway, I decided to use Azure API Management in the end. It has a specific policy for JWT validation and works very well, but overall API Management also introduced some big disadvantages for me in its Premium tier in internal mode (internal network):
In my opinion, AGIC is not mature yet for these business scenarios, and I think these features are not implemented in order to force people to use a more expensive service like API Management.
I can't believe that AGIC does not support oauth2 authentication out of the box in 2023...
> OAuth is not currently supported on AppGW, but is on our roadmap. Until we support it on AppGW, we won't have support for it on AGIC. I can update this thread once it's available on AppGW.
any update after two years?
FWIW, Microsoft Learn's Kubecost tutorial touches on the implementation of an oauth2-proxy while using AGIC as the ingress controller.
This is a bit disappointing; I'll need to invest some time into the workarounds.
Any updates?
Is your feature request related to a problem? Please describe.
The customer I'm working with requires JWT OAuth2 token validation for all ingress activity. We're unclear about the available approaches for setting up an authentication proxy for our frontend AGIC route. Our identity provider is AAD.
Nginx supports service authentication today
Are there any alternative approaches that would support this use-case?
Describe the solution you'd like
A new annotation in AGIC where we can provide the authentication URL and sign-in endpoint for the ingress controller.