envoyproxy / envoy

Cloud-native high-performance edge/middle/service proxy
https://www.envoyproxy.io
Apache License 2.0

oauth2 filter not working in istio with Keycloak #19296

Closed ricosega closed 2 years ago

ricosega commented 2 years ago

Hi there,

I am using the stack "Istio - oauth2-proxy - Keycloak" for authentication in my apps, and having seen the oauth2 filter I wanted to get rid of oauth2-proxy.

I followed this post in order to make it work, with the only difference being that I am using Keycloak instead of GoogleOauth.

I applied the following .yaml:

apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
  name: oauth2-ingress
  namespace: istio-system
spec:
  workloadSelector:
    labels:
      istio: ingressgateway
  configPatches:
  - applyTo: HTTP_FILTER
    match:
      context: GATEWAY
      listener:
        filterChain:
          filter:
            name: "envoy.filters.network.http_connection_manager"
            subFilter:
              name: "envoy.filters.http.jwt_authn"
    patch:
      operation: INSERT_BEFORE
      value:
       name: envoy.filters.http.oauth2
       typed_config:
         "@type": type.googleapis.com/envoy.extensions.filters.http.oauth2.v3alpha.OAuth2
         config:
          token_endpoint:
            cluster: oauth
            uri: https://keycloak.local/auth/realms/test/protocol/openid-connect/token
            timeout: 3s
          authorization_endpoint: https://keycloak.local/auth/realms/test/protocol/openid-connect/auth
          redirect_uri: "%REQ(x-forwarded-proto)%://%REQ(:authority)%/callback"
          redirect_path_matcher:
            path:
              exact: /callback          
          signout_path:
            path:
              exact: /signout
          credentials:
            client_id: test
            token_secret:
              name: token
              sds_config:
                path: "/etc/istio/config/oauth2/token-secret.yaml"
            hmac_secret:
              name: hmac
              sds_config:
                path: "/etc/istio/config/oauth2/hmac-secret.yaml"
          pass_through_matcher:
            - name: authorization
              prefix_match: Bearer
          auth_scopes:
            - profile
            - openid
            - email
          forward_bearer_token: true                 
---
apiVersion: v1
kind: ConfigMap
metadata:
  name: istio-oauth2
  namespace: istio-system
data:
  token-secret.yaml: |-
    resources:
      - "@type": "type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.Secret"
        name: token
        generic_secret:
          secret:
            inline_string: "NDgxODZjZDQtMTZmYy00NTc5LTkyNDgtZTVmNTcyZGIzYTEwCg=="
  hmac-secret.yaml: |-
    resources:
      - "@type": "type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.Secret"
        name: hmac
        generic_secret:
          secret:
            inline_bytes: XYJ7ibKwXwmRrO/yL/37ZV+T3Q/WB+xfhmVlio+wmc0=
            # generated using `head -c 32 /dev/urandom | base64`
---
apiVersion: security.istio.io/v1beta1
kind: RequestAuthentication
metadata:
  name: jwt-authentication
  namespace: istio-system
spec:
  selector:
    matchLabels:
      app: istio-ingressgateway
  jwtRules:
    - issuer: "https://keycloak.local/auth/realms/test"
      jwksUri: "https://keycloak.local/auth/realms/test/protocol/openid-connect/certs"
      forwardOriginalToken: true
      audiences:
        - test
---
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: known-user
  namespace: istio-system
spec:
  selector:
    matchLabels:
      app: istio-ingressgateway
  rules:
  - when:
    - key: request.headers[Authorization]
      notValues:
      - 'Bearer*'
  - when:
    - key: request.auth.audiences
      values: 
        - 'test'
    - key: request.auth.presenter
      values:
        - test
---

And when I try to access any app I am properly redirected to Keycloak; then I input username and password, but when I am redirected back to the app I get the following message: "OAuth flow failed".

What is wrong in my config? What am I missing?

phlax commented 2 years ago

cc @snowp

github-actions[bot] commented 2 years ago

This issue has been automatically marked as stale because it has not had activity in the last 30 days. It will be closed in the next 7 days unless it is tagged "help wanted" or "no stalebot" or other activity occurs. Thank you for your contributions.

andrewwebber commented 2 years ago

Not sure if this helps but I had a similar issue with knative. It helped to configure an envoy instance manually (oauth2) to confirm whether it was an envoy issue, istio issue or "key cloak" configuration issue. In the end I found it to be a knative/istio issue, as when configured directly in envoy everything worked. For me the issue was the state being incorrect (http authority), resulting in the final phase failing in istio.

ricosega commented 2 years ago

@andrewwebber, yes, I should maybe ask this directly in istio because it could be more an istio issue.

al-hy commented 2 years ago

@ricosega I am running into the exact same issue, word for word, and also followed the exact same blog you referenced. Did you have any more lead on this?

northerndev commented 2 years ago

@ricosega I am running into an issue where secrets do not get uploaded to ingressgateway, so when an attempt is made to push filters to ingressgateway I get the error below (the filter is getting rejected by ingressgateway/envoy proxy):

"listener(s) 0.0.0.0_8080: paths must refer to an existing path in the system: '/etc/istio/config/oauth2/token-secret.yaml' does not exist"

It looks to me like the config/map secrets should be getting pushed to ingressgateway/envoy proxy as static secret resources - but are not.

Any thoughts/ideas why that might not be working are much appreciated.

Thanks
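As an added example (not code from the issue, from Envoy or from Istio), here is a small Python preflight checker for the configuration shape in the opening post. It covers the two failure modes raised in this thread: it renders the `redirect_uri` format string for a given set of request headers and reports when `x-forwarded-proto` or `:authority` does not produce a valid absolute URI (an authority-related state problem is what andrewwebber describes), and it cross-checks the filter's `sds_config` paths and secret names against what is actually mounted in the pod, reporting the same "does not exist" condition that northerndev quotes. It also flags a `token_secret` whose `inline_string` looks like a base64-wrapped text value, since Envoy uses `inline_string` verbatim as the client secret; that is a general pitfall check, not a diagnosis of this particular issue. The `FILTER_CONFIG` and `MOUNTED_SECRETS` dicts are constructed stand-ins (no YAML parsing), the secret values are made up, and the `-` rendering for an absent header is an assumption borrowed from Envoy's access-log formatter.

```python
"""Preflight checks for an Envoy oauth2 filter config (added example).

Not part of the issue or of Envoy. The dicts below are constructed
stand-ins for the EnvoyFilter fields and for the secret files the
gateway pod would see under the filter's sds_config paths.
"""
import base64
import binascii
import re
from urllib.parse import urlsplit

# Fields of the oauth2 filter that the checks look at (constructed,
# mirroring the shape of the config in the issue).
FILTER_CONFIG = {
    "redirect_uri": "%REQ(x-forwarded-proto)%://%REQ(:authority)%/callback",
    "redirect_path": "/callback",
    "token_secret": {"name": "token", "path": "/etc/istio/config/oauth2/token-secret.yaml"},
    "hmac_secret": {"name": "hmac", "path": "/etc/istio/config/oauth2/hmac-secret.yaml"},
}

# What the sds_config paths resolve to inside the pod. Constructed: a real
# check would read and parse the mounted YAML files.
MOUNTED_SECRETS = {
    "/etc/istio/config/oauth2/token-secret.yaml": {
        "name": "token",
        # A client secret written with `echo <secret> | base64`: base64 text
        # whose decoding ends in a newline. Envoy sends inline_string verbatim
        # to the token endpoint, so this is a pitfall worth flagging.
        "inline_string": base64.b64encode(b"constructed-client-secret\n").decode(),
    },
    "/etc/istio/config/oauth2/hmac-secret.yaml": {
        "name": "hmac",
        "inline_bytes": base64.b64encode(b"\x01" * 32).decode(),  # 32-byte key
    },
}

_REQ_RE = re.compile(r"%REQ\(([^)]+)\)%")


def render_redirect_uri(template, headers):
    """Expand %REQ(name)% operators against request headers.

    An absent header renders as "-" (assumed from Envoy's access-log
    formatter convention); the point is that the result is not a URI.
    """
    lowered = {k.lower(): v for k, v in headers.items()}
    return _REQ_RE.sub(lambda m: lowered.get(m.group(1).lower(), "-"), template)


def check_redirect_uri(config, headers):
    """Return a list of problems with redirect_uri as rendered for one request."""
    uri = render_redirect_uri(config["redirect_uri"], headers)
    parts = urlsplit(uri)
    problems = []
    if parts.scheme not in ("http", "https"):
        problems.append(f"redirect_uri renders without a usable scheme: {uri!r} "
                        "(is x-forwarded-proto set at the gateway?)")
    if not parts.netloc:
        problems.append(f"redirect_uri renders without an authority: {uri!r}")
    if parts.scheme in ("http", "https") and parts.path != config["redirect_path"]:
        problems.append(f"redirect_uri path {parts.path!r} does not match "
                        f"redirect_path_matcher {config['redirect_path']!r}")
    return problems


def _looks_base64_wrapped(value):
    """True if value is valid base64 of printable text ending in a newline."""
    try:
        raw = base64.b64decode(value, validate=True)
    except binascii.Error:
        return False
    return raw.endswith(b"\n") and all(32 <= b < 127 or b == 10 for b in raw)


def check_secrets(config, mounted):
    """Cross-check the filter's secret references against what is on disk."""
    problems = []
    for field in ("token_secret", "hmac_secret"):
        ref = config[field]
        secret = mounted.get(ref["path"])
        if secret is None:
            # Same condition as the listener rejection quoted in the thread.
            problems.append(f"{field}: {ref['path']!r} does not exist in the pod")
            continue
        if secret.get("name") != ref["name"]:
            problems.append(f"{field}: file declares name {secret.get('name')!r}, "
                            f"filter references {ref['name']!r}")
        if field == "hmac_secret":
            try:
                key = base64.b64decode(secret.get("inline_bytes", ""), validate=True)
            except binascii.Error:
                key = b""
            if len(key) < 32:
                problems.append(f"{field}: inline_bytes is not valid base64 of >= 32 bytes")
        elif _looks_base64_wrapped(secret.get("inline_string", "")):
            problems.append(f"{field}: inline_string looks like base64 of a text value; "
                            "Envoy uses inline_string verbatim as the client secret")
    return problems


def preflight(config, mounted, headers):
    """All problems found for one request's headers and the mounted secrets."""
    return check_redirect_uri(config, headers) + check_secrets(config, mounted)


if __name__ == "__main__":
    hdrs = {"x-forwarded-proto": "https", ":authority": "app.example.test"}
    for problem in preflight(FILTER_CONFIG, MOUNTED_SECRETS, hdrs):
        print("-", problem)
```

Run it against the real mounted files by replacing `MOUNTED_SECRETS` with the parsed contents of the paths referenced in the filter; an empty result from `check_secrets` is what the listener needs before the filter is accepted, and `check_redirect_uri` is worth running with the exact header set the gateway sees on the callback request rather than the one you expect it to see.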

sudomann commented 2 years ago

> It looks to me like the config/map secrets should be getting pushed to ingressgateway/envoy proxy as static secret resources - but are not.

@northerndev I reached the same conclusion and decided to just edit the ingressgateway deployment to mount it myself