envoyproxy / gateway

Manages Envoy Proxy as a Standalone or Kubernetes-based Application Gateway
https://gateway.envoyproxy.io
Apache License 2.0
1.63k stars 353 forks

Combine OIDC and external auth security policies #4275

Closed chessman closed 1 month ago

chessman commented 2 months ago

Description: I'm trying to combine OIDC and external auth security policies. The idea is to perform a check using an external service for a forwarded Authorization header received in the OAuth2 authentication.

I followed both guides: https://gateway.envoyproxy.io/docs/tasks/security/oidc/ https://gateway.envoyproxy.io/docs/tasks/security/ext-auth/

They work separately, but when I enable both, the external auth takes precedence, resulting in a 403 error. Is it possible to change the order in which the policies are applied?

arkodg commented 2 months ago

@chessman you should be able to do this using the filterOrder feature https://gateway.envoyproxy.io/docs/tasks/operations/customize-envoyproxy/#customize-filter-order

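An added example (not code from the thread or from the project's docs) of what that customization looks like in practice: an EnvoyProxy resource that moves the oauth2 filter ahead of ext_authz, plus the GatewayClass that references it. The resource names (`auth-filter-order`, `eg`) are assumptions; the filter names are Envoy's well-known HTTP filter names as accepted by `filterOrder`.

```yaml
# Added example, not from the thread: move the OIDC (oauth2) filter ahead of
# external auth so the OAuth2 flow runs first and ext_authz sees the
# Authorization header that the OAuth2 filter forwards.
# Resource names (auth-filter-order, eg) are assumptions for illustration.
apiVersion: gateway.envoyproxy.io/v1alpha1
kind: EnvoyProxy
metadata:
  name: auth-filter-order
  namespace: envoy-gateway-system
spec:
  filterOrder:
    - name: envoy.filters.http.oauth2
      before: envoy.filters.http.ext_authz
---
# The order only applies to Gateways whose GatewayClass points at the
# EnvoyProxy above through parametersRef.
apiVersion: gateway.networking.k8s.io/v1
kind: GatewayClass
metadata:
  name: eg
spec:
  controllerName: gateway.envoyproxy.io/gatewayclass-controller
  parametersRef:
    group: gateway.envoyproxy.io
    kind: EnvoyProxy
    name: auth-filter-order
    namespace: envoy-gateway-system
```

After applying, confirm the GatewayClass still reports `Accepted: True` in its status; a typo in a filter name or a reference to a missing EnvoyProxy shows up there rather than as a data-plane error. The order change only affects which filter runs first; it does nothing about which SecurityPolicy gets attached to a given target.
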
chessman commented 2 months ago

@arkodg Thanks for the hint. It started to work with a changed order but there are issues:

This is what I did: https://gist.github.com/chessman/800b328c484f5ea9ff260537ec8a9ebb

arkodg commented 1 month ago

cc @zhaohuabing

zhaohuabing commented 1 month ago

Both policies should have the same target, it doesn't work when one policy targets Gateway and another targets HTTPRoute.

@chessman One Gateway/HTTPRoute can only be associated with one xPolicy. If multiple xPolicies of the same type target one Gateway/HTTPRoute, the one with the earlier creation time will be applied.

Could you please try it again with a single SP?

Hint: when EG behavior doesn't meet expectations, the status of EG CRs can be very helpful.

```yaml
status:
  ancestors:
  - ancestorRef:
      group: gateway.networking.k8s.io
      kind: Gateway
      name: eg
      namespace: default
    conditions:
    - lastTransitionTime: "2024-10-09T05:31:44Z"
      message: Unable to target Gateway, another SecurityPolicy has already attached
        to it
      observedGeneration: 1
      reason: Conflicted
      status: "False"
      type: Accepted
    controllerName: gateway.envoyproxy.io/gatewayclass-controller
```

chessman commented 1 month ago

@zhaohuabing You are right, I've just tested it, only one security policy can be attached. Isn't it a substantial limitation? Combining authentication and authorization might not be a widely used use case but what about CORS and auth?

zhaohuabing commented 1 month ago

> @zhaohuabing You are right, I've just tested it, only one security policy can be attached. Isn't it a substantial limitation? Combining authentication and authorization might not be a widely used use case but what about CORS and auth?

Can't you include these settings in one SP?

chessman commented 1 month ago

@zhaohuabing oh, I didn't realize that it is possible. I tried and now everything works. Thank you!
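
An added example (not the thread's or the project's own manifest) of the resolution above: one SecurityPolicy carrying CORS, OIDC and external auth for a single HTTPRoute, so no second policy competes for the same target and ends up `Conflicted`. The policy name, HTTPRoute name, origin, issuer, client ID, secret name, redirect URL and ext auth service name/port are all assumptions for illustration.

```yaml
# Added example, not from the thread: a single SecurityPolicy that combines
# CORS, OIDC and external auth for one HTTPRoute. Every name, host, issuer
# and port below is an assumption for illustration.
apiVersion: gateway.envoyproxy.io/v1alpha1
kind: SecurityPolicy
metadata:
  name: myapp-auth
  namespace: default
spec:
  targetRefs:
    - group: gateway.networking.k8s.io
      kind: HTTPRoute
      name: myapp
  cors:
    allowOrigins:
      - "https://app.example.com"
    allowMethods:
      - GET
      - POST
    allowHeaders:
      - Authorization
      - Content-Type
  oidc:
    provider:
      issuer: "https://idp.example.com"
    clientID: "myapp-client"
    clientSecret:
      name: myapp-oidc-client-secret   # Secret holding the client secret
    redirectURL: "https://www.example.com/myapp/oauth2/callback"
    logoutPath: "/myapp/logout"
    forwardAccessToken: true           # pass the access token on as Authorization: Bearer
  extAuth:
    http:
      backendRef:
        name: http-ext-auth            # external authorization service
        port: 9002
      headersToBackend:
        - x-current-user               # headers the ext auth service may add for the backend
```

Check the result with `kubectl get securitypolicy myapp-auth -o yaml`: the ancestor condition should read `Accepted: True`, and any other SecurityPolicy that later targets the same HTTPRoute shows `reason: Conflicted` instead of silently doing nothing. Putting the settings in one policy fixes the attachment conflict; whether the ext auth filter actually sees the token the OIDC filter forwards still depends on the filter order, so keep the `filterOrder` customization in place if the default order runs ext_authz before oauth2.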