search

istio-ecosystem / authservice

Move OIDC token acquisition out of your app code and into the Istio mesh
Apache License 2.0
217 stars 63 forks source link

Configuration secret isn't DRY and can exceed K8s annotation/secret size limits #132

Closed atoy3731 closed 3 years ago

atoy3731 commented 3 years ago

We utilize authservice behind a lot of different virtual services, however the way the current configuration file exists, we end up needing to create separate chains for every application, even though nearly all the contents are repeated. Here's a redacted version of the configuration file with 2 applications, containing the same values across both:

{
    "listen_address": "0.0.0.0",
    "listen_port": "10003",
    "log_level": "trace",
    "threads": 8,
    "chains": [
        {
            "name": "chain-1",
            "match": {
                "header": ":authority",
                "prefix": "foo.example.com"
            },
            "filters": [
                {
                    "oidc": {
                        "authorization_uri": "https://keycloak.example.com/auth/realms/example-realm/protocol/openid-connect/auth",
                        "token_uri": "https://keycloak.example.com/auth/realms/example-realm/openid-connect/token",
                        "callback_uri": "https://foo.example.com/login",
                        "jwks": "MATCHES-ACROSS-CHAINS",
                        "client_id": "client-id-1",
                        "client_secret": "client-password-1",
                        "scopes": [],
                        "cookie_name_prefix": "foo-cookie-prefix",
                        "id_token": {
                            "preamble": "Bearer",
                            "header": "Authorization"
                        },
                        "access_token": {
                            "header": "JWT"
                        },
                        "logout": {
                            "path": "/logout",
                            "redirect_uri": "https://keycloak.example.com/auth/realms/example-realm/protocol/openid-connect/token/logout"
                        }
                    }
                }
            ]
        },
        {
            "name": "chain-2",
            "match": {
                "header": ":authority",
                "prefix": "bar.example.com"
            },
            "filters": [
                {
                    "oidc": {
                        "authorization_uri": "https://keycloak.example.com/auth/realms/example-realm/protocol/openid-connect/auth",
                        "token_uri": "https://keycloak.example.com/auth/realms/example-realm/openid-connect/token",
                        "callback_uri": "https://bar.example.com/login",
                        "jwks": "MATCHES-ACROSS-CHAINS",
                        "client_id": "client-id-1",
                        "client_secret": "client-password-1",
                        "scopes": [],
                        "cookie_name_prefix": "bar-cookie-prefix",
                        "id_token": {
                            "preamble": "Bearer",
                            "header": "Authorization"
                        },
                        "access_token": {
                            "header": "JWT"
                        },
                        "logout": {
                            "path": "/logout",
                            "redirect_uri": "https://keycloak.example.com/auth/realms/example-realm/protocol/openid-connect/token/logout"
                        }
                    }
                }
            ]
        },
    ]
}

In the above example, given we're using a shared client ID and secret across chains, the only differencing fields are:

If the configuration could be templated out or dynamically generated to make the configuration DRY, short, and as simple as possible, it'd make our use-case infinitely easier.