istio-ecosystem / authservice

Move OIDC token acquisition out of your app code and into the Istio mesh
Apache License 2.0

internal keycloak with ingress, denied with no option to log in #158

Closed perezjasonr closed 3 years ago

perezjasonr commented 3 years ago

Having a really difficult time following the docs for a standalone authservice deployment (the non-sidecar method). Instead of Google I'm trying to use Keycloak.

I'm basically using the templates here:

https://github.com/istio-ecosystem/authservice/tree/master/bookinfo-example/authservice/templates

but using Keycloak values, so for the ConfigMap:

```json
{
  "listen_address": "127.0.0.1",
  "listen_port": "10003",
  "log_level": "trace",
  "threads": 8,
  "chains": [
    {
      "name": "idp_filter_chain",
      "filters": [
        {
          "oidc": {
            "authorization_uri": "https://keycloak.domain.com/auth/realms/myrealm/protocol/openid-connect/auth",
            "token_uri": "https://keycloak.domain.com/auth/realms/myrealm/protocol/openid-connect/token",
            "callback_uri": "https://bookinfo.domain.com/productpage/oauth/callback",
            "jwks": "<the value is taken from keycloak endpoint that provides this>",
            "client_id": "bookinfo",
            "client_secret": "<some secret we set>",
            "trusted_certificate_authority": "<ca taken from keycloak>",
            "scopes": [],
            "cookie_name_prefix": "productpage",
            "id_token": {
              "preamble": "Bearer",
              "header": "Authorization"
            },
            "logout": {
              "path": "/authservice_logout",
              "redirect_uri": "https://keycloak.domain.com/auth/realms/myrealm/protocol/openid-connect/token/logout"
            }
          }
        }
      ]
    }
  ]
}
```

But all this gets me is: `RBAC: access denied`

I can't figure out what could be missing and I can't find it in the docs. I noticed the ServiceEntry is conditional; it seems to only be there if "productpage" is set, but I'm trying to do ingress.

I heard of others getting this RBAC problem, but they were using Istio 1.10, and we're on 1.9, so I thought it wouldn't apply here (perhaps I understood it wrong and you need to be on 1.10 to get past this?). Is there something else authservice needs for this to work? I think many others will go down this same path.

Thank you.

perezjasonr commented 3 years ago

OK, I found a small mistake: the extension provider had a typo in my Istio Operator YAML which didn't match up with the auth policy. Once I fixed that, I get:

Access to bookinfo.domain.com/productpage was denied

I have the same Gateway/VirtualService/DestinationRule as in the example, but instead of "*" for hosts I put bookinfo.domain.com.

Is this not possible via the ingress route unless we edit the ingress gateway to have the authservice container running in it? My impression from the docs was that this was just sort of a performance improvement, not a requirement.

And as mentioned above, I didn't make a ServiceEntry (it seems to only be needed if you want the sidecar route, which I don't want).

And I don't see EnvoyFilter mentioned in the docs, so I presume we don't have to have that either?

Once authservice is deployed I can't reach Keycloak anymore either (same error). I'm wondering if the Google example works because it's outside k8s, and wondering if authservice is trying to reach Keycloak and getting locked out somehow. Or perhaps Istio is trying to reach authservice and getting locked out. If this is the case, is there any info on trying to use authservice/Istio/Keycloak where Keycloak resides inside k8s?

With the ConfigMap above I expected it to try to take me to the Keycloak login, not just "denied". I'm not sure what I'm missing here.

perezjasonr commented 3 years ago

After continuing to troubleshoot and reviewing, I'm starting to think the ingress route (meaning no application sidecar, and no sidecar with the ingressgateway) is only doable with Istio 1.10. If we could confirm that, it would be appreciated.

perezjasonr commented 3 years ago

I think I figured out what it was: the filter/chain was too broad, so it was locking me out of stuff I didn't intend to for my POC setup. Now I'm having issues with the trusted cert field, but that's a separate issue, so closing this.
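A cross-check for the two misconfigurations this thread runs into (an extension-provider name in the Istio Operator YAML that does not match the `CUSTOM` AuthorizationPolicy, and a policy scoped so broadly that the gateway also gates the Keycloak host the login redirect needs), written as an added example: it is not code from authservice or from this issue, and the MeshConfig, AuthorizationPolicy and host names in it are constructed placeholders modelled on the ConfigMap above.

```python
from urllib.parse import urlparse

# Constructed sample objects modelled on the setup in this thread; hosts and names are placeholders.
MESH_CONFIG = {  # meshConfig fragment from the Istio Operator YAML
    "extensionProviders": [
        {"name": "authservice-grpc",
         "envoyExtAuthzGrpc": {"service": "authservice.default.svc.cluster.local", "port": "10003"}},
    ],
}
AUTHZ_POLICY = {  # AuthorizationPolicy on the ingress gateway, with a deliberate provider-name typo
    "spec": {
        "selector": {"matchLabels": {"istio": "ingressgateway"}},
        "action": "CUSTOM",
        "provider": {"name": "authservice-grcp"},
        "rules": [{}],  # no to.operation.hosts: every host on the gateway goes through ext_authz
    },
}
AUTHSERVICE_CONFIG = {  # trimmed copy of the kind of ConfigMap posted above
    "chains": [{"name": "idp_filter_chain", "filters": [{"oidc": {
        "authorization_uri": "https://keycloak.domain.com/auth/realms/myrealm/protocol/openid-connect/auth",
        "callback_uri": "https://bookinfo.domain.com/productpage/oauth/callback",
    }}]}],
}

def policy_hosts(policy):
    """Every host named in rules[].to[].operation.hosts; an empty set means the policy is unscoped."""
    hosts = set()
    for rule in policy["spec"].get("rules", []):
        for to in rule.get("to", []):
            hosts.update(to.get("operation", {}).get("hosts", []))
    return hosts

def check_ext_authz(mesh, policy, authservice):
    """Return a list of findings; empty when the three objects are consistent with each other."""
    findings = []
    providers = {p["name"] for p in mesh.get("extensionProviders", [])}
    name = policy["spec"].get("provider", {}).get("name")
    if policy["spec"].get("action") == "CUSTOM" and name not in providers:
        findings.append(f"provider {name!r} is not one of meshConfig.extensionProviders {sorted(providers)}")
    oidc = authservice["chains"][0]["filters"][0]["oidc"]
    app_host = urlparse(oidc["callback_uri"]).hostname
    idp_host = urlparse(oidc["authorization_uri"]).hostname
    hosts = policy_hosts(policy)
    if not hosts:
        findings.append(f"policy has no to.operation.hosts, so the IdP at {idp_host} is gated as well")
    elif app_host not in hosts:
        findings.append(f"callback host {app_host} is not covered by the policy")
    elif idp_host in hosts:
        findings.append(f"IdP host {idp_host} is behind the policy; the login page must stay reachable")
    return findings
```

Run `check_ext_authz(MESH_CONFIG, AUTHZ_POLICY, AUTHSERVICE_CONFIG)` against the sample objects to see both findings; an empty list means the provider name matches and only the application host is gated.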