istio-ecosystem / authservice

Move OIDC token acquisition out of your app code and into the Istio mesh
Apache License 2.0

Choose IDP based on request path (or hostname?) #78

Open cfryanr opened 4 years ago

cfryanr commented 4 years ago

Today you can only choose between OIDC filters using request header matching. We could also support path-based matching (or hostname matching?), so when the Authservice is applied to the gateway you could support multiple apps in the cluster that want to use different OIDC Providers.

bruegth commented 4 years ago

Would be good to have path prefix matching like /idp1/apiX, /idp2/apiY

cfryanr commented 4 years ago

Does Envoy set the path as an HTTP header on the request?

If so, you could use the path matching feature of the chain in your authservice config to choose which IDP the request should go to. Just make sure that the callback request will be matched back to the same chain because the server-side Authservice user sessions are effectively namespaced per chain.

(cc @bruegth)
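Added example, not part of the thread or the project's code: a small Python check for the caveat in the comment above, that each chain's OIDC callback must be routed back to the chain that started the login. The config field names (`chains`, `match.header`, `match.prefix`, `match.equality`, `filters[].oidc.callback_uri`), the `:path` header name, first-match-wins chain ordering and the sample hostnames are assumptions made for illustration.

```python
from urllib.parse import urlsplit

# Constructed sample config; schema and first-match-wins ordering are assumptions.
CONFIG = {"chains": [
    {"name": "idp1", "match": {"header": ":path", "prefix": "/idp1/"},
     "filters": [{"oidc": {"callback_uri": "https://apps.example.com/idp1/oauth/callback"}}]},
    # Misconfigured on purpose: the callback path is outside /idp2/.
    {"name": "idp2", "match": {"header": ":path", "prefix": "/idp2/"},
     "filters": [{"oidc": {"callback_uri": "https://apps.example.com/oauth/callback"}}]},
    # Misconfigured on purpose: shadowed by the broader /idp1/ prefix above.
    {"name": "idp3", "match": {"header": ":path", "prefix": "/idp1/admin/"},
     "filters": [{"oidc": {"callback_uri": "https://apps.example.com/idp1/admin/cb"}}]},
]}


def matches(match, headers):
    """Evaluate one chain's match rule against the request headers."""
    if match is None:  # assumption: a chain without a match rule takes every request
        return True
    value = headers.get(match["header"])
    if value is None:
        return False
    if "prefix" in match:
        return value.startswith(match["prefix"])
    return value == match.get("equality")


def select_chain(config, headers):
    """Return the name of the first chain whose rule matches, or None."""
    for chain in config["chains"]:
        if matches(chain.get("match"), headers):
            return chain["name"]
    return None


def callback_mismatches(config):
    """Map each chain to the chain its callback really lands in, when they differ."""
    problems = {}
    for chain in config["chains"]:
        for flt in chain["filters"]:
            if "oidc" not in flt:
                continue
            url = urlsplit(flt["oidc"]["callback_uri"])
            # The IdP redirect carries a query string, so model it in :path.
            headers = {":path": url.path + "?code=x&state=y", ":authority": url.netloc}
            landed = select_chain(config, headers)
            if landed != chain["name"]:
                problems[chain["name"]] = landed
    return problems
```

A result of `None` means the callback matches no chain at all; a different chain name means the callback would be handled under another chain's session namespace.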

bruegth commented 4 years ago

@cfryanr For that I will set the Header as needed for this.

Off-topic: Currently I use Envoy together with https://github.com/louketo/louketo-proxy because I need an AuthService for a production environment. Can you estimate when this project will become "production-ready"?

cfryanr commented 4 years ago

Hi @bruegth, personally, before using this in production, I would want sessions to be stored in a central place. That is issue #70. We've just started working on this.

Otherwise, it should be "production ready". Known limitations are already filed as GitHub issues.

We would love to hear about your experiences trying it out. You can communicate with us here in the GitHub issues or in the #oidc-proposal channel on istio.slack.com.