istio-ecosystem / authservice

Move OIDC token acquisition out of your app code and into the Istio mesh
Apache License 2.0

Consider supporting client credential flow #84

Open cfryanr opened 4 years ago

cfryanr commented 4 years ago

Shubham Shukla:

Hi, we implemented authservice to be used with Keycloak. Combined with Istio auth policies, our end user authentication and authorization (using the authorization_code grant) works great! We also have the requirement for service-to-service communication within the mesh (background jobs, for example). For this we would need to use either the resource owner flow or the client credential flow. Does authservice support that? If not, with Istio what is the recommended way to go about this?

cfryanr commented 4 years ago

One possible way to support this would be to look for custom headers on the request which would specify the username/password for a password grant flow or the client_id/client_secret for a client credentials grant flow.

Since requests to the ingress are https, these headers would be encrypted, so it seems fairly safe to put secrets in the headers. Any other security concerns that should be considered?
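The header-driven client credentials exchange proposed above, modelled end to end in one process as an added example (this is not authservice code). The header names `x-oidc-client-id` / `x-oidc-client-secret`, the in-process `issue_token` endpoint standing in for the IdP, and the client registry are all assumptions constructed for the example. The proxy side strips the credential headers before forwarding, so the client secret never reaches the application container or its access logs, and a rejected grant yields the IdP's `error` code rather than a half-populated request.

```python
"""Header-driven OAuth 2.0 client credentials grant (RFC 6749 section 4.4), in-process.

Added example, not code from the authservice project. Header names, the toy
token endpoint and the client registry are assumptions for this illustration.
"""
import base64
import hmac
import json
import secrets
from dataclasses import dataclass, field
from urllib.parse import parse_qs, quote, unquote, urlencode

CLIENT_ID_HEADER = "x-oidc-client-id"          # assumed header names; the
CLIENT_SECRET_HEADER = "x-oidc-client-secret"  # issue does not fix them

# Constructed client registry standing in for the IdP's client store.
REGISTERED_CLIENTS = {"background-job": "s3cr3t-job-credential"}


@dataclass
class HttpMessage:
    headers: dict = field(default_factory=dict)
    body: str = ""
    status: int = 200


def basic_auth_header(client_id: str, client_secret: str) -> str:
    """RFC 6749 section 2.3.1: form-encode each part, join with ':', base64."""
    raw = f"{quote(client_id, safe='')}:{quote(client_secret, safe='')}"
    return "Basic " + base64.b64encode(raw.encode()).decode()


def issue_token(req: HttpMessage) -> HttpMessage:
    """Toy IdP token endpoint: authenticate the client, allow client_credentials only."""
    def error(status: int, code: str) -> HttpMessage:
        return HttpMessage(status=status, body=json.dumps({"error": code}))

    auth = req.headers.get("authorization", "")
    if not auth.startswith("Basic "):
        return error(401, "invalid_client")
    try:
        decoded = base64.b64decode(auth[len("Basic "):]).decode()
        client_id, client_secret = (unquote(p) for p in decoded.split(":", 1))
    except (ValueError, UnicodeDecodeError):  # bad base64, bad UTF-8, or no ':'
        return error(401, "invalid_client")
    expected = REGISTERED_CLIENTS.get(client_id)
    # Constant-time compare; an unknown client gets the same error as a bad secret.
    if expected is None or not hmac.compare_digest(expected.encode(), client_secret.encode()):
        return error(401, "invalid_client")
    if parse_qs(req.body).get("grant_type") != ["client_credentials"]:
        return error(400, "unsupported_grant_type")
    token = {"access_token": secrets.token_urlsafe(24),
             "token_type": "Bearer", "expires_in": 300}
    return HttpMessage(body=json.dumps(token))


def acquire_token(inbound_headers: dict, token_endpoint=issue_token):
    """Proxy side: swap header-carried client credentials for a bearer token.

    Returns (headers_to_forward, None) on success or (None, error_code).
    The credential headers are removed so the secret never reaches the app.
    """
    headers = {k.lower(): v for k, v in inbound_headers.items()}
    client_id = headers.pop(CLIENT_ID_HEADER, None)
    client_secret = headers.pop(CLIENT_SECRET_HEADER, None)
    if client_id is None or client_secret is None:
        return None, "missing_client_credentials"
    token_req = HttpMessage(
        headers={"authorization": basic_auth_header(client_id, client_secret),
                 "content-type": "application/x-www-form-urlencoded"},
        body=urlencode({"grant_type": "client_credentials", "scope": "openid"}),
    )
    resp = token_endpoint(token_req)
    if resp.status != 200:
        return None, json.loads(resp.body).get("error", "token_request_failed")
    headers["authorization"] = "Bearer " + json.loads(resp.body)["access_token"]
    return headers, None


if __name__ == "__main__":
    forward, err = acquire_token({"Host": "details",
                                  CLIENT_ID_HEADER: "background-job",
                                  CLIENT_SECRET_HEADER: "s3cr3t-job-credential"})
    print(err, forward)
```

A real deployment would POST `token_req` to the IdP's token endpoint over TLS instead of calling `issue_token`; the point of keeping both sides in one file is that the request and response shapes of the grant are visible together, and the strip-then-forward behaviour can be checked without a network.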

peterhaochen47 commented 4 years ago

The built-in Istio Authorization Policy handles the Service-to-service authZ use case. See this example (https://istio.io/docs/tasks/security/authorization/authz-http/) where they configure rule to make sure "only productpage app can talk to details app."
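The rule described in the linked Istio task, written out here as an added example (it is not authservice code): a workload-level AuthorizationPolicy that allows only the productpage service account to call the details app. The namespace, service account name and app label follow the Istio Bookinfo sample and are assumptions for any other deployment. Note that `principals` are derived from the peer's mTLS identity, so this only restricts callers when mTLS is enforced between the workloads.

```yaml
# Added example, not from the authservice project. Names follow the Istio
# Bookinfo sample (namespace default, app label details, service account
# bookinfo-productpage) and are assumptions for other deployments.
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: default
  namespace: default
spec:
  mtls:
    mode: STRICT            # principals below are only meaningful under mTLS
---
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: details-viewer
  namespace: default
spec:
  selector:
    matchLabels:
      app: details          # applies to the details workload's sidecar
  action: ALLOW
  rules:
  - from:
    - source:
        principals: ["cluster.local/ns/default/sa/bookinfo-productpage"]
    to:
    - operation:
        methods: ["GET"]    # any other source, or method, is denied once an ALLOW policy exists
```

With an ALLOW policy selecting the workload, every request that matches no rule is rejected, so a background job running under a different service account would get a 403 from the details sidecar without any token being exchanged.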

p53 commented 4 years ago

I would like to use this proxy outside of the Istio ecosystem...