Open deepu105 opened 2 years ago
I experienced the same issue today. I managed to get authorisation to work, I think, by editing the gateway virtual service. For some reason, it looks like calls are being made to /service/api/api, so adding the extra api to the virtual service kind of stopped the authorisation issue, but I am experiencing other issues where entities are not being returned.
I recall seeing this and created this branch https://github.com/jhipster/generator-jhipster/pull/17388, but it needs more testing. The expired token is ignored at the gateway side, but not at the microservice side, creating this infinite loop.
You are too fast Marcelo ❤️ I'll do some tests with your branch and let you know
I tested your branch, but the looping issue is still present, at least with Istio + k8s.
The PR was from a previous problem I found. Not actively working on this right now.
no worries
For some more context, normal microservices with a reactive gateway work fine with OAuth; it's only with Istio that there is an issue.
This bug isn't fixed in the latest version.
The right solution is removing the auth function from the code and then adding OPA config with Istio.
Ref: https://istio.io/latest/blog/2021/better-external-authz/ https://medium.com/google-cloud/external-authorization-server-with-istio-1159b21682bb
Probably, but the gateway is able to log in with OAuth, and the microservices hence should be able to auth using JWT, so maybe configuring OPA for that could work without removing auth.
Thanks & Regards, Deepu
@taoyonggang Can you provide a PR?
Hey @xetys could use some of your expertise here if you have time
I wasted one full day before landing here!
@ohmex do share what you learned. Maybe I missed something during my debugging
When creating a microservice stack with OAuth2 auth and deploying to Istio on GKE, authentication to microservices ends up in an infinite loop. The gateway application and authentication for that works, but if you try to access an API provided by one of the microservices, it will go into a loop. I was trying to get my standard e-commerce ms stack working with Keycloak and Okta and ended up here. Still trying to figure out what's going on. I don't see any authorization headers being passed around. But I don't see those headers for gateway APIs either, for example the customer endpoint served by store. I'm not sure if it's an Istio issue though, probably how auth is set up on the JH app side.
I'll get back to debugging it after the holidays, so in the meantime, if anyone wants to give it a shot, please go ahead.
Sample JDL