Questions about istio external authorization

Problem statement:

My goal is to have istio with an external authorization service (ideally HTTP, if not possible then GRPC would do as well). There is a requirement to be able to control what exact status code will be returned to client on authorization service. The latter requirement is the most problematic part.

My research

  • I have read istio documentation on external authorizer

  • I have made a prototype with HTTP Auth service, but whatever non 200 status code I return from Auth Service the client always receives 403 Forbidden

  • In mesh config specification I see the only possibility to set statusOnError but it will be used only in case auth service is unreachable and it can not be dynamically changed.

  • Also in envoy documentation for GRPC service I see possibility to set custom status

    HTTP attributes for a denied response.
    {
       "status": "{...}",
       "headers": [],
       "body": "..."
     }
    

Questions:

  1. Is having custom status possible only with GRPC auth service?
  2. Is istio using envoy API-V3 or API-V2?
  3. Any suggestion how to cook istio with external authorizer and custom status codes?


Solution 1:[1]

I made the GRPC Auth service prototype and found the answer. It is counter-intuitive, but the GRPC external auth service is really more flexible than the HTTP one. And it really allows setting an arbitrary status code.
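
Added example (not part of the original question or answer): the Istio configuration that routes authorization checks to a gRPC provider, so that the status in the denied response shown in the question reaches the client. The provider name, service host, port, namespace, labels and path are assumed placeholder values.

```yaml
# Fragment of the mesh config (for example, data.mesh in the "istio" ConfigMap).
# All names, hosts and ports below are assumed placeholders.
extensionProviders:
- name: sample-ext-authz-grpc
  envoyExtAuthzGrpc:
    service: ext-authz.foo.svc.cluster.local
    port: "9000"
    # Used only when the auth service cannot be reached or errors out;
    # it is static and does not control the status of a normal deny.
    statusOnError: "503"
    failOpen: false
# With an envoyExtAuthzHttp provider in the same list, the question's
# prototype always produced 403 Forbidden for any non-200 auth response.
---
# Policy that sends matching requests to the gRPC provider above.
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: ext-authz-grpc
  namespace: foo
spec:
  selector:
    matchLabels:
      app: httpbin
  action: CUSTOM
  provider:
    name: sample-ext-authz-grpc   # must match the extensionProviders entry
  rules:
  - to:
    - operation:
        paths: ["/headers"]
# On deny, the gRPC service fills the denied response of its CheckResponse
# (status, headers, body); Envoy returns that status to the client and
# falls back to 403 when the status is left unset.
```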

Sources

This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.

Source: Stack Overflow

Solution Source
Solution 1 Ivan