Epic: Oauth2 integration
As part of the larger work around enabling authentication in Contour, https://github.com/projectcontour/contour/issues/2459, we need to build an authorization server for Envoy to support OIDC
cc: @jpeach
xref #432 xref #2459 xref #2643
// cc https://github.com/envoyproxy/envoy/issues/8571
On Jul 9, 2020, at 4:07 AM, Steve Sloka [email protected] wrote:
Yep I’m aware of that one. But if we do external auth (which is needed IMHO), that can do OIDC. Adding a second direct OIDC API would be a big addition to the API surface area and not enable any new functionality.
also https://github.com/ajmyyra/ambassador-auth-oidc and https://medium.com/@robert.broeckelmann/when-to-use-which-oauth2-grants-and-oidc-flows-ec6a5c00d864
/cc @robinfoe
Hey I'm trying to add OIDC based workflows with Contour. I was primarily looking at oauth-proxy, blog post on using oauth-proxy with NGINX.
The primary usecase is to use Contour as a lightweight replacement for Istio with Knative Serving, KF Serving to be precise. I believe oauth-proxy adds options in terms of using GitHub, Google and other popular identity providers in addition to generic OIDC providers.
We're using https://github.com/ajmyyra/ambassador-auth-oidc + Dex (as the OIDC provider) in front of Istio IngressGateway in Kubeflow (KF Serving) currently.
FYI this is possible to implement with the new external authorization server API in 1.9. You can use the Istio authservice for inspiration: https://github.com/istio-ecosystem/authservice. They put together a pretty cool flow chart here. The key is to return HTTP redirects to the client.
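The redirect-based flow described in the comment above, as an added example: this is not Contour's code, nor contour-authserver or the Istio authservice. Contour's ExtensionService fronts a gRPC authorization service; to stay stand-alone this block speaks the HTTP flavour of Envoy's ext_authz instead, where a 200 from the authorization server allows the request and any other status, with its headers, is returned to the client, which is what makes the `Location` redirect land in the browser. The same `Decision` maps one-to-one onto a gRPC `CheckResponse`. The IdP endpoints, client id, cookie name and port are assumed placeholders, and the `/callback` handler that exchanges the code for tokens and then calls `AddSession` is not shown.

```go
package main

import (
	"crypto/rand"
	"encoding/base64"
	"net/http"
	"net/url"
	"strings"
	"sync"
)

// Authorizer makes the per-request decision an Envoy ext_authz service has to make.
type Authorizer struct {
	AuthorizeURL string // IdP authorization endpoint (assumed placeholder)
	ClientID     string // OAuth2 client id registered at the IdP (assumed placeholder)
	RedirectURI  string // callback served by this same server; its handler is not shown
	CookieName   string // session cookie that the callback issues

	mu       sync.Mutex
	sessions map[string]string // cookie value -> subject; stand-in for a real session store
	states   map[string]string // single-use state -> same-origin path to return to after login
}

func NewAuthorizer(authorizeURL, clientID, redirectURI string) *Authorizer {
	return &Authorizer{AuthorizeURL: authorizeURL, ClientID: clientID, RedirectURI: redirectURI,
		CookieName: "_oauth2_session", sessions: map[string]string{}, states: map[string]string{}}
}

// AddSession records an established session; the callback calls this after the code exchange.
func (a *Authorizer) AddSession(cookie, subject string) {
	a.mu.Lock()
	defer a.mu.Unlock()
	a.sessions[cookie] = subject
}

// ConsumeState returns the return-to path for a state and invalidates it (single use).
func (a *Authorizer) ConsumeState(state string) (string, bool) {
	a.mu.Lock()
	defer a.mu.Unlock()
	p, ok := a.states[state]
	delete(a.states, state)
	return p, ok
}

// Decision is the answer to Envoy: 200 lets the request through; any other status is
// returned to the client together with these headers, which carries the redirect.
type Decision struct {
	Status  int
	Headers map[string]string
}

// Check decides one request as Envoy forwarded it (original path, host and headers).
func (a *Authorizer) Check(r *http.Request) (Decision, error) {
	if c, err := r.Cookie(a.CookieName); err == nil {
		a.mu.Lock()
		subject, ok := a.sessions[c.Value]
		a.mu.Unlock()
		if ok {
			return Decision{Status: http.StatusOK, Headers: map[string]string{"X-Auth-Subject": subject}}, nil
		}
	}
	// No valid session: start the authorization code flow. A random single-use state
	// binds the callback to this request (login CSRF defence). Only a same-origin path
	// is kept as return-to, so the callback cannot become an open redirect
	// (a "//evil.example/..." request target is rejected as well).
	buf := make([]byte, 32)
	if _, err := rand.Read(buf); err != nil {
		return Decision{}, err
	}
	state := base64.RawURLEncoding.EncodeToString(buf)
	returnTo := r.URL.RequestURI()
	if !strings.HasPrefix(returnTo, "/") || strings.HasPrefix(returnTo, "//") {
		returnTo = "/"
	}
	a.mu.Lock()
	a.states[state] = returnTo
	a.mu.Unlock()

	q := url.Values{}
	q.Set("response_type", "code")
	q.Set("client_id", a.ClientID)
	q.Set("redirect_uri", a.RedirectURI)
	q.Set("scope", "openid profile email")
	q.Set("state", state)
	return Decision{Status: http.StatusFound,
		Headers: map[string]string{"Location": a.AuthorizeURL + "?" + q.Encode()}}, nil
}

// ServeHTTP adapts Check to the HTTP flavour of ext_authz; serve it with
// http.ListenAndServe(":9002", authorizer) and point Envoy's ext_authz http_service at it.
func (a *Authorizer) ServeHTTP(w http.ResponseWriter, r *http.Request) {
	d, err := a.Check(r)
	if err != nil {
		http.Error(w, "authorization unavailable", http.StatusInternalServerError)
		return
	}
	for k, v := range d.Headers {
		w.Header().Set(k, v)
	}
	w.WriteHeader(d.Status)
}
```

Two things to get right when wiring this up: `X-Auth-Subject` only reaches the upstream if it is listed in the ext_authz filter's `allowed_upstream_headers`, and the session cookie the callback sets must be `Secure`, `HttpOnly` and `SameSite`, since the cookie value is the entire proof of login from Envoy's point of view.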
We discussed this in a community meeting today.
Up until now, we have been directing people towards external authentication as a way to implement OIDC. However, as @xaleeks has mentioned on a few calls, having to install a separate controller for such a common use case is not ideal, particularly when the functionality can be accomplished using an inbuilt Envoy filter (https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/filters/http/oauth2/v3/oauth.proto).
So, this update is to say that Contour is committing to implementing the inbuilt OAuth filter in Envoy at some point. To begin with, we will need a design for how to implement the filter, including where the configuration lives, what exactly needs to be configured, what testing we'll need, and so on. This should occur within the 1.20 timeframe.
After that, the next step is implementation. Depending on how long the design takes, this may make it into Contour 1.20.
Once the implementation is complete, we will close out #4044, #4045 by doing a manual test of those providers, preferably with some guides as to how to set them up.
I have a reference config for oauth2, see if this helps. https://github.com/projectcontour/contour/issues/3185#issuecomment-816725397
@youngnick any update on this one? For the time being, are you aware of any Envoy-external-authorization compatible component that could be used for OAuth, so I could use Contour?
The only thing I could find was in oauth2-proxy, but upstream turned down the proposal: https://github.com/oauth2-proxy/oauth2-proxy/issues/958#issuecomment-932103074
Edit, ah I see, there's https://github.com/projectcontour/contour-authserver, which seems to have some support for OIDC.
Hi @flokli, the current update is that I'm still working on the design, sorry. I'm trying to get a working configuration first so that I can validate what I have in mind will actually work, but in order to do that, I'm having to PoC out the whole filter and its config. It's taking a lot longer than I would have liked.
The user experience on the filter is not amazing either - if anything at all goes wrong, Envoy will tell you very little, which means that we'll also need to work on:
- upstreaming some UX improvements
- really good validation to help people not miss things.
Again, I'm really sorry about the delays, making a design has turned out harder than I thought.
Authorino can also be used as an Envoy authorisation server but that also needs the OAuth filter to ensure that the request has the bearer token before the authorisation call.
@youngnick Happy to help review or test once you have a design.
I wonder if Contour would consider copying what Istio.io did by providing an EnvoyFilter CRD that allows us to use any of the envoy http filters with the gateway proxy. Here's an example of using it with the oauth2 filter: https://szczeles.github.io/OAuth2-based-authentication-on-Istio-powered-Kubernetes-clusters/
Envoy Proxy is working on their own Gateway implementation with support for the OAuth2 filter, but they're implementing it as an OAuth CRD instead. I prefer Istio's approach because it allows us to define whatever we want.
Could anyone please let me know when the OAuth2 integration for Contour will get released?
This would be really great! It's currently one of the blocking points to rollout contour. Is there any work item that one could start working on? Or is the general architecture still pending?
@davidgiga1993 this is still in need of a design in order to move forward. If you're interested in working on that, let us know. You can see other design docs here.