Add custom headers on invalid token

Open A923357 opened this issue 1 year ago • 10 comments

Hi everyone,

I'm currently working on implementing an OAuth solution that integrates KServe, Kubeflow, and Keycloak. However, I've encountered an issue where providing an invalid token results in a 302 redirect instead of the expected 4XX error response.

To address this, I attempted to modify and add EnvoyFilters with the goal of intercepting the redirect and injecting a custom header to filter the error. Unfortunately, these efforts did not produce the desired outcome.

My specific question is: Is there a way to add a custom header to the 302 redirect response specifically for KServe predict requests, differentiating them from login redirects originating from the Kubeflow GUI?

Any guidance, suggestions, or examples on how to achieve this would be greatly appreciated.

Thank you!

Best regards

A923357 avatar Oct 17 '24 09:10 A923357

DirectResponse supports customizing the response body now, but not headers. Can you make use of that body?

hzxuzhonghu avatar Oct 18 '24 03:10 hzxuzhonghu

Another choice is to make DirectResponse support custom headers.

zirain avatar Oct 18 '24 03:10 zirain

I think this is because Envoy does not support it.

hzxuzhonghu avatar Oct 18 '24 04:10 hzxuzhonghu

Taking this one as a first contribution, if that's okay. /assign

sachinkumarsingh092 avatar Oct 18 '24 11:10 sachinkumarsingh092

> Taking this one as a first contribution, if that's okay. /assign

This will need you to change things in Envoy first, then in Istio.

zirain avatar Oct 18 '24 11:10 zirain

Okay. I'm taking a look at the envoy project and will post a plan here soon. It'll be great if I get a +1 on that to proceed. Thanks :)

sachinkumarsingh092 avatar Oct 18 '24 11:10 sachinkumarsingh092

Made an issue for triaging in envoy: https://github.com/envoyproxy/envoy/issues/36696

sachinkumarsingh092 avatar Oct 18 '24 12:10 sachinkumarsingh092

```proto
// Specifies the content of the response body. If this setting is omitted,
// no body is included in the generated response.
//
// .. note::
//
//	Headers can be specified using ``response_headers_to_add`` in the enclosing
//	:ref:`envoy_v3_api_msg_config.route.v3.Route`, :ref:`envoy_v3_api_msg_config.route.v3.RouteConfiguration` or
//	:ref:`envoy_v3_api_msg_config.route.v3.VirtualHost`.
```

Looks like it's already supported.

zirain avatar Oct 18 '24 12:10 zirain

Oh thanks. That makes it easy. I'll comment and close the ticket to reduce noise.

sachinkumarsingh092 avatar Oct 18 '24 12:10 sachinkumarsingh092

```yaml
apiVersion: networking.istio.io/v1
kind: Gateway
metadata:
  name: httpbin-gateway
spec:
  selector:
    istio: ingressgateway
  servers:
    - port:
        number: 80
        name: http
        protocol: HTTP
      hosts:
        - "*"
---
apiVersion: networking.istio.io/v1
kind: VirtualService
metadata:
  name: httpbin
spec:
  hosts:
    - "*"
  gateways:
    - httpbin-gateway
  http:
    - match:
        - uri:
            prefix: /get
      headers:
        response:
          set:
            key1: val1
      directResponse:
        status: 200
        body:
          string: "this's a direct response\n"
    - route:
        - destination:
            host: httpbin
            port:
              number: 8000
```

DirectResponse worked as expected, but I'm thinking this isn't what you want? You want a way to customize the response when ext_authz returns 400/4xx?

Will Custom Response help?

zirain avatar Oct 18 '24 13:10 zirain

I think we can close this now? @A923357

sachinkumarsingh092 avatar Nov 02 '24 20:11 sachinkumarsingh092