
Allow for use of JWT token authorization to workloads in the mesh

Open phillipgibson opened this issue 2 years ago • 7 comments

Please describe the Improvement and/or Feature Request

Allow for client JWT token to be used as an authz method to access workloads in the mesh.

Scope (please mark with X where applicable)

  • New Functionality [X]
  • Install [ ]
  • SMI Traffic Access Policy [X]
  • SMI Traffic Specs Policy [ ]
  • SMI Traffic Split Policy [ ]
  • Permissive Traffic Policy [ ]
  • Ingress [ ]
  • Egress [ ]
  • Envoy Control Plane [ ]
  • CLI Tool [ ]
  • Metrics [ ]
  • Certificate Management [X]
  • Sidecar Injection [ ]
  • Logging [ ]
  • Debugging [ ]
  • Tests [ ]
  • CI System [ ]
  • Demo [ ]
  • Project Release [ ]

Possible use cases

In a B2B or B2C scenario, a user is authenticated by an IDP that issues an authorization token; that same token can be used from the client side to access workload resources within the mesh.

phillipgibson avatar May 25 '22 17:05 phillipgibson

Note that this is currently possible by integrating with OPA https://github.com/openservicemesh/osm/issues/1874

steeling avatar May 25 '22 20:05 steeling

Do we want to be tied to OPA for enabling this, or have something more native?

phillipgibson avatar May 25 '22 22:05 phillipgibson

Maybe not long term, but getting data on if this unblocks people would be good. I'd be hesitant to prioritize this until we explicitly hear that folks can't use OPA.

steeling avatar May 26 '22 13:05 steeling

In my experience, setting up OPA is nontrivial for something that's as commoditized as JWT auth. For OPA, you've got to set up an OPA server, spend time learning Rego, craft policies that are just right, and figure out if the latency of an extra request is acceptable. With envoy's JWT filter, traffic never leaves the sidecar, and we're able to create a simpler abstraction. Just some food for thought

keithmattix avatar May 26 '22 13:05 keithmattix
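As an added illustration of the sidecar-local approach described in the comment above (this is not configuration from the issue or from the OSM project), here is what an Envoy `jwt_authn` HTTP filter looks like when the sidecar validates the client's token itself; the issuer, audience, JWKS URL and cluster name are assumed placeholders.

```yaml
# Added example: the sidecar verifies the JWT signature, issuer, audience
# and expiry locally, so no extra request to an external policy server is made.
# idp.example.com, bookstore-api and idp_jwks are assumed placeholders.

# (1) inside the HTTP connection manager's filter chain
http_filters:
- name: envoy.filters.http.jwt_authn
  typed_config:
    "@type": type.googleapis.com/envoy.extensions.filters.http.jwt_authn.v3.JwtAuthentication
    providers:
      example_idp:
        issuer: https://idp.example.com/          # must match the token's "iss" claim
        audiences:
        - bookstore-api                           # token must carry this "aud"
        from_headers:
        - name: Authorization
          value_prefix: "Bearer "
        forward: false                            # strip the token before it reaches the app
        remote_jwks:
          http_uri:
            uri: https://idp.example.com/.well-known/jwks.json
            cluster: idp_jwks                     # cluster used to fetch signing keys, see (2)
            timeout: 5s
          cache_duration: 600s                    # re-fetch keys every 10 minutes
        payload_in_metadata: jwt_payload          # expose claims to later filters (e.g. RBAC)
    rules:
    - match:
        prefix: /healthz                          # no "requires": health checks need no token
    - match:
        prefix: /
      requires:
        provider_name: example_idp                # everything else needs a valid token
- name: envoy.filters.http.router
  typed_config:
    "@type": type.googleapis.com/envoy.extensions.filters.http.router.v3.Router

# (2) under static_resources.clusters: TLS upstream for the JWKS fetch
clusters:
- name: idp_jwks
  type: STRICT_DNS
  load_assignment:
    cluster_name: idp_jwks
    endpoints:
    - lb_endpoints:
      - endpoint:
          address:
            socket_address: { address: idp.example.com, port_value: 443 }
  transport_socket:
    name: envoy.transport_sockets.tls
    typed_config:
      "@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.UpstreamTlsContext
      sni: idp.example.com
```

A request without a valid token for any path other than `/healthz` is rejected by the sidecar with 401 before reaching the workload; the claims placed in `jwt_payload` metadata can then drive a downstream RBAC filter for finer-grained authorization.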

I do feel that utilizing OPA for this feels heavy, especially if Envoy has the APIs ready for this.

phillipgibson avatar May 26 '22 13:05 phillipgibson

I agree with @keithmattix. I think relying on OPA is fine for an immediate solution to unblock users, but we should be making this a lot easier. I'd say we should prioritize this work in the mid-term and something we should strongly consider for an upcoming release.

trstringer avatar Jun 02 '22 19:06 trstringer

Added default label size/needed. Please consider re-labeling this issue appropriately.

github-actions[bot] avatar Jul 13 '22 00:07 github-actions[bot]

This issue will be closed due to a long period of inactivity. If you would like this issue to remain open then please comment or update.

github-actions[bot] avatar Jan 16 '23 00:01 github-actions[bot]

Issue closed due to inactivity.

github-actions[bot] avatar Jan 24 '23 00:01 github-actions[bot]