Skip to main content
logoIstio AuthserviceVersion: Next


The Istio Authservice can be used as an Istio External Authorization service. Configuring Istio to use the authservice requires the following:

  • Mounting the OIDC Configuration file in the authservice pod.
  • Defining an Extension Provider pointing to the authservice Kubernetes service.
  • Configuring an Istio AuthorizationPolicy to intercept traffic and forward it to the defined extension provider.
  1. Mounting the OIDC configuration

    The authservice expects the configuration file to be in: /etc/authservice/config.json. You can customize this by setting the --config-path startup flag in the authservice deployment, but the examples in this documentation site will assume the default location.

    To configure authservice, simply define a Kubernetes ConfigMap that provides the configuration file, like in the example below:

    kind: ConfigMap
    apiVersion: v1
    name: authservice-config
    namespace: authservice
    config.json: |
    "listen_address": "",
    "listen_port": "10003",
    "log_level": "debug",
    "allow_unmatched_requests": false,
    "chains": [
    "name": "keycloak",
    "filters": [
    <OIDC config options>

    Refer to the OIDC Configuration Guide for a detailed list of the available OIDC configuration options.

  2. Custom extension provider

    Once the authservice is up & running with the desired configuration, Istio needs to be configured to intercept traffic and forward it to the authservice. This can be done as explained below:

    First an the extension provider that points to where the authservice is deployed needs to be defined, as explained in the Istio External Authorization configuration Guide.

    The following example shows an example configuration that can be used in the values.yaml when configuring Istio with Helm:

    # Configure the backend for the Auth Service provider that can be used in AuthorizationPolicies
    # in CUSTOM mode.
    - name: authservice-grpc
    service: "authservice.authservice.svc.cluster.local" # K8s service for the authservice
    port: "10003" # authservice default gRPC port
  3. Authz enforcement

    Once the custom authorization service has been defined, an AuthorizationPolicy needs to be created to intercept traffic and forward it to the authservice for an access decision. This can be done by creating an AuthorizationPolicy with a CUSTOM action as follows:

    kind: AuthorizationPolicy
    name: authservice
    # Namespace where the policy will be applied. If this is the istio root namespace (istio-system) the
    # policy will apply to all workloads. Otherwise it will only apply to the services in the defined namespace.
    namespace: myapp-namespace
    # Action CUSTOM to delegate the access decision to the configured extension provider.
    action: CUSTOM
    # Name defined in the extensionProviders property in the MeshConfig
    # (the `istio` ConfigMap in the istio-system namespace)
    name: authservice-grpc
    # A single empty rule will force all requests to be forwarded to the external
    # authorization backend, as long as the workload is captured by the selectors
    # configured above.
    - {}