OIDC Overview
The Istio Authservice is configured in a JSON file, located by default at `/etc/authservice/config.json`. You can customize this by setting the `--config-path` startup flag in the authservice deployment, but the examples in this documentation site will assume the default location.
The full reference for the config file can be found directly in the configuration protobuf definitions.
Complete example
This is a complete example of a simple OIDC configuration showing most of the common options. This can be used as a starting point to build custom OIDC configurations:
```json
{
  "listen_address": "0.0.0.0",
  "listen_port": 10003,
  "log_level": "debug",
  "chains": [
    {
      "name": "keycloak",
      "filters": [
        {
          "oidc": {
            "configuration_uri": "https://example.com:9443/realms/master/.well-known/openid-configuration",
            "proxy_uri": "http://idp-proxy:9000",
            "callback_uri": "https://example.com:8443/callback",
            "client_id": "authservice",
            "client_secret": "authservice-secret",
            "cookie_name_prefix": "authservice",
            "jwks_fetcher": {
              "jwks_uri": "https://example.com:9443/realms/master/protocol/openid-connect/certs",
              "skip_verify_peer_cert": true
            },
            "id_token": {
              "preamble": "Bearer",
              "header": "authorization"
            },
            "access_token": {
              "header": "x-access-token"
            },
            "logout": {
              "path": "/logout",
              "redirect_uri": "https://example.com:9443/realms/master/protocol/openid-connect/logout"
            },
            "redis_session_store_config": {
              "server_uri": "redis://redis:6379"
            },
            "trusted_certificate_authority_file": "/etc/authservice/certs/ca.crt",
            "trusted_certificate_authority_refresh_interval": "60.25s"
          }
        }
      ]
    }
  ]
}
```
Global config options
The following main global configuration options are available:
| Property | Description |
|---|---|
| listen_address | Address to bind |
| listen_port | Port where the Envoy ext-authz API is exposed |
| log_level | Log level to use. When just a level is provided (`info`, `debug`, etc.), it configures logging globally. Individual loggers can be configured in a comma-separated string by prefixing the level with the logger name and a colon, e.g. `oidc:debug,config:debug` |
Identity Provider configuration
There are different options to configure the Identity Provider integration. The main options are:
- Dynamic and static Identity Provider URL configuration.
- Custom JWK token refresher configuration.
- Client credentials configuration inline or in Kubernetes secrets.
The following sections show examples of the main different options:
URL configuration
Dynamic configuration:

| Property | Description |
|---|---|
| configuration_uri | URL of the OIDC well-known endpoint |
| callback_uri | Value used as the redirect_uri param of the authorization code grant Authentication Request |

```json
"oidc": {
  "configuration_uri": "https://example.com:9443/realms/master/.well-known/openid-configuration",
  "callback_uri": "https://example.com:8443/callback",
  (...)
}
```

Static configuration:

| Property | Description |
|---|---|
| authorization_uri | OIDC Provider's authorization endpoint |
| token_uri | OIDC Provider's token endpoint |
| jwks_uri | URL to get the JSON Web Keys used to validate the Identity Provider tokens |
| callback_uri | Value used as the redirect_uri param of the authorization code grant Authentication Request |

```json
"oidc": {
  "authorization_uri": "https://example.com:9443/realms/master/protocol/openid-connect/auth",
  "token_uri": "https://example.com:9443/realms/master/protocol/openid-connect/token",
  "jwks_fetcher": {
    "jwks_uri": "https://example.com:9443/realms/master/protocol/openid-connect/certs"
  },
  "callback_uri": "https://myapp:8443/callback",
  (...)
}
```
JWK token refresher
By default, the authservice will watch the JWKS URI for changes and update automatically when the signing keys are updated. The following configuration options can be used to customize the JWKS refresh process:
| Property | Description |
|---|---|
| jwks_uri | URL to get the JSON Web Keys used to validate the Identity Provider tokens |
| periodic_fetch_interval_sec | Polling interval in seconds for the JWKS document |
| skip_verify_peer_cert | Skip the certificate verification for the JWKS endpoint |
```json
"oidc": {
  "jwks_fetcher": {
    "jwks_uri": "https://example.com:9443/realms/master/protocol/openid-connect/certs",
    "periodic_fetch_interval_sec": 1200,
    "skip_verify_peer_cert": false
  },
  (...)
}
```
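To make the refresh behaviour concrete, here is an added Python model of a JWKS cache that re-polls the jwks_uri at most once per periodic_fetch_interval_sec, resolves keys by `kid`, and keeps the last good key set when a poll fails. It is illustrative code written for this page, not authservice's implementation; the JWKS documents and the fetch function are constructed stand-ins.

```python
import time

# Constructed JWKS documents standing in for successive polls of the jwks_uri
# (sample data, not keys from any real identity provider; "n" values are truncated).
JWKS_BEFORE_ROTATION = {"keys": [{"kid": "key-2023", "kty": "RSA", "use": "sig", "e": "AQAB", "n": "..."}]}
JWKS_AFTER_ROTATION = {"keys": [{"kid": "key-2024", "kty": "RSA", "use": "sig", "e": "AQAB", "n": "..."}]}

class JwksCache:
    """Signing-key cache re-polled at most every `interval_sec` seconds (a hypothetical
    model of the periodic_fetch_interval_sec behaviour, not authservice's own code)."""

    def __init__(self, fetch, interval_sec, clock=time.monotonic):
        self.fetch = fetch          # callable returning the parsed JWKS document
        self.interval = interval_sec
        self.clock = clock
        self.keys = {}              # kid -> JWK
        self.fetched_at = None

    def refresh(self):
        """Re-fetch the JWKS; on failure keep the last good key set instead of emptying it."""
        try:
            doc = self.fetch()
        except Exception:
            return False
        self.keys = {k["kid"]: k for k in doc.get("keys", []) if "kid" in k}
        self.fetched_at = self.clock()
        return True

    def key_for(self, kid):
        """Return the JWK matching a token header's `kid`, polling first if the interval elapsed."""
        if self.fetched_at is None or self.clock() - self.fetched_at >= self.interval:
            self.refresh()
        return self.keys.get(kid)

def demo():
    """Walk a key rotation and an IdP outage with a fake clock; returns one bool per step."""
    now = [0]
    responses = [JWKS_BEFORE_ROTATION, JWKS_AFTER_ROTATION]   # a third poll finds nothing: simulated outage
    cache = JwksCache(lambda: responses.pop(0), interval_sec=1200, clock=lambda: now[0])
    steps = [cache.key_for("key-2023") is not None]     # first lookup triggers the initial poll
    now[0] = 600
    steps.append(cache.key_for("key-2024") is not None)  # rotated key not visible until the next poll
    now[0] = 1200
    steps.append(cache.key_for("key-2024") is not None)  # interval elapsed: new key picked up
    steps.append(cache.key_for("key-2023") is not None)  # retired key is gone
    now[0] = 2400
    steps.append(cache.key_for("key-2024") is not None)  # poll fails, last good key set still serves
    return steps
```

A token signed with a key rotated in between two polls is unverifiable until the next poll, which is the trade-off that periodic_fetch_interval_sec tunes.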
Client credentials
Client credentials can be configured inline or loaded from a Kubernetes secret.
Kubernetes secret:

| Property | Description |
|---|---|
| client_id | The OIDC Client ID to use |
| client_secret_ref | Kubernetes namespace and name of the Secret containing the OIDC Client Secret. |

```json
"oidc": {
  "client_id": "authservice",
  "client_secret_ref": {
    "namespace": "authservice",
    "name": "client-secret"
  },
  (...)
}
```

Inline:

| Property | Description |
|---|---|
| client_id | The OIDC Client ID to use |
| client_secret | The OIDC Client Secret to use |

```json
"oidc": {
  "client_id": "authservice",
  "client_secret": "Z22A1NVpMWfRNfwP7v7FKfXAshN4Zf0u",
  (...)
}
```
Session store configuration
By default session information is stored in-memory, but it is possible to configure a Redis backend to store the session information. This is convenient when scaling the authservice horizontally, so that all replicas see the same session status.
To enable the Redis session store, simply add the following configuration to the OIDC settings:
| Property | Description |
|---|---|
| server_uri | URL of the Redis service to use to store sessions |

```json
"oidc": {
  "redis_session_store_config": {
    "server_uri": "redis://redis:6379"
  },
  (...)
}
```
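As an added example, not part of this page or of the authservice project, the following Python script reads a config.json in the format used throughout the sections above and reports the settings a reviewer would want to look at: `skip_verify_peer_cert`, non-HTTPS endpoints, an inline `client_secret`, the in-memory session store, and loggers set to debug. The embedded sample config is constructed with placeholder hosts and secret.

```python
import json

# Constructed sample modelled on the complete example on this page; hostnames and the
# secret are placeholders, not values from any real deployment.
SAMPLE_CONFIG = """{
  "listen_address": "0.0.0.0", "listen_port": 10003, "log_level": "oidc:debug,config:info",
  "chains": [{"name": "keycloak", "filters": [{"oidc": {
    "configuration_uri": "https://idp.example.test/realms/master/.well-known/openid-configuration",
    "callback_uri": "https://app.example.test/callback",
    "client_id": "authservice", "client_secret": "placeholder-secret",
    "jwks_fetcher": {"jwks_uri": "http://idp.example.test/realms/master/protocol/openid-connect/certs",
                     "skip_verify_peer_cert": true}}}]}]}"""

def parse_log_level(value):
    """Parse log_level: a bare level applies globally ("*"); otherwise comma-separated logger:level pairs."""
    levels = {}
    for part in value.split(","):
        name, sep, level = part.strip().partition(":")
        levels["*" if not sep else name] = level if sep else name
    return levels

def audit_oidc(oidc):
    """Return the review findings for one oidc filter block."""
    findings = []
    fetcher = oidc.get("jwks_fetcher", {})
    if fetcher.get("skip_verify_peer_cert") is True:
        findings.append("jwks_fetcher.skip_verify_peer_cert is true: JWKS endpoint certificate is not verified")
    uris = [(k, oidc.get(k)) for k in ("configuration_uri", "authorization_uri", "token_uri", "callback_uri")]
    uris.append(("jwks_fetcher.jwks_uri", fetcher.get("jwks_uri")))
    for key, uri in uris:
        if uri and not uri.startswith("https://"):
            findings.append(f"{key} is not https: {uri}")
    if "client_secret" in oidc:
        findings.append("client_secret is inline: prefer client_secret_ref to a Kubernetes Secret")
    if "redis_session_store_config" not in oidc:
        findings.append("no redis_session_store_config: in-memory sessions are per replica")
    return findings

def audit_config(text):
    """Audit a whole config.json; returns {"global": [...], <chain name>: [...]}."""
    cfg = json.loads(text)
    report = {"global": []}
    debug = [name for name, lvl in parse_log_level(cfg.get("log_level", "info")).items() if lvl == "debug"]
    if debug:
        report["global"].append("debug logging enabled for: " + ", ".join(debug))
    for chain in cfg.get("chains", []):
        for filt in chain.get("filters", []):
            if "oidc" in filt:
                report.setdefault(chain["name"], []).extend(audit_oidc(filt["oidc"]))
    return report
```

Run it against a real file with `audit_config(open("/etc/authservice/config.json").read())`; each chain gets its own list of findings.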