An implementation of Envoy External Authorization, focused on delivering authN/Z solutions for Istio and Kubernetes.
authservice helps delegate the OIDC Authorization Code Grant Flow to the Istio mesh. authservice is compatible with any standard OIDC Provider as well as other Istio End-user Auth features, including Authentication Policy and RBAC. Together, they allow developers to protect their APIs and web apps without any application code required.
Some of the features it provides:
- Transparent login and logout
- Retrieves OAuth2 Access tokens, ID tokens, and refresh tokens
- Fine-grained control over which URL paths are protected
- Session management
- Configuration of session lifetime and idle timeouts
- Refreshes expired tokens automatically
- Compatible with any standard OIDC Provider
- Supports multiple OIDC Providers for the same application
- Trusts custom CA certs when talking to OIDC Providers
- Works either at the sidecar or gateway level
The authservice images are hosted on authservice's GitHub Package Registry.
Please refer to the bookinfo-example directory for an example of how to use the Authservice.
Refer to the configuration options guide for all of the available configuration options.
We have created a flowchart to explain how authservice makes decisions at different points in the login lifecycle.
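To make the login-lifecycle decisions concrete, here is an added example (not authservice's own code, and not its configuration format) that models the choices an OIDC-delegating external authorizer makes for each request: unprotected path, no session, login callback, valid session, expired access token, and timed-out session. The protected prefixes, IdP endpoint, client id, lifetimes and the in-memory token endpoint are all constructed for illustration.

```python
"""Added example (not authservice's code): a simplified model of the decisions an
OIDC-delegating external authorizer makes at each point in the login lifecycle.
All names, endpoints and tokens below are constructed for illustration."""
import secrets
import time
from dataclasses import dataclass, field
from typing import Optional
from urllib.parse import urlencode, parse_qs, urlparse

# Constructed settings (hypothetical values, not a real deployment)
PROTECTED_PREFIXES = ("/api/", "/account")
AUTHORIZE_URI = "https://idp.example/authorize"
CALLBACK_PATH = "/oauth/callback"
LOGOUT_PATH = "/logout"
CLIENT_ID = "bookinfo-client"
SESSION_LIFETIME = 3600      # absolute session lifetime (seconds)
IDLE_TIMEOUT = 600           # idle timeout (seconds)


@dataclass
class Session:
    created: float
    last_seen: float
    state: Optional[str] = None          # pending login state (binds callback to this session)
    access_token: Optional[str] = None
    refresh_token: Optional[str] = None
    access_expires: float = 0.0


@dataclass
class Decision:
    action: str                          # "allow", "redirect" or "deny"
    location: Optional[str] = None       # redirect target, if any
    headers: dict = field(default_factory=dict)


def fake_token_endpoint(grant_type, **params):
    """Constructed stand-in for the IdP token endpoint (not a real OIDC call)."""
    if grant_type == "authorization_code" and params.get("code") == "good-code":
        return {"access_token": "at-1", "refresh_token": "rt-1", "expires_in": 300}
    if grant_type == "refresh_token" and params.get("refresh_token") == "rt-1":
        return {"access_token": "at-2", "refresh_token": "rt-1", "expires_in": 300}
    return None


class Authorizer:
    def __init__(self, token_endpoint=fake_token_endpoint):
        self.sessions = {}               # session cookie value -> Session
        self.token_endpoint = token_endpoint

    def _session(self, cookie, now):
        s = self.sessions.get(cookie) if cookie else None
        if s is None:
            return None
        # enforce the absolute lifetime and the idle timeout
        if now - s.created > SESSION_LIFETIME or now - s.last_seen > IDLE_TIMEOUT:
            del self.sessions[cookie]
            return None
        s.last_seen = now
        return s

    def _start_login(self, now):
        # new session holding a fresh state; the browser is sent to the IdP
        sid = secrets.token_urlsafe(16)
        state = secrets.token_urlsafe(16)
        self.sessions[sid] = Session(created=now, last_seen=now, state=state)
        query = urlencode({"response_type": "code", "client_id": CLIENT_ID,
                           "redirect_uri": "https://app.example" + CALLBACK_PATH,
                           "scope": "openid", "state": state})
        return Decision("redirect", f"{AUTHORIZE_URI}?{query}", {"set-cookie": sid})

    def check(self, path, cookie=None, now=None):
        now = time.time() if now is None else now
        url = urlparse(path)
        s = self._session(cookie, now)
        if url.path == LOGOUT_PATH:
            self.sessions.pop(cookie, None)          # transparent logout
            return Decision("redirect", "/")
        if url.path == CALLBACK_PATH:
            q = parse_qs(url.query)
            if s is None or s.state is None or q.get("state", [None])[0] != s.state:
                return Decision("deny")              # state mismatch: stale or forged callback
            tokens = self.token_endpoint("authorization_code", code=q.get("code", [None])[0])
            if tokens is None:
                return Decision("deny")
            s.state = None
            s.access_token = tokens["access_token"]
            s.refresh_token = tokens["refresh_token"]
            s.access_expires = now + tokens["expires_in"]
            return Decision("redirect", "/")
        if not url.path.startswith(PROTECTED_PREFIXES):
            return Decision("allow")                 # path is not protected
        if s is None or s.access_token is None:
            return self._start_login(now)            # no session: begin the code flow
        if now >= s.access_expires:                  # refresh an expired access token
            tokens = self.token_endpoint("refresh_token", refresh_token=s.refresh_token)
            if tokens is None:
                return self._start_login(now)
            s.access_token = tokens["access_token"]
            s.access_expires = now + tokens["expires_in"]
        return Decision("allow", headers={"authorization": "Bearer " + s.access_token})
```

The state value is stored in the cookie-bound session before the redirect, so a callback is only accepted from the browser that started the login; session expiry is checked on every request, so an idle or aged-out session simply restarts the flow instead of being served with a stale token.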
To get started, see the authservice GitHub project.
Additional features being considered:
- A more Istio-integrated experience of deploying/configuring/enabling authservice (e.g. extending Istio Authentication Policy to include authservice configs).
We welcome feedback and contributions. Aside from submitting GitHub issues/PRs, you can reach out in the #oidc-proposal or #security channel on Istio's Slack workspace (here's how to join).