Basic authentication

tesujis...@gmail.com

Apr 22, 2020, 7:04:35 PM
to envoy-users
Together with some colleagues I've been trying to get some basic authentication to work with Envoy. It seems we're almost there, but can't quite get it to work. We have a very simple service in Python listening on port 4040, another auth service in Python on port 4041, and Envoy on port 80.
When I configure these, I get the proper responses when we don't pass a username/password and I get "Basic XXX not authenticated" for a user with the wrong password. But if I pass the correct username/password, it looks like my request is being handled by the auth-service rather than being forwarded to the 'simple' service on port 4040, returning a 404 with some HTML output.

When I remove the envoy.ext_authz config section from http_filters, my requests are forwarded to the simple service at 4040 just fine.

Does anyone know of any documentation on how to set up authentication for Envoy? Searching online seems to give us very little. The official Envoy page hardly has anything on authentication. Any help or pointers will be greatly appreciated.

    Mark Boon - VMware


(Below is my YAML in case anyone sees a glaring mistake by any chance. It seems suspect that we can put anything after "uri" for the http_service and it doesn't change anything.)

static_resources:
  listeners:
  - address:
      socket_address:
        address: 0.0.0.0
        port_value: 80
    filter_chains:
    - filters:
      - name: envoy.http_connection_manager
        typed_config:
          "@type": type.googleapis.com/envoy.config.filter.network.http_connection_manager.v2.HttpConnectionManager
          codec_type: auto
          access_log:
            name: envoy.file_access_log
            typed_config:
              "@type": type.googleapis.com/envoy.config.accesslog.v2.FileAccessLog
              path: /usr/envoy/logs/access_log.txt
          stat_prefix: ingress_http
          route_config:
            name: local_route
            virtual_hosts:
            - name: service
              domains:
              - "*"
              routes:
              - match:
                  prefix: "/service"
                route:
                  cluster: local_service
          http_filters:
          - name: envoy.ext_authz
            config:
              http_service:
                server_uri:
                  uri: authz:4041
                  cluster: ext-authz
                  timeout: 0.25s
                allowed_request_headers:
                - Authorization
          - name: envoy.router
            typed_config: {}
  clusters:
  - name: ext-authz
    connect_timeout: 0.25s
    type: static
    lb_policy: round_robin
    hosts:
    - socket_address:
        address: 127.0.0.1
        port_value: 4041
  - name: local_service
    connect_timeout: 0.25s
    type: strict_dns
    lb_policy: round_robin
    load_assignment:
      cluster_name: local_service
      endpoints:
      - lb_endpoints:
        - endpoint:
            address:
              socket_address:
                address: 127.0.0.1
                port_value: 4040
admin:
  access_log_path: "/dev/null"
  address:
    socket_address:
      address: 0.0.0.0
      port_value: 8082
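
An added example, not code from this thread: a minimal Python HTTP authorization service for Envoy's ext_authz filter. Envoy sends the check request with the client's original method and path and treats only a 200 response as allow, so this handler decides on the Authorization header alone and never routes on the path. The USERS table, its credentials and the function names are constructed for illustration; port 4041 matches the config above.

```python
import base64
import hmac
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed sample credentials, for the example only.
USERS = {"alice": "correct horse"}


def check_basic(header):
    """Return the username for valid Basic credentials, else None."""
    if not header or not header.startswith("Basic "):
        return None
    try:
        decoded = base64.b64decode(header[6:], validate=True).decode("utf-8")
    except ValueError:  # covers bad base64 and bad UTF-8
        return None
    user, _, password = decoded.partition(":")
    expected = USERS.get(user)
    # Always run the constant-time comparison, even for unknown users.
    ok = hmac.compare_digest(password.encode(), (expected or "").encode())
    return user if expected is not None and ok else None


def decide(header):
    """Map a check request to (status, headers); the path plays no part."""
    if check_basic(header) is None:
        return 401, {"WWW-Authenticate": 'Basic realm="service"'}
    # Only 200 means "allow"; a 404 from path routing would be a deny.
    return 200, {}


class AuthzHandler(BaseHTTPRequestHandler):
    def _check(self):
        status, headers = decide(self.headers.get("Authorization"))
        self.send_response(status)
        for name, value in headers.items():
            self.send_header(name, value)
        self.send_header("Content-Length", "0")
        self.end_headers()

    # The check arrives with the client's method, so answer all of them alike.
    do_GET = do_POST = do_PUT = do_DELETE = do_HEAD = _check


if __name__ == "__main__":
    HTTPServer(("127.0.0.1", 4041), AuthzHandler).serve_forever()
```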

Amit Chaudhary

Jul 3, 2020, 2:38:40 PM
to envoy-users
There is a JWT token filter in Envoy for JWT authentication... otherwise write your own OIDC filter.

lu lu

Aug 27, 2020, 5:37:39 AM
to envoy-users
Is there any OIDC filter that can be referenced? Thanks!