
Move OIDC token acquisition out of your app code and into the Istio mesh


pewpewp3w/authservice


An implementation of Envoy External Authorization, focused on delivering authN/Z solutions for Istio and Kubernetes.

Introduction

authservice delegates the OIDC Authorization Code Grant flow to the Istio mesh: Envoy calls it as an External Authorization (ext_authz) server, so the sidecar or gateway, rather than the application, redirects unauthenticated users to the provider, completes the code exchange and attaches the resulting tokens to requests. It works with any standard OIDC Provider and composes with Istio's other end-user authentication features, including Authentication Policy and RBAC. Together they let developers protect their APIs and web apps without any application code.

Some of the features it provides:

  • Transparent login and logout
    • Retrieves OAuth2 Access tokens, ID tokens, and refresh tokens
  • Fine-grained control over which URL paths are protected
  • Session management
    • Configuration of session lifetime and idle timeouts
    • Refreshes expired tokens automatically
  • Compatible with any standard OIDC Provider
  • Supports multiple OIDC Providers for same application
  • Trusts custom CA certs when talking to OIDC Providers
  • Works either at the sidecar or gateway level

Using the authservice docker image

The authservice images are hosted on authservice's GitHub Package Registry.

Usage

Please refer to the bookinfo-example directory for an example of how to deploy and configure authservice.

Refer to the configuration options guide for all of the available configuration options.

How does authservice work?

We have created a flowchart to explain how authservice makes decisions at different points in the login lifecycle.
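The login lifecycle described above, as an added example that is not code from the original page or from authservice itself: a small Python model of the decision an ext_authz OIDC filter takes for each request (unprotected path passes through; no session or an unfinished login redirects to the provider with state, nonce and a PKCE challenge; the callback is accepted only if state matches and the ID token carries the expected nonce; an expired token is refreshed silently; an idle session is dropped and login restarts). The provider endpoint, client_id, paths, cookie name and the FakeIdp are assumptions made for this example; PKCE is included as standard practice, and ID token signature verification is left out of the model.

```python
# Illustrative model, written for this page, of the per-request decisions an Envoy
# ext_authz OIDC filter makes. Not authservice's code: endpoint, client_id, paths,
# cookie name and FakeIdp are assumptions; PKCE is included as standard practice.
from __future__ import annotations
import base64, hashlib, json, secrets
from dataclasses import dataclass, field
from urllib.parse import parse_qs, urlencode, urlparse

IDP_AUTHORIZE = "https://idp.example.com/authorize"            # assumed IdP endpoint
CLIENT_ID, APP_ORIGIN = "bookinfo", "https://app.example.com"  # assumed
CALLBACK_PATH = "/oauth/callback"                              # assumed redirect_uri path
PROTECTED_PREFIXES = ("/productpage", "/api/")                 # assumed protected URL paths
SESSION_COOKIE = "session-id"                                  # assumed cookie name

def _b64url(raw: bytes) -> str: return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def _jwt_payload(token: str) -> dict:
    # Payload decode only; a real filter must verify the signature against the IdP JWKS first.
    seg = token.split(".")[1]
    return json.loads(base64.urlsafe_b64decode(seg + "=" * (-len(seg) % 4)))

@dataclass
class Session:
    state: str | None = None          # login-in-flight values; cleared once used
    nonce: str | None = None
    code_verifier: str | None = None
    original_url: str = "/"
    id_token: str | None = None       # set by the code exchange or a refresh
    refresh_token: str | None = None
    expires_at: float = 0.0
    last_seen: float = 0.0

@dataclass
class Decision:
    action: str                       # "allow", "redirect" or "deny"
    headers: dict = field(default_factory=dict)

class OidcAuthzFilter:
    def __init__(self, token_endpoint, idle_timeout=900):
        self.token_endpoint = token_endpoint   # callable(grant_type, **params) -> dict | None
        self.idle_timeout = idle_timeout
        self.sessions = {}                     # session id -> Session, kept server side only

    def check(self, url: str, cookies: dict, now: float) -> Decision:
        parsed = urlparse(url)
        if parsed.path == CALLBACK_PATH:
            return self._callback(parsed, cookies, now)
        if not parsed.path.startswith(PROTECTED_PREFIXES):
            return Decision("allow")           # unprotected path: pass through untouched
        s = self._session(cookies, now)
        if s is None or s.id_token is None:
            return self._start_login(url, now) # no session, idle-expired, or login never finished
        if now >= s.expires_at:                # expired: refresh silently, fall back to a new login
            tokens = s.refresh_token and self.token_endpoint("refresh_token", refresh_token=s.refresh_token)
            if not tokens:
                return self._start_login(url, now)
            self._store(s, tokens, now)
        s.last_seen = now
        return Decision("allow", {"Authorization": f"Bearer {s.id_token}"})

    def _session(self, cookies, now):
        sid = cookies.get(SESSION_COOKIE)
        s = self.sessions.get(sid)
        if s and now - s.last_seen > self.idle_timeout:
            del self.sessions[sid]             # idle timeout: forget the session entirely
            return None
        return s

    def _start_login(self, original_url, now):
        sid, verifier = secrets.token_urlsafe(32), secrets.token_urlsafe(48)
        s = Session(state=secrets.token_urlsafe(16), nonce=secrets.token_urlsafe(16),
                    code_verifier=verifier, original_url=original_url, last_seen=now)
        self.sessions[sid] = s
        q = {"response_type": "code", "client_id": CLIENT_ID, "scope": "openid",
             "redirect_uri": APP_ORIGIN + CALLBACK_PATH, "state": s.state, "nonce": s.nonce,
             "code_challenge": _b64url(hashlib.sha256(verifier.encode()).digest()),
             "code_challenge_method": "S256"}
        return Decision("redirect", {"Location": f"{IDP_AUTHORIZE}?{urlencode(q)}",
                                     "Set-Cookie": f"{SESSION_COOKIE}={sid}; HttpOnly; Secure; SameSite=Lax"})

    def _callback(self, parsed, cookies, now):
        s = self._session(cookies, now)
        q = {k: v[0] for k, v in parse_qs(parsed.query).items()}
        if s is None or s.state is None or q.get("state") != s.state:
            return Decision("deny")            # no login in flight, or state mismatch (CSRF / mix-up)
        tokens = self.token_endpoint("authorization_code", code=q.get("code", ""),
                                     code_verifier=s.code_verifier)
        if not tokens or _jwt_payload(tokens["id_token"]).get("nonce") != s.nonce:
            return Decision("deny")            # exchange failed, or ID token not minted for this login
        self._store(s, tokens, now)
        s.state = s.nonce = s.code_verifier = None   # one-shot values: a replayed callback is denied
        return Decision("redirect", {"Location": s.original_url})

    @staticmethod
    def _store(s, tokens, now):
        s.id_token = tokens["id_token"]
        s.refresh_token = tokens.get("refresh_token", s.refresh_token)
        s.expires_at = now + tokens.get("expires_in", 300)
        s.last_seen = now

class FakeIdp:
    """Constructed offline stand-in for the provider; mints unsigned placeholder JWTs."""
    def __init__(self):
        self.codes, self.refreshes = {}, 0      # code -> (nonce, code_challenge); refresh count

    def login(self, location: str) -> str:
        # Simulates the user authenticating at the IdP and being sent back to the app.
        q = {k: v[0] for k, v in parse_qs(urlparse(location).query).items()}
        code = secrets.token_urlsafe(8)
        self.codes[code] = (q["nonce"], q["code_challenge"])
        return f"{CALLBACK_PATH}?{urlencode({'code': code, 'state': q['state']})}"

    def token(self, grant_type, **p):
        nonce = None
        if grant_type == "authorization_code":
            entry = self.codes.pop(p.get("code"), None)
            if entry is None or entry[1] != _b64url(hashlib.sha256(p["code_verifier"].encode()).digest()):
                return None                    # unknown or already-used code, or PKCE verifier mismatch
            nonce = entry[0]
        else:
            self.refreshes += 1
        payload = _b64url(json.dumps({"sub": "alice", "nonce": nonce}).encode())
        return {"id_token": f"{_b64url(b'{}')}.{payload}.", "refresh_token": "r1", "expires_in": 300}
```

Drive it by calling check() with a URL, the browser's cookies and a clock value: the first protected request yields a redirect plus a session cookie, FakeIdp.login() turns that redirect into the callback URL the browser would follow, and later requests are allowed with an Authorization header until the token expires (refresh) or the session idles out (new login). The session store is server side, so cookies carry only an opaque identifier, never the tokens themselves.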

Developer Notes

See the Makefile for common tasks.

If you are developing on a Mac, this setup guide may be helpful.

To build authservice with Clang, first set up clang.bazelrc, then build with the --config=clang option in Bazel:

./bazel/setup_clang.sh <path-to-clang>
bazel build //src/main:all  --config clang

To build a FIPS-compliant version (BoringSSL FIPS module), add --define boringssl=fips:

bazel build //src/main:all  --config clang --define boringssl=fips

To build in a containerized environment with custom Bazel arguments:

export CONTAINER_REGISTRY=gcr.io/your-project
docker build --build-arg bazel_flags="--config=clang" \
  -t ${CONTAINER_REGISTRY}/authservice:latest \
  -f ./build/Dockerfile.build .

Roadmap

See the authservice GitHub Project.

Additional features being considered:

  • A more Istio-integrated experience of deploying/configuring/enabling authservice (e.g.: extending Istio Authentication Policy to include authservice configs).

Contributing & Contact

We welcome feedback and contributions. Aside from submitting GitHub issues/PRs, you can reach out in the #oidc-proposal or #security channel on Istio's Slack workspace (here's how to join).


Languages

  • C++ 91.9%
  • Starlark 6.5%
  • Other 1.6%