An implementation of Envoy External Authorization, focused on delivering authN/Z solutions for Istio and Kubernetes.

authservice helps delegate the OIDC Authorization Code Grant Flow to the Istio mesh. authservice is compatible with any standard OIDC Provider as well as other Istio End-user Auth features, including Authentication Policy and RBAC. Together, they allow developers to protect their APIs and web apps without any application code required.

The authservice images are hosted on authservice's GitHub Package Registry. NOTE: Github Package Registry currently does NOT work with Kubernetes. This issue is expected to be fixed and released soon. For the time being, you need to manually docker pull the image from Github Package Registry and docker push it to your own image registry (e.g. Docker Hub) in order to use it with Kubernetes.

Please refer to the bookinfo-example directory for an example integration.

See the Makefile for common tasks.

See the authservice github Project

Features not yet implemented:

• Token renewal via refresh token.
• Start new flow to fetch new tokens when either the ID token or the access token has expired.
• Support multiple IDPs for the same app.
• Support adding ext_authz filter and using the authservice on the Istio ingress gateway.

Additional features being considered:

• A more Istio-integrated experience of deploying/configuring/enabling authservice (e.g.: extending Istio Authentication Policy to include authservice configs).

We welcome feedback and contributions. Aside from submitting Github issues/PRs, you can reach out at #oidc-proposal or #security channel on Istio’s Slack workspace (here's how to join).