An implementation of Envoy External Authorization, focused on delivering authN/Z solutions for Istio and Kubernetes.
authservice helps delegate the OIDC Authorization Code Grant Flow to the Istio mesh. authservice is compatible with any standard OIDC Provider as well as other Istio End-user Auth features, including Authentication Policy and RBAC. Together, they allow developers to protect their APIs and web apps without any application code required.
The authservice images are hosted on authservice's GitHub Package Registry.
NOTE: GitHub Package Registry currently does NOT work with Kubernetes. This issue is expected to be fixed and released soon. For the time being, you need to manually docker pull the image from GitHub Package Registry and docker push it to your own image registry (e.g. Docker Hub) in order to use it with Kubernetes.
Please refer to the bookinfo-example directory for an example integration.
See the Makefile for common tasks.
See the authservice GitHub Project
Features not yet implemented:
- Token renewal via refresh token.
- Start new flow to fetch new tokens when either the ID token or the access token has expired.
- Support multiple IDPs for the same app.
- Support adding the ext_authz filter and using the authservice on the Istio ingress gateway.
Additional features being considered:
- A more Istio-integrated experience of deploying/configuring/enabling authservice (e.g.: extending Istio Authentication Policy to include authservice configs).
We welcome feedback and contributions. Aside from submitting GitHub issues/PRs, you can reach out on the #oidc-proposal or #security channel on Istio's Slack workspace (here's how to join).