Skip to content

A WASM plugin for Envoy supporting the Open ID Connect Authorization Flow, extending Istio's JWT functionality

License

Notifications You must be signed in to change notification settings

dgn/oidc-filter

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

39 Commits
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 

Repository files navigation

oidc-filter

oidc-filter is a Wasm plugin for Envoy/Istio that will redirect users to a given authentication URI if they do not present a JWT token.

Features

  • Automatically redirect users with no active session to an OpenID Connect Authorization Server for authorization
  • Stores JWT in cookie and transparently writes it to Authorization header for every request

How do I use this thing?

Check out the examples/ directory.

Limitations

  • oidc-filter doesn't verify the JWTs yet (but Istio does that)
  • If the token has expired, AJAX calls with methods other than GET will fail on first attempt (but then succeed afterwards)
  • Not using state or nonce yet (so susceptible to replay attacks)

Development

  • Running make in the root of the repository will build plugin.wasm
  • Running make image will build a container image compatible with OpenShift Service Mesh 2.0+ and Istio 1.12+
  • See the examples/ directory for how to test your changes

TODO

  • Add option to replay POST requests after redirects (so that redirected AJAX calls don't fail)
    • Not sure if that's good behaviour

About

A WASM plugin for Envoy supporting the Open ID Connect Authorization Flow, extending Istio's JWT functionality

Topics

Resources

License

Stars

Watchers

Forks

Releases

No releases published

Packages

No packages published