Awesome
oidc-filter
oidc-filter
is a Wasm plugin for Envoy/Istio that will redirect users to a given authentication URI if they do not present a JWT token.
Features
- Automatically redirect users with no active session to an OpenID Connect Authorization Server for authorization
- Stores JWT in cookie and transparently writes it to
Authorization
header for every request
How do I use this thing?
Check out the examples/ directory.
Limitations
- oidc-filter doesn't verify the JWTs yet (but Istio does that)
- If the token has expired, AJAX calls with methods other than GET will fail on first attempt (but then succeed afterwards)
- Not using state or nonce yet (so susceptible to replay attacks)
Development
- Running
make
in the root of the repository will buildplugin.wasm
- Running
make image
will build a container image compatible with OpenShift Service Mesh 2.0+ and Istio 1.12+ - See the examples/ directory for how to test your changes
TODO
- Add option to replay POST requests after redirects (so that redirected AJAX calls don't fail)
- Not sure if that's good behaviour