I have an application that I want to put behind Envoy Gateway. This application needs to be secured with OIDC at the API gateway level. A basic setup like this can be easily achieved, and I now have an application with OIDC configured, so whenever I attempt to access it without proper auth, I get redirected to the IdP and can get in after providing creds and going through the redirects.
The problem is I also have an application that receives a bearer token from the IdP on its own. When I try to access the API using that bearer token, the requests are still redirected to the IdP for auth, even though they carry a valid bearer token.
I can't find a way to tell OIDC to honor that bearer token and validate it, and when I switch to JWT auth with JWKS from the IdP, I can get in with the bearer token, but then obviously my other requests do not get redirected to the IdP if they are not authenticated properly.
Any hints on how to achieve both with Envoy Gateway?
Example config I'm experimenting with:

```yaml
apiVersion: gateway.envoyproxy.io/v1alpha1
kind: SecurityPolicy
metadata:
  name: authpolicy
spec:
  targetRefs:
  - group: gateway.networking.k8s.io
    kind: HTTPRoute
    name: foo
  oidc:
    provider:
      issuer: "https://..."
    clientID: "..."
    clientSecret:
      name: "envoygw-oidc-clientsecret"
    forwardAccessToken: true
    refreshToken: true
  jwt:
    providers:
    - name: example
      remoteJWKS:
        uri: https://...
```
Eventually I found that creating two HTTPRoute objects and adding an additional matcher like the one below to the JWT-secured routes did the trick.

```yaml
- headers:
  - name: Authorization
    type: RegularExpression
    value: Bearer .*
  path:
    type: PathPrefix
    value: /foo
```
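The split described in the answer above, written out in full as an added example (it is not config from the original post or from the Envoy Gateway project). The route names `foo-bearer` and `foo-browser`, the Gateway `eg`, the Service `foo-svc` on port 8080, the hostname, the `audiences` value, the client ID and the IdP URLs are all assumptions for illustration; only the Secret name `envoygw-oidc-clientsecret` comes from the post. One HTTPRoute matches only requests that already carry an `Authorization: Bearer` header and gets a JWT-only SecurityPolicy; a second HTTPRoute catches everything else on the same path prefix and gets the OIDC SecurityPolicy. Gateway API route precedence puts a route with more header matches ahead of one with the same path prefix and none, so the bearer route wins whenever the header is present.

```yaml
# Added example, not from the original post. Names, hostnames and IdP URLs are assumptions.
---
# Route 1: requests that already present a bearer token. The extra header
# match gives this route precedence over foo-browser for the same prefix.
apiVersion: gateway.networking.k8s.io/v1
kind: HTTPRoute
metadata:
  name: foo-bearer
  namespace: default
spec:
  parentRefs:
  - name: eg
  hostnames:
  - foo.example.com
  rules:
  - matches:
    - headers:
      - name: Authorization
        type: RegularExpression
        value: "Bearer .*"
      path:
        type: PathPrefix
        value: /foo
    backendRefs:
    - name: foo-svc
      port: 8080
---
# Route 2: everything else under /foo (browsers with no bearer token).
apiVersion: gateway.networking.k8s.io/v1
kind: HTTPRoute
metadata:
  name: foo-browser
  namespace: default
spec:
  parentRefs:
  - name: eg
  hostnames:
  - foo.example.com
  rules:
  - matches:
    - path:
        type: PathPrefix
        value: /foo
    backendRefs:
    - name: foo-svc
      port: 8080
---
# JWT validation only on the bearer route. Pinning issuer and audiences means a
# token minted by the same IdP for some other client is rejected with 401
# instead of being accepted just because its signature checks out.
apiVersion: gateway.envoyproxy.io/v1alpha1
kind: SecurityPolicy
metadata:
  name: foo-bearer-jwt
  namespace: default
spec:
  targetRefs:
  - group: gateway.networking.k8s.io
    kind: HTTPRoute
    name: foo-bearer
  jwt:
    providers:
    - name: idp
      issuer: https://idp.example.com          # assumed issuer URL
      audiences:
      - foo-api                                # assumed audience claim value
      remoteJWKS:
        uri: https://idp.example.com/.well-known/jwks.json   # assumed JWKS URL
---
# OIDC login flow only on the browser route.
apiVersion: gateway.envoyproxy.io/v1alpha1
kind: SecurityPolicy
metadata:
  name: foo-browser-oidc
  namespace: default
spec:
  targetRefs:
  - group: gateway.networking.k8s.io
    kind: HTTPRoute
    name: foo-browser
  oidc:
    provider:
      issuer: https://idp.example.com          # assumed issuer URL
    clientID: foo-web                          # assumed client ID
    clientSecret:
      name: envoygw-oidc-clientsecret
    forwardAccessToken: true
    refreshToken: true
```

To check the split behaves as intended, send three requests to `/foo`: one with no `Authorization` header (expect a 302 to the IdP from the OIDC policy), one with a valid bearer token (expect 200 from the backend), and one with a garbage value such as `Authorization: Bearer nope` (expect a 401 from the JWT filter, not a redirect). That third case is the caveat of this approach: the regex only decides which route a request lands on, so anything that looks like a bearer token is handed to JWT validation and never gets the interactive login flow. Confirm both SecurityPolicies show an `Accepted` condition in their status with `kubectl get securitypolicy -n default -o yaml` before testing.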