Configuring Cloud Service Mesh user authentication

Caution: There is a known issue with the TRAFFIC_DIRECTOR control planeimplementation. If you are using that implementation, then you must make changesin theistio-asm-managed-rapid configmap, even if you are using a channelother than rapid.

If you have theTRAFFIC_DIRECTORcontrol plane implementation thenthis feature is only supported by allow-list. Please contact support to requestthis feature be allowlisted for your organization

Cloud Service Mesh user authentication is an integrated solution for browser-basedend-user authentication and access control to your deployed workloads. It letsyou integrate with existing Identity Providers (IDP) for user authentication anduses Istio APIs and authorization policies for access management. It is auser-friendly alternative to Istio JSON Web Token (JWT) authentication.

A typical use-case is when an organization uses Cloud Service Mesh to host aweb application for its workforce to access via a web browser. In addition, theorganization needs to use their existing identity provider to manage useridentities. Cloud Service Mesh user authentication makes it easy for users toauthenticate using a standard web-based OpenID Connect (OIDC) login and consentflow. When the user authenticates, Cloud Service Mesh enforces Istioauthorization policies, and on successful authorization, it transmits theidentity to workloads in a secure credential format.

How it works

Cloud Service Mesh user authentication introduces a new component,authservice.This component integrates with the Envoy-based ingress as an externalauthorization service that intercepts all the incoming requests forauthentication.authservice implements the client-side of the OIDC protocoland enables user access to applications via a browser, where users complete aninteractive authentication and consent flow to establish a short-lived session.authservice implements industry standard protocols to integrate with anyidentity provider that can act as a OIDC authorization server. When the user isauthenticated, the principal information is encapsulated in anRCToken in JWTformat, signed byauthservice which it forwards to the Istio authorizationlayer in the ingress. This model provides perimeter access control for trafficinto the mesh. If the user is authorized to access a resource, this RCToken isalso forwarded to the microservices to obtain principal information and enforcefine-grained access control.

The following diagram shows the location ofauthservice in the mesh and how itrelates to the other parts of the mesh, such as the ingress, workloads, user'sbrowser, and any existing IDP.

end user authentication

Administrators can installauthservice as an add-on over a Cloud Service Meshinstallation. When installed,authservice reads the OIDC endpointconfiguration and other associated settings defined in theUserAuth customresource. The administrator can use Cloud Service MeshExternalAuthorization APIsto configureauth_server as a filter on the ingress.

Install the user authentication service

The following steps explain how to configure theauthservice.

Prerequisites

Follow the steps inInstall dependent tools and validate clusterto:
  • If you are using managed Cloud Service Mesh on a private cluster, then ensure thecluster is capable of sending egress traffic to the IDP.

Additionally, ensure that you meet the prerequisites by using the followingsteps.

Customize the installation user authentication overlay

To install the user authentication service, you must customize the Cloud Service Meshinstallation to add a mesh-level external authorization provider. The stepsrequired depend on whether you are using managed or in-cluster Cloud Service Mesh.

Important: Make sure you have kpt v1.0 or later.

Managed

  1. Update theConfigMap to include the user authentication MeshConfig. In the following command,use the sameREVISION_LABEL you used whenprovisioning managed Cloud Service Mesh(such as,asm-managed,asm-managed-rapid,orasm-managed-stable):

    kubectl edit configmap istio-REVISION_LABEL -n istio-system

  2. Add the following text undermesh field in the MeshConfig:

    mesh: |-...  extensionProviders:  - name: "asm-userauth-grpc"    envoyExtAuthzGrpc:      service: "authservice.asm-user-auth.svc.cluster.local"      port: "10003"

  3. Createasm-user-auth namespace.

    kubectlcreatenamespaceasm-user-auth

  4. Enable the namespace for injection. The steps depend on yourcontrol plane implementation.

    Managed (TD)

    Apply the default injection label to the namespace:

    kubectllabelnamespaceasm-user-auth\istio.io/rev-istio-injection=enabled--overwrite

    Managed (Istiod)

    Recommended: Run the following command to apply the default injection label to the namespace:

    ```shkubectl label namespace asm-user-auth \    istio.io/rev- istio-injection=enabled --overwrite```

    If you are an existing user with the Managed Istiod control plane:We recommend that you use default injection, but revision-based injection issupported. Use the following instructions:

    1. Run the following command to locate the available release channels:
    kubectl-nistio-systemgetcontrolplanerevision

    The output is similar to the following:

    NAME                AGEasm-managed-rapid   6d7h
    Note: If two control plane revisions appear in the list above, remove one. Having multiple control plane channels in the cluster is not supported.

    In the output, the value under theNAME column is the revision label that corresponds to the availablerelease channel for the Cloud Service Mesh version.

    1. Apply the revision label to the namespace:

      kubectllabelnamespaceasm-user-auth\istio-injection-istio.io/rev=REVISION_LABEL--overwrite

  5. Install the Istio gatewayin theasm-user-auth namespace.

    kubectlapply-nasm-user-auth-fDIR_PATH/samples/gateways/istio-ingressgateway
    Note:DIR_PATH refers to the location of theanthos-service-mesh-packages repository on your machine. If you do not have this repository on your machine, clone it:git clone https://github.com/GoogleCloudPlatform/anthos-service-mesh-packages.git

In-cluster

  1. Get the exampleuser auth overlay and update it if there are any customizations in your mesh. It is arecommended best practice to maintain this overlay file in your sourcecontrol.

    curlhttps://raw.githubusercontent.com/GoogleCloudPlatform/asm-user-auth/v1.2.5/overlay/user-auth-overlay.yaml >user-auth-overlay.yaml

  2. Follow theinstall Cloud Service Mesh with overlayto use a Google-provided script to install Cloud Service Mesh with the userauthentication overlay. For example:

    ./asmcliinstall\--project_idPROJECT_ID\--cluster_nameCLUSTER_NAME\--cluster_locationCLUSTER_LOCATION\--fleet_idFLEET_PROJECT_ID\--output_dirDIR_PATH\--enable_all\--custom_overlayuser-auth-overlay.yaml
    Important: If you customize the installation with multiple overlays, ensurethe--custom_overlay option includes all your overlay files.

    The user authenticationkpt packages creates anAuthorizationPolicy toreference the external authorization provider specified bypkg/ext-authz.yaml.

  3. Createasm-user-auth namespace.

    kubectlcreatenamespaceasm-user-auth

  4. Enable the namespace for injection.

    Recommended: Run the following command to apply the default injection label to the namespace:

    kubectllabelnamespaceasm-user-auth\istio.io/rev-istio-injection=enabled--overwrite

    We recommend that you use default injection, but revision-based injection is supported:Use the following instructions:

    1. Use the following command to locate the revision label onistiod:

      kubectlgetdeploy-nistio-system-lapp=istiod-o\jsonpath={.items[*].metadata.labels.'istio\.io\/rev'}'{"\n"}'

    2. Apply the revision label to the namespace. In the following command,REVISION_LABEL is the value of theistiod revisionlabel that you noted in the previous step.

      kubectllabelnamespaceasm-user-auth\istio-injection-istio.io/rev=REVISION_LABEL--overwrite

  5. Install the Istio gatewayin theasm-user-auth namespace.

    kubectlapply-nasm-user-auth-fDIR_PATH/samples/gateways/istio-ingressgateway
    Note:DIR_PATH refers to the location of theanthos-service-mesh-packages repository on your machine. If you do not have this repository on your machine, clone it:git clone https://github.com/GoogleCloudPlatform/anthos-service-mesh-packages.git

Prepare the OIDC client configuration

Set your OIDC client configuration by using the following steps. This guide usesGoogle as an IDP, but you can use any IDP that supports OIDC authentication.

  1. In the Google Cloud console, go toAPI & Services >Credentials.

    Go to Credentials

  2. Go toCreate Credentials, then chooseOAuth client ID. If required,set yourOAuth consent screen options, then configure the followingoptions:

    • SetApplication type toWeb application.
    • SetAuthorized redirect URI tohttps://REDIRECT_HOST/REDIRECT_PATH.For example, for localhost you could set tohttps://localhost:8443/_gcp_asm_authenticate.

    Then, clickSave.

  3. In addition, save your OIDC client configuration to use later.

    exportOIDC_CLIENT_ID=CLIENT_IDexportOIDC_CLIENT_SECRET=CLIENT_SECRETexportOIDC_ISSUER_URI=ISSUER_URIexportOIDC_REDIRECT_HOST=REDIRECT_HOSTexportOIDC_REDIRECT_PATH=REDIRECT_PATH

Get thekpt packages

Use the following steps to install the recommendedauthservice configurationfrom thepublic repository. Thesecommands retrieve the latestauthservice container and start it as a Pod intheasm-user-auth namespace. It also configures the ingress to intercept allrequests.

Get the kpt package:

kptpkggethttps://github.com/GoogleCloudPlatform/asm-user-auth.git/@v1.2.5.cdasm-user-auth/

Set the redirection URL and secret for ingress gateway

OAuth2 requires a redirection URL hosted on an HTTPS-protected endpoint. Thesecommands are for example purposes and simplify setup by generating a self-signedcertificate for the Istio ingress gateway.

Important: A production deployment should not use self-signed certificates.

  1. Generate a self-signed certificate:

    opensslreq-x509-newkeyrsa:4096-keyoutkey.pem-outcert.pem\-days365-nodes-subj'/CN=localhost'

  2. Create a secret for the ingress gateway to host HTTPS traffic:

    kubectlcreate-nasm-user-authsecrettlsuserauth-tls-cert--key=key.pem\--cert=cert.pem

Apply the encryption and signing keys

Theauthservice needs two sets of keys to operate successfully. The first is asymmetric key for encryption and decryption. This key is used for encrypting thesession state before setting that as a cookie.

The second set of keys are a public/private key pair. This key is used to signthe authenticated user information in JWT format as an RCToken. The public keyfrom this pair is published at a predefined endpoint that the sidecars can useto validate the JWT.

The user authenticationkpt package contains two sample keys for quick setup.However, you can use your preferred key management system to generate these keysinstead.

  1. Prepare the session encryption key with following format or use the samplefrom the pkg, which you can view bycat ./samples/cookie_encryption_key.json.

    {"keys":[{"kty":"oct","kid":"key-0","K":"YOUR_KEY","useAfter":1612813735}]}

    You can generate a test AES key with following command:

    opensslenc-aes-256-cbc-kmycustomkey-P-mdsha1|grepkey

  2. Prepare the RCToken signing key with following format or use the samplefrom the pkg, which you can view bycat ./samples/rctoken_signing_key.json.

    {"keys":[{"kty":"RSA","kid":"rsa-signing-key","K":"YOUR_KEY",#kcontainsaBase64encodedPEMformatRSAsigningkey."useAfter":1612813735#unixtimestamp}]}

    You can generate a test 512-bit RSA private key with following command:

    opensslgenpkey-algorithmRSA-outrsa_private.pem-pkeyoptrsa_keygen_bits:512

  3. Create the kubernetes secret, whichauthservice will mount into its ownfile system.

    Important: In a production environment, generate your own keys to populatethe JSON file instead.
    kubectlcreatesecretgenericsecret-key\--from-file="session_cookie.key"="./samples/cookie_encryption_key.json"\--from-file="rctoken.key"="./samples/rctoken_signing_key.json"\--namespace=asm-user-auth

Deploy the user authentication service

The following commands create the user authentication service and deployment intheasm-user-auth namespace.

Set the necessary values for User Auth configuration. The client ID andsecret are stored as Kubernetes secrets, so we use Base64 to encode them.Please visitpublic repositoryto view all available setters.

kptfnevalpkg--imagegcr.io/kpt-fn/apply-setters:v0.2--truncate-output=false--\client-id="$(echo-n${OIDC_CLIENT_ID}|base64-w0)"\client-secret="$(echo-n${OIDC_CLIENT_SECRET}|base64-w0)"\issuer-uri="${OIDC_ISSUER_URI}"\redirect-host="${OIDC_REDIRECT_HOST}"\redirect-path="${OIDC_REDIRECT_PATH}"

Apply thekpt package:

# Remove the potential alpha version CRD if exists.kubectldeletecrduserauthconfigs.security.anthos.iokubectlapply-f./pkg/asm_user_auth_config_v1beta1.yamlkubectlapply-f./pkg

Theauthservice consumes theUserAuthConfig CRD to provide end userauthentication.UserAuthConfig is configurable in the run time, and you canupdate it to change theauthservice behavior and configure it with endpointsfor any OIDC authorization server.

You can view the file bycat pkg/user_auth_config.yaml, it contains these fields:

apiVersion:security.anthos.io/v1beta1kind:UserAuthConfigmetadata:name:user-auth-confignamespace:asm-user-authspec:authentication:oidc:certificateAuthorityData:""# kpt-set: ${ca-cert}issuerURI:"<yourissueruri>"# kpt-set: ${issuer-uri}proxy:""# kpt-set: ${proxy}oauthCredentialsSecret:name:"oauth-secret"# kpt-set: ${secret-name}namespace:"asm-user-auth"# kpt-set: ${secret-namespace}redirectURIHost:""# kpt-set: ${redirect-host}redirectURIPath:"/_gcp_asm_authenticate"# kpt-set: ${redirect-path}scopes:""# kpt-set: ${scopes}groupsClaim:""# kpt-set: ${groups}outputJWTAudience:"test_audience"# kpt-set: ${jwt-audience}

Seeuser authentication configuration detailsfor detailed descriptions of theuser_auth_config.yaml fields.

Configure API Request Identifiers

Note: API request identifiers are only supported on Cloud Service Mesh user authentication versions 1.2.5 and higher.

API request identifiers are a set ofCommon Expression Language (CEL)expressions used by Cloud Service Mesh user authentication to identify APIrequests. By defining these identifiers, you enable Cloud Service Mesh userauthentication to handle API request authentication failures semantically.

Specifically, when you provide CEL expressions that identify your API requests,you allow Cloud Service Mesh user authentication to fail unauthenticated APIrequests with a 401-Unauthorized status code. This is crucial for clients likeCLIs and service accounts, which expect this status code for unauthenticated APIrequests.

Without API request identifiers, Cloud Service Mesh user authentication willredirect all unauthenticated requests to the configured OpenID Connect (OIDC) provider,returning a 302-Found status code. This redirect behavior is generally undesirablefor API requests, which expect a 401-Unauthorized on failure.

To define your API request identifiers, add anapiRequestIdentifier section toyourUserAuthConfig CR. This allows adding multiple CEL expressions. If multipleCEL expressions are provided, a request is considered an API request if it matchesat least one of them.

The following example shows how to designate as an API request: any requestcontaining the headerexample-api-header, any request directed to the hostapi.example.com, or any request targeting a path under/v1/api/.

Note: Fields relevant toapiRequestIdentifier are highlighted.
apiVersion:security.anthos.io/v1beta1kind:UserAuthConfigmetadata:name:user-auth-confignamespace:asm-user-authspec:authentication:oidc:certificateAuthorityData:""# kpt-set: ${ca-cert}issuerURI:"<yourissueruri>"# kpt-set: ${issuer-uri}proxy:""# kpt-set: ${proxy}oauthCredentialsSecret:name:"oauth-secret"# kpt-set: ${secret-name}namespace:"asm-user-auth"# kpt-set: ${secret-namespace}redirectURIHost:""# kpt-set: ${redirect-host}redirectURIPath:"/_gcp_asm_authenticate"# kpt-set: ${redirect-path}scopes:""# kpt-set: ${scopes}groupsClaim:""# kpt-set: ${groups}outputJWTAudience:"test_audience"# kpt-set: ${jwt-audience}apiRequestIdentifier:name:"api-request-identifiers"expressions:-"'example-api-header'inhttp_request.headers"-"http_request.host==api.example.com"-"matches(http_request.path,'/v1/api/(.*)')"# other expressions go here

Cloud Service Mesh user authentication CEL expressions can be constructedfrom the following fields:

Note: Cloud Service Mesh user authentication CEL expressions must evaluate toa boolean value (True or False).

  1. http_request.headers: A map of the HTTP request headers, where the keys arelowercase strings and the values are vectors of strings.

    Use this field in your CEL expression to designate requests with specificheaders as API requests.

  2. http_request.host: The requested HTTP URL host (e.g.api.example.com).

    Use this field in your CEL expression to designate requests to specific hostsas API requests.

  3. http_request.path: The requested HTTP URL path (e.g./example-api-path).This always starts with '/' and does not contain the query component of therequest URL.

    Use this field in your CEL expression to designate requests with specificpaths as API requests.

The next section shows sample CEL expressions that check and match parts of thesefields to inform Cloud Service Mesh user authentication on how to determinewhich requests are API requests.

Sample Expressions

Match all requests that contain the headerX-API-Key:

Note: the header must be specified in lowercase.
"'x-api-key'inhttp_request.headers"

Match all requests with the headerX-API-Key set to a particular value:

Note: the header must be specified in lowercase.
"'x-api-key'inhttp_request.headers &&http_request.headers['x-api-key'].values==['example-value']"

Match all requests to the hostapi.example.com:

"http_request.host==api.example.com"

Match all requests to the path/api/query:

Note: paths must start with a/.
"http_request.path==/api/query"

Match all requests to any path under/api/:

"matches(http_request.path,'/api/(.*)')"

Perform post-install tasks

The following tasks are required after you finish the previous installationsteps.

Enable user authentication for your applications

This section demonstrates how to enable user authentication, by using thehttpbin as an example.

Cloud Service Mesh user authentication uses aCUSTOMtyped authorization policy to trigger the OIDC flow.

After you haveinstalled the Istio gateway,configure it to serve HTTPS traffic using the TLS certificateuserauth-tls-certyou created above. Below is thepkg/gateway.yaml configuration that you justinstalled.

apiVersion:networking.istio.io/v1beta1kind:Gatewaymetadata:name:userauthnamespace:asm-user-authspec:selector:istio:ingressgatewayservers:-hosts:-'*'port:name:httpsnumber:443protocol:HTTPStls:mode:SIMPLEcredentialName:userauth-tls-cert---# This ensures the OIDC endpoint has at least some route defined.apiVersion:networking.istio.io/v1beta1kind:VirtualServicemetadata:name:userauth-oidcnamespace:asm-user-authspec:gateways:-userauthhosts:-'*'http:-match:-uri:prefix:/status-uri:prefix:"your-oidc-redirect-path"name:user-auth-routeroute:-destination:host:authserviceport:number:10004

  1. Labeldefault namespace to enableistio-proxy auto injection fordeployments.

    kubectllabelnamespacedefaultistio.io/rev=REVISION--overwrite

  2. Deployhttpbin todefault namespace.

    kubectlapply-fhttps://raw.githubusercontent.com/istio/istio/master/samples/httpbin/httpbin.yaml-ndefault

  3. Updatehttpbin to use this gateway to serve HTTPS traffic, and use portforwarding to access the application locally:

    kubectlapply-f./samples/httpbin-route.yaml-ndefaultkubectlport-forwardservice/istio-ingressgateway8443:443-nasm-user-auth
    apiVersion:networking.istio.io/v1alpha3kind:VirtualServicemetadata:name:httpbinnamespace:defaultspec:gateways:-asm-user-auth/userauthhosts:-'*'http:-match:-uri:prefix:/ip-uri:prefix:/headersname:httpbin-routesroute:-destination:host:httpbin.default.svc.cluster.localport:number:8000

    The ingress gateway on port 8443 will be forwarded tolocalhost to makethe application accessible locally.

  4. Deploy thesamples/rctoken-authz.yaml to enable RequestAuthentication andAuthorizationPolicy to verify the RCToken for the requests.

    kubectlapply-f./samples/rctoken-authz.yaml-nasm-user-auth

    Examplesamples/rctoken-authz.yaml:

    apiVersion:security.istio.io/v1beta1kind:RequestAuthenticationmetadata:name:require-rc-tokenspec:selector:matchLabels:istio:ingressgatewayjwtRules:-issuer:"authservice.asm-user-auth.svc.cluster.local"audiences:-"test_audience"jwksUri:"http://authservice.asm-user-auth.svc.cluster.local:10004/_gcp_user_auth/jwks"fromHeaders:-name:X-ASM-RCTOKENforwardOriginalToken:true---apiVersion:security.istio.io/v1beta1kind:AuthorizationPolicymetadata:name:require-rc-tokenspec:selector:matchLabels:istio:ingressgatewayaction:ALLOWrules:-when:-key:request.auth.claims[iss]values:-authservice.asm-user-auth.svc.cluster.local-key:request.auth.claims[aud]values:-test_audience

Verify user authentication

Thehttpbin serves two paths,/ip is publicly accessible and/headersrequires the end user to login via their configured IDP.

Important: User would need to trust the self-signed certificate in this case.

  1. Verify that you are able to access/ip directly by visitinghttps://localhost:8443/ip.

  2. Verify that you see the OIDC login page by visitinghttps://localhost:8443/headers.

  3. After you login, clickNext and verify that it redirects you to the/headers page.

Configure authorization policies

After you finish the configuration in the previous steps, each user will beredirected through a web-based authentication flow. When the flow completes, theauthservice will generate anRCToken in JWT format, which it uses totransmit the authenticated user information.

  1. Add Istio authorization policies at the ingress to ensure that anauthorization check occurs for each authenticated user:

    kubectlapply-f./samples/httpbin-authz.yaml-nasm-user-auth

  2. Thehttpbin-authz.yaml file configures the ingress gateway to validate theRC token issued by authservice, and only authorize when the JWT contains thedesired fields, such as audiences and issuers.

    See the following example authorization policy:

    apiVersion:security.istio.io/v1beta1kind:AuthorizationPolicymetadata:name:require-rc-tokenspec:selector:matchLabels:istio:ingressgatewayaction:ALLOWrules:-to:-operation:paths:["/ip"]-to:when:-key:request.auth.claims[iss]values:-authservice.asm-user-auth.svc.cluster.local-key:request.auth.claims[aud]values:-test_audience-key:request.auth.claims[sub]values:-allowed_user_sub_1# Change this with the "sub" claim in the RC token. Wildcard '*' will match everything.

Configure environment-specific settings

The previous steps uselocalhost and a self-signed HTTPS certificate for quicksetup. For real production use, use your own domain, such asexample.com.

In addition, ensure thecertificateAuthorityData has the intended root certcontent. For example, if the IDP is trusted with system's root certs, you canleave it empty. If there is a HTTPS proxy terminating the HTTPS connection, itshould be set to the proxy's root cert.

Manage and rotate keys

There are two sets of keys used byauthservice. You can rotate each keyindependently. However, before you rotate the keys, it is important tounderstand how the rotation works.

Both keys are in JSON format. TheuseAfter field specifies the timestamp sincewhen the key will be considered to use. During a key rotation, you shouldinclude both old and new keys in the JSON. For example, in the followingexample,new-key will only be used after timestamp1712813735.

{"keys":[{"kty":"RSA","kid":"old-key","K":"...",#kcontainsaBase64encodedPEMformatRSAsigningkey."useAfter":1612813735,#unixtimestamp}{"kty":"RSA","kid":"new-key","K":"...",#kcontainsaBase64encodedPEMformatRSAsigningkey."useAfter":1712813735,#unixtimestamp}]}

Cloud Service Mesh uses the symmetric key for encrypting session data that is storedin browser cookies. To ensure validity of existing sessions,authserviceattempts decryption with all keys in the key set. On rotation, theauthservicewill use the new key for encrypting new sessions, and will continue to attemptdecryption with the old keys.

The public/private key pair is used to signRCToken. The public key istransmitted to the sidecars byistiod for JWT verification. It is crucial forsidecars to receive the new public key beforeauthservice starts using the newprivate key to sign theRCToken. To that end,authservice starts publishingthe public key immediately after the key is added, but waits a significantamount of time before starting to use that to signRCToken.

To summarize, when performing key rotations we recommend:

  1. Perform regular key rotations or on demand as you need.
  2. In the JSON format, include both the current and the new keys. The new keysshould be associated with a timestamp in the future. We recommend that youspecify a timestamp at least a couple of hours ahead of the current time.
  3. Monitor and confirm that the services are still healthy after the new key isin use. Wait at least one day after the new key is being used before movingto next step.
  4. Remove the old keys from the JSON entries. They are no longer needed.

Multi Cluster Deployment

Cloud Service Mesh user authentication supports multi cluster deployment. Youneed to deploy user auth in each cluster as described above. The user authconfiguration such as UserAuth custom resource, OIDC client secret, encryptionkeys, all need to be replicated in each clusters.

By default ingress gateway will load balance the authentication requests to anyone ofauthservice instances. You can use destination rule to configure theingress gateway to send requests to theauthservice in the same cluster, andonly fail over to other clusters'authservice.

apiVersion:networking.istio.io/v1beta1kind:DestinationRulemetadata:name:authservice-fail-overnamespace:asm-user-authspec:host:authservice.asm-user-auth.svc.cluster.localtrafficPolicy:loadBalancer:localityLbSetting:enabled:truefailover:-from:us-eastto:us-west-from:us-westto:us-east

Same as other configuration, this needs to be configured in each cluster.

Custom claims mapping

To configure custom claims mapping, configurespec.authentication.oidc.attributeMappingto define any mappings from original identity provider's IDToken. The key will be the claimname in the RCToken and value is a CEL expression on how to parse the claim from IDToken,useassertion to reference the IDToken.

Example:

spec:authentication:oidc:attributeMapping:aud_copy:assertion.auddecision:'assertion.sub.startsWith("123")?"success":"fail"'

In the RCToken, a nested claimattributes contains the claims that been configured:

"attributes":{"aud_copy":"foo.googleusercontent.com","decision":"success"}

If the CEL expression fails to parse the value from IDToken, it will ignorethe claim without failing the authentication flow.

User Auth upgrades

  1. Install the user-auth packages again as it contains the updated binary for new user-auth version:

    kptpkggethttps://github.com/GoogleCloudPlatform/asm-user-auth.git/@v1.2.5.cdasm-user-auth/

  2. Save your OIDC client configuration:

    exportOIDC_CLIENT_ID=CLIENT_IDexportOIDC_CLIENT_SECRET=CLIENT_SECRETexportOIDC_ISSUER_URI=ISSUER_URIexportOIDC_REDIRECT_HOST=REDIRECT_HOSTexportOIDC_REDIRECT_PATH=REDIRECT_PATH

  3. Deploy the user authentication serviceto upgrade to a new version.

User authentication configuration details

The following table describes each field in the CRD:

Field nameDescription
authentication.oidcThis section holds the OIDC endpoint configuration and the parameters usedin OIDC flow.
authentication.oidc.certificateAuthorityDataThis is the SSL root certificate of the domain of the OIDC authorizationserver or HTTPS proxy if there is any.
authentication.oidc.oauthCredentialsSecretSecret references to the Kubernetes Opaque type secret which contains OAuth2 OIDC client_id and client_secret in JSON payload.
authentication.oidc.issuerURIThe URI to use as the issuer in the output RCToken.
authentication.oidc.proxyProxy server to the OIDC IDP, if applicable. With formathttp://user:password@10.10.10.10:8888.
authentication.oidc.redirectURIHostThe host to be used for OAuth termination URI. If you leave this empty, the host from thetarget URL will be used and the redirect URI will be assembled dynamically.
This value can be used when a user auth SSO session is desired at a higherlevel domain. For example, to enable SSO between profile.example.com/ andadmin.example.com/, this value can be set to example.com. It will enable a user authsession to be established at example.com that'll be shared amongst all subdomains.Note: If multiple domains are served from the same mesh,example1.com and example2.com, the feature cannot be used, and isrecommended to be left empty.
authentication.oidc.redirectURIPathThe endpoint path whereauthservice will terminate the OAuth flow. Youshould register this URI path plus the host as an authorized redirect URI in theauthorization server for theauthentication.oidc.clientID.
In addition, this URI should be served from the same service mesh andingress whereauthservice is enabled.
authentication.oidc.scopesThe OAuth scope that should be requested in the authenticationrequest. Comma-separated list of identifiers used to specify what accessprivileges are being requested in addition to "openid" scope, eg. "groups,allatclaim".
authentication.oidc.groupsClaimIf theidtoken contains a groups claim, use this field to indicateits name. If specified, the service will pass on the data in thisclaim into thegroups claim in the output RCToken. This claim should contain a comma-separated list of strings, eg. ["group1", "group2"].
authentication.oidc.attributeMappingContains one or more claim mappings fromidtoken followed CEL expressions. All claimsshould be referenced byassertion.X,assertion is referencedto the original IDToken, for exampleaud_copy: assertion.aud.
authentication.outputJWTAudienceThe audience of the RCToken generated byauthservice. The sidecars canvalidate the incoming RCToken against this audience value.

Troubleshoot

  1. Network accessibility to IDP.

    Possible log:error: TLS handshake failed..

    Verify by executingcurl from the ephemeral container attached to theistio-proxy to callIDP issuer URI. For example, seeCollecting Cloud Service Meshlogs.

    If you're unable to connect, check the firewall rules orother network configurations for the cluster.

  2. Root CA certificate.

    Possible log:error: The server's TLS certificate did not match expectations.orerror: TLS handshake failed..

    Make sure thecertificateAuthorityData holds the correct root CA certificate.When there is no HTTPS proxy terminating HTTPS traffic, this should hold the rootCA certificate for the IDP. If there is one, this should hold the proxy's instead.

  3. Redirect path configuration.

    Possible observation: receive 404 error page during OIDC authentication flow.

    User Auth returns the "Set-Cookie" header without using the path attribute,which by default the browser uses the directory of the request url as thecookie path (scope of the cookie related to path). So we recommend to notinclude "/" in the redirect path unless you are intended.

  4. The sidecar is not able to fetch jwksUri.

    In some scenarios, asidecar restriction could lead to failure of fetching jwksUri. If the namespace isnot present using a wildcard (for example,./* oristio-system/*) thenthis will not work. You must manually add their namespace in the egresssidecar.

FAQs

  1. How do I upgrade Cloud Service Mesh with User Auth enabled?

    Follow theCloud Service Mesh upgradeprocess and specify the overlay file by adding--custom_overlay user-auth-overlay.yaml on the command line toasmcli install.

  2. How much resources should we provision for theauthservice? And how manyrequests per second can it handle?

    By default,authservice is configured with 2.0 vCPU, 256Mi memory. Undersuch configuration,authservice is able to handle 500 requests per second.To handle larger amounts of requests, you should provisionmore CPU,which is roughly proportionally to its requests handling capacity. You canalso configure multiple replicas of the authservice to increase thehorizontal scalability.

Except as otherwise noted, the content of this page is licensed under theCreative Commons Attribution 4.0 License, and code samples are licensed under theApache 2.0 License. For details, see theGoogle Developers Site Policies. Java is a registered trademark of Oracle and/or its affiliates.

Last updated 2026-02-19 UTC.