{"id":27824,"date":"2021-04-29T12:31:00","date_gmt":"2021-04-29T10:31:00","guid":{"rendered":"https:\/\/www.inovex.de\/blog\/?p=20240"},"modified":"2024-10-07T08:07:39","modified_gmt":"2024-10-07T06:07:39","slug":"transparent-user-authentication-in-azure-using-istio","status":"publish","type":"post","link":"https:\/\/www.inovex.de\/de\/blog\/transparent-user-authentication-in-azure-using-istio\/","title":{"rendered":"Transparent User Authentication in Azure Using Istio"},"content":{"rendered":"<p>In this blog article I will show you how to realize transparent user authentication for an authentication-unaware application using Istio and Azure Active Directory.<\/p>\n<p>Istio has many features, some of which are not very well documented. One of those features that piqued my interest while working on bringing Istio to production is authentication and authorization of end-users based on JSON Web Tokens (JWTs). In this blog post I will explore what exactly Istio has to offer for end-user authentication, what you must build yourself and how to do it. 
I will use Azure Active Directory (Azure AD) as Identity Provider, but the same principles can also be applied to other Authentication Providers.<\/p>\n<h2><span class=\"ez-toc-section\" id=\"A-short-introduction-to-Istio\"><\/span>A short introduction to Istio<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p style=\"padding-left: 30px;\">You can safely skip this part if you already have experience with Istio. 
I will also only focus on the parts relevant to this blog article; for a more comprehensive overview of Istio, refer to the <a href=\"https:\/\/istio.io\/latest\/docs\/concepts\/what-is-istio\/\">official documentation<\/a>.<\/p>\n<p>Istio is a Service Mesh, meaning that it implements common networking-related application features outside the application code. Istio does that by adding a <a href=\"https:\/\/kubernetes.io\/blog\/2015\/06\/the-distributed-system-toolkit-patterns\/#example-1-sidecar-containers\">sidecar proxy<\/a> to each instance of an application, usually a Kubernetes pod, and orchestrating these proxies from a central control plane.<br \/>\nThis allows Istio, among other things, to transparently encrypt all traffic with mTLS and apply authorization policies to all services centrally. Instead of Ingress, Istio uses Gateways to serve as an entrypoint into the mesh where different ways of authentication can be used.<br \/>\nOther features that are not relevant to this article (but still cool!) are advanced traffic management features, such as canary releases or support for the circuit breaker pattern.<\/p>\n<h2><span class=\"ez-toc-section\" id=\"User-authentication-with-Istio\"><\/span>User authentication with Istio<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>At first, my motivation for this blog entry was curiosity. The <a href=\"https:\/\/istio.io\/latest\/docs\/concepts\/security\/\">Istio security documentation<\/a> describes a feature called Request authentication:<\/p>\n<blockquote><p>\u201cUsed for end-user authentication to verify the credential attached to the request. 
Istio enables request-level authentication with JSON Web Token (JWT) validation and a streamlined developer experience using a custom authentication provider or any OpenID Connect providers [&#8230;].\u201c<\/p><\/blockquote>\n<p>In my mind, that sounded like authentication would just be a simple switch that needs to be flipped with some Istio Custom Resource, as I have often experienced with Istio.<\/p>\n<p style=\"padding-left: 30px;\">The technical details with precise instructions can be found in my <a href=\"https:\/\/github.com\/inovex\/demo-istio-azure-auth\">demo repository on GitHub<\/a>.<\/p>\n<p>To test this, I started a small Azure Kubernetes Service (AKS) cluster and installed Istio in demo mode using istioctl. I also created a DNS entry for my test application, generated a certificate using Let\u2019s Encrypt and set up the Istio Ingress Gateway with this certificate. I chose Prometheus as an authentication-unaware service to enhance, because it was already part of the Istio demo install and is actually an application that does not implement authentication.<\/p>\n<p>For authentication I <a href=\"https:\/\/docs.microsoft.com\/en-us\/graph\/auth-register-app-v2\">created an Azure app registration<\/a> for the public URL where my Prometheus resides and <a href=\"https:\/\/docs.microsoft.com\/en-us\/azure\/active-directory\/develop\/quickstart-configure-app-expose-web-apis\">exposed it as a web API<\/a>. 
That, amongst other things, causes an OAuth2 Permission Scope to be generated.<\/p>\n<p>Now that the basic setup stands, I need to do three things:<\/p>\n<ol>\n<li>obtain an access_token<\/li>\n<li>validate the token<\/li>\n<li>ensure the token is passed on subsequent requests<\/li>\n<\/ol>\n<p>Obtaining a JWT is easy enough using a <a href=\"https:\/\/istio.io\/latest\/docs\/reference\/config\/networking\/virtual-service\/\">VirtualService<\/a> that redirects users to login.microsoft.com\u2019s OAuth2 login for our Azure tenant, passing the app scope that I generated before:<\/p>\n<pre class=\"lang:default decode:true\" title=\"redirect-to-login-vservice.yaml\">apiVersion: networking.istio.io\/v1alpha3\r\nkind: VirtualService\r\nmetadata:\r\n  name: prometheus\r\nspec:\r\n  ...\r\n  http:\r\n  - redirect:\r\n      uri: \/&lt;azureTenantId&gt;\/oauth2\/v2.0\/authorize?client_id=&lt;azureAppId&gt;&amp;response_type=code&amp;redirect_uri=https%3A%2F%2F&lt;our-url&gt;%2Floggedin&amp;response_mode=form_post&amp;scope=&lt;azure-app-scope&gt;\r\n      authority: login.microsoftonline.com\r\n      redirectCode: 302<\/pre>\n<p>Validating the token can then be done using Istio\u2019s <a href=\"https:\/\/istio.io\/latest\/docs\/reference\/config\/security\/request_authentication\/\">RequestAuthentication Custom Resource<\/a>, again providing the correct URIs for our tenant and app:<\/p>\n<pre class=\"lang:default decode:true\" title=\"request-authentication.yaml\">apiVersion: security.istio.io\/v1beta1\r\nkind: RequestAuthentication\r\nmetadata:\r\n  name: ingressgateway\r\nspec:\r\n  selector:\r\n    matchLabels:\r\n      istio: ingressgateway\r\n  jwtRules:\r\n  - issuer: \"https:\/\/sts.windows.net\/&lt;azureTenantId&gt;\/\"\r\n    jwksUri: \"https:\/\/login.microsoftonline.com\/&lt;azureTenantId&gt;\/discovery\/keys?appid=&lt;azureAppId&gt;\"<\/pre>\n<p>This Custom Resource alone only attaches an authenticated identity to requests that have a valid JWT, though. 
To also authorize users, I need another Resource called AuthorizationPolicy. The AuthorizationPolicy is configured to allow authenticated users access everywhere, which implicitly denies unauthenticated users access (as no ALLOW rule matches them).<\/p>\n<pre class=\"lang:default decode:true\" title=\"authorization-policy.yaml\">apiVersion: security.istio.io\/v1beta1\r\nkind: AuthorizationPolicy\r\nmetadata:\r\n  name: ingressgateway\r\nspec:\r\n  selector:\r\n    matchLabels:\r\n      istio: ingressgateway\r\n  action: ALLOW\r\n  rules:\r\n  # this rule allows all authenticated users access\r\n  - from:\r\n    - source:\r\n        requestPrincipals: [\"*\"]<\/pre>\n<p>With this rule set up, I now only need to ensure that every subsequent request to Prometheus passes its user\u2019s bearer token in the <code>Authorization<\/code> header. This is actually not as easy as it sounds, because there is no mechanism for telling our user to set this header without implementing it in our authentication-unaware application. Because the goal was not to modify Prometheus, I instead implemented a helper application that accepts the login response from Azure and sets the token as a cookie. The cookie will be passed by the user automatically, but Istio does not directly support it. The RequestAuthentication could theoretically be configured to look in the cookie header for the token, but if multiple cookies were set, it would not be able to distinguish the token from the other cookies.<\/p>\n<p>As a workaround, I chose to simply rewrite the cookie contents into the Authorization header using an <a href=\"https:\/\/istio.io\/latest\/docs\/reference\/config\/networking\/envoy-filter\/\">EnvoyFilter<\/a>. This filter executes a Lua script before the JWT authentication step; the script checks if the cookie is present and sets the Authorization header if it is. If no cookie is present, it redirects the user to the \/login endpoint on the original address. 
Requests to \/login are then exempt from the AuthorizationPolicy, so that the original redirect in our VirtualService can be applied.<br \/>\nAdditionally, I set up a \/loggedin route in our VirtualService that redirects to the helper application and also exempted it from authorization. Finally, I omitted one detail in the initial VirtualService: it of course also has to redirect to Prometheus when a user is authenticated. With the cookie approach, this is done with the following route:<\/p>\n<pre class=\"lang:yaml decode:true\" title=\"prometheus-vservice-routes\">  http:\r\n  - name: authenticated-users\r\n    match:\r\n    - headers:\r\n        cookie:\r\n          regex: \".*access_token=.*\"\r\n    route:\r\n    - destination:\r\n        port:\r\n          number: 9090\r\n        host: prometheus<\/pre>\n<p>With this setup, only authorized users can now reach Prometheus, achieving our goal of transparent (to the application) user authentication using Istio.<\/p>\n<h2><span class=\"ez-toc-section\" id=\"Drawbacks-of-my-approach\"><\/span>Drawbacks of my approach<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>One issue I found with this is that the user authentication can only be applied to the Istio Ingress Gateway, meaning that in a production environment separate gateway deployments should probably be used for authenticated and unauthenticated endpoints. My workaround makes this issue more dire, as the Lua script cannot distinguish between endpoints that should be authenticated and endpoints that should not.<\/p>\n<p>My demo is also lacking a logout mechanism. In a production setup a proper tool should be used for handling the authentication callbacks, e.g. <a href=\"https:\/\/oauth2-proxy.github.io\/oauth2-proxy\/\">OAuth2 Proxy<\/a>. 
Adding support to Istio for retrieving the JWT from cookies would also simplify the whole process immensely.<\/p>\n<h2><span class=\"ez-toc-section\" id=\"Comparison-with-other-approaches\"><\/span>Comparison with other approaches<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>When Istio is not already part of your setup, you probably should not install it just for user authentication. Instead, two patterns that have been used in previous projects of mine can enhance an application with authentication on the infrastructure layer in Kubernetes.<\/p>\n<p>The first is using a sidecar container in your application pods running, for example, keycloak-gatekeeper. This means each of your pods will grow in size and your requests will pass through the sidecar, which imposes an overhead similar to Istio\u2019s (but for less gain).\u00a0<em>Edit: <a href=\"https:\/\/www.keycloak.org\/2020\/08\/sunsetting-louketo-project.adoc\">keycloak-gatekeeper\u00a0has been sunsetted\u00a0in favor of oauth2-proxy<\/a> since my research for this article. The approach is still valid, since OAuth2-Proxy can be deployed as a sidecar.<\/em><\/p>\n<p>The second alternative is securing your application at the Ingress level using the <a href=\"https:\/\/kubernetes.github.io\/ingress-nginx\/examples\/auth\/oauth-external-auth\/\">OAuth2-Proxy integration of ingress-nginx<\/a>. Here, for each request received by nginx, an authentication subrequest is made to OAuth2-Proxy, which supports many cloud providers and Open Source SSO solutions natively. 
The overhead is lower than with the sidecar approach, but you still need one OAuth2-Proxy deployment per OAuth2 client, as multiple configs are not supported.<\/p>\n<p>While both approaches allow restricting logins to some groups (depending on the provider used in the case of OAuth2-Proxy), they still are not as flexible and powerful as Istio.<\/p>\n<h2><span class=\"ez-toc-section\" id=\"Closing-remarks\"><\/span>Closing remarks<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>Enabling user authentication was not as easy as I initially thought. To be fair, the documentation that sent me on my journey only talks about authentication for attached credentials, so I expected more than was promised. I still think that it would be nice to have a simple option to \u201cswitch on\u201c authentication, maybe through integration with OAuth2-Proxy similar to how ingress-nginx solved it. But you can already use Request Authentication in Istio to transparently authenticate user requests with some extra work, and I think it is really neat.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>In this blog article I will show you how to realize transparent user authentication for an authentication-unaware application using Istio and Azure Active Directory.<\/p>\n","protected":false},"author":93,"featured_media":27778,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"inline_featured_image":false,"ep_exclude_from_search":false,"footnotes":""},"tags":[136,137],"service":[414,879],"coauthors":[{"id":93,"display_name":"Maximilian Bischoff","user_nicename":"mbischoff"}],"class_list":["post-27824","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","tag-authentication","tag-istio","service-cloud","service-security"],"acf":[],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v27.5 - https:\/\/yoast.com\/product\/yoast-seo-wordpress\/ -->\n<title>Transparent 
User Authentication in Azure Using Istio - inovex GmbH<\/title>\n","_links":{"self":[{"href":"https:\/\/www.inovex.de\/de\/wp-json\/wp\/v2\/posts\/27824","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.inovex.de\/de\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.inovex.de\/de\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.inovex.de\/de\/wp-json\/wp\/v2\/users\/93"}],"replies":[{"embeddable":true,"href":"https:\/\/www.inovex.de\/de\/wp-json\/wp\/v2\/comments?post=27824"}],"version-history":[{"count":2,"href":"https:\/\/www.inovex.de\/de\/wp-json\/wp\/v2\/posts\/27824\/revisions"}],"predecessor-version":[{"id":58634,"href":"https:\/\/www.inovex.de\/de\/wp-json\/wp\/v2\/posts\/27824\/revisions\/58634"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.inovex.de\/de\/wp-json\/wp\/v2\/media\/27778"}],"wp:attachment":[{"href":"https:\/\/www.inovex.de\/de\/wp-json\/wp\/v2\/media?parent=27824"}],"wp:term":[{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.inovex.de\/de\/wp-json\/wp\/v2\/tags?post=27824"},{"taxonomy":"service","embeddable":true,"href":"https:\/\/www.inovex.de\/de\/wp-json\/wp\/v2\/service?post=27824"},{"taxonomy":"author","embeddable":true,"href":"https:\/\/www.inovex.de\/de\/wp-json\/wp\/v2\/coauthors?post=27824"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}