Auth Proxy Support

[erikschlegel]

Is your feature request related to a problem? Please describe.
The customer I'm working with requires JWT OAUTH2 token validation for all ingress activity. We're unclear with available approaches for setting up an authentication proxy for our frontend AGIC route. Our identity provider is AAD.

Nginx supports service authentication today

annotations:
  kubernetes.io/ingress.class: nginx
  nginx.ingress.kubernetes.io/auth-url: "http://oauth2-proxy.default.svc.cluster.local:4180/oauth2/auth"
  nginx.ingress.kubernetes.io/auth-signin: "http://<DNS prefix>.<azure region>.cloudapp.azure.com/oauth2/start"

Are there any alternative approaches that would support this use-case?

Describe the solution you'd like
A new annotation in the AGIC where we can provide the authentication url and signin endpoint for the ingress controller.

[IvanJosipovic]

This feature is needed and is preventing my company from moving to the AG Ingress Controller.
It would also be useful to have this feature working without having to run oauth2-proxy in the cluster.

[Karishma-Tiwari-MSFT]

@Caya @erikschlegel Do either of you know if there has been an update on this ask? We have another customer with similar query as below:

"Does Application gateway ingress controller supports JWT validation?
We need to perform JWT Oauth Token validation for all ingress activities in aks.
Nginx support this feature through
location / { proxy_pass: } Or annotations: nginx.ingress.kubernetes.io/auth-url:
Does Application Gateway Ingress Controller(standard v2 sku) supports this functionality."

[mscatyao]

OAuth is not currently supported on AppGW, but is on our roadmap. Until we support it on AppGW, we won't have support for it on AGIC. I can update this thread once it's available on AppGW.

[alchemistake]

Is there a workaround for this?
I'm trying to use oauth2 proxy image as a sidecar to things I want to add auth proxy. I'm getting some weird errors on oauth2 container. From what I read it seems like AGIC is rewriting some stuff oauth container was looking for like cookie, headers etc. Can I configure AGIC to be less abrasive?

[jonno85]

Hi, are there any news on the subject?

[hovermind]

There is a workaround with APIM + AGIC, but that is not feasible (because of high cost). Application Gateway should support Authentication similar to APIM.

[AmudaPalani]

are there any update on this?

[AmudaPalani]

@mscatyao is there any update on this?

[mcabrito]

@mscatyao is there any update on this?

[pownkel]

@mscatyao Is this still on the roadmap for app gateway, and if so can you let us know what the timeframe is?

[seilorjunior]

Do you have any news on that?

[omeryesil]

Any update on this?