Combine OIDC and external auth security policies

[chessman]

Description:
I'm trying to combine OIDC and external auth security polices. The idea is to perform a check using an external service for a forwarded Authorization header received in the OAuth2 authentication.

I followed both guides:
https://gateway.envoyproxy.io/docs/tasks/security/oidc/
https://gateway.envoyproxy.io/docs/tasks/security/ext-auth/

They work separately, but when I enable both, the external auth takes precedence, resulting in a 403 error. Is it possible to change the order in which the policies are applied?

[arkodg]

@chessman you should be able to do this using the filterOrder feature https://gateway.envoyproxy.io/docs/tasks/operations/customize-envoyproxy/#customize-filter-order

[chessman]

@arkodg Thanks for the hint. It started to work with a changed order but there are issues:

• Both policies should have the same target, it doesn't work when one policy targets Gateway and another targets HTTPRoute.
• headersToBackend is ignored when OAuth2 filter is enabled before External Authorization.
• The configuration stops working if the OAuth2 filter is recreated (kubectl delete/apply). It is needed to recreated the ext_authz filter to make it work again.

This is what I did: https://gist.github.com/chessman/800b328c484f5ea9ff260537ec8a9ebb

[arkodg]

cc @zhaohuabing