Hi, we implemented authservice to be used with Keycloak. Combined with Istio auth policies, our end user authentication and authorization (using the authorization_code grant) works great!
We also have the requirement for service-to-service communication within the mesh (background jobs, for example). For this we would need to use either the resource owner flow or the client credentials flow. Does authservice support that? If not, what is the recommended way to go about this with Istio?
One possible way to support this would be to look for custom headers on the request which would specify the username/password for a password grant flow or the client_id/client_secret for a client credentials grant flow.
Since requests to the ingress are https, these headers would be encrypted, so it seems fairly safe to put secrets in the headers. Any other security concerns that should be considered?
The built-in Istio Authorization Policy handles the service-to-service authZ use case. See this example (https://istio.io/docs/tasks/security/authorization/authz-http/) where they configure a rule to make sure "only productpage app can talk to details app."
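A sketch of the kind of policy that comment refers to, added here as an example and not part of the original thread. The workload and service account names follow Istio's Bookinfo sample; the `default` namespace and the `cluster.local` trust domain are assumptions. Matching on `principals` only works when the caller's identity is established by mutual TLS, so the example also enforces strict mTLS for the namespace.

```yaml
# Require mutual TLS for every workload in the namespace, so that the
# source principal used below is authenticated by the sidecars and not
# taken from anything the caller can set itself.
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: default
  namespace: default          # assumed namespace
spec:
  mtls:
    mode: STRICT
---
# Default deny: an ALLOW policy with no rules matches nothing, so every
# request to workloads in this namespace is rejected unless another
# policy explicitly allows it.
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: allow-nothing
  namespace: default
spec:
  action: ALLOW
---
# Allow only the productpage service account to send GET requests to
# the details workload. Background jobs would get their own service
# account and their own rule in the same way.
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: details-viewer
  namespace: default
spec:
  selector:
    matchLabels:
      app: details
  action: ALLOW
  rules:
  - from:
    - source:
        # <trust-domain>/ns/<namespace>/sa/<service-account>
        principals: ["cluster.local/ns/default/sa/bookinfo-productpage"]
    to:
    - operation:
        methods: ["GET"]
```

With this in place the caller needs no OAuth client secret or user password: its identity is the workload certificate issued by the mesh.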
Shubham Shukla: