Configuring Anthos Service Mesh user authentication

Anthos Service Mesh user authentication is an integrated solution for browser-based end-user authentication and access control to your deployed workloads. It lets you integrate with existing Identity Providers (IDP) for user authentication and uses Istio APIs and authorization policies for access management. It is a user-friendly alternative to Istio JSON Web Token (JWT) authentication.

A typical use-case is when an organization uses Anthos Service Mesh to host a web application for its workforce to access via a web browser. In addition, the organization needs to use their existing identity provider to manage user identities. Anthos Service Mesh user authentication makes it easy for users to authenticate using a standard web-based OpenID Connect (OIDC) login and consent flow. When the user authenticates, Anthos Service Mesh enforces Istio authorization policies, and on successful authorization, it transmits the identity to workloads in a secure credential format.

How it works

Anthos Service Mesh user authentication introduces a new component, authservice. This component integrates with the Envoy-based ingress as an external authorization service that intercepts all the incoming requests for authentication. authservice implements the client-side of the OIDC protocol and enables user access to applications via a browser, where users complete an interactive authentication and consent flow to establish a short-lived session. authservice implements industry standard protocols to integrate with any identity provider that can act as a OIDC authorization server. When the user is authenticated, the principal information is encapsulated in an RCToken in JWT format, signed by authservice which it forwards to the Istio authorization layer in the ingress. This model provides perimeter access control for traffic into the mesh. If the user is authorized to access a resource, this RCToken is also forwarded to the microservices to obtain principal information and enforce fine-grained access control.

The following diagram shows the location of authservice in the mesh and how it relates to the other parts of the mesh, such as the ingress, workloads, user's browser, and any existing IDP.

end user authentication

Administrators can install authservice as an add-on over an Anthos Service Mesh installation. When installed, authservice reads the OIDC endpoint configuration and other associated settings defined in the UserAuth custom resource. The administrator can use Anthos Service Mesh ExternalAuthorization APIs to configure auth_server as a filter on the ingress.

Install the user authentication service

The following steps explain how to configure the authservice.


Follow the steps in Install dependent tools and validate cluster to:

Ensure that you meet the prerequisites by using the following steps.

Customize the installation using the user authentication overlay

To install the user authentication service, you must customize the Anthos Service Mesh installation to add a mesh-level external authorization provider.

kpt v1+

Get the example user auth overlay and update it if there are any customizations in your mesh. It is a recommended best practice to maintain this overlay file in your source control.

curl > user-auth-overlay.yaml

kpt v1-

Get the example user auth overlay and update it if there are any customizations in your mesh. It is a recommended best practice to maintain this overlay file in your source control.

curl > user-auth-overlay.yaml
  1. Follow the install Anthos Service Mesh with overlay to use a Google-provided script to install Anthos Service Mesh with the user authentication overlay. For example:

    ./asmcli install \
      --project_id "PROJECT_ID" \
      --cluster_name "CLUSTER_NAME" \
      --cluster_location "CLUSTER_LOCATION" \
      --fleet_id FLEET_PROJECT_ID \
      --output_dir DIR_PATH \
      --enable_all \
      --custom_overlay user-auth-overlay.yaml

    The user authentication kpt packages creates an AuthorizationPolicy to reference the external authorization provider specified by pkg/ext-authz.yaml.

  2. Create and label asm-user-auth namespace.

    kubectl create namespace asm-user-auth
    kubectl label namespace asm-user-auth --overwrite

    You can find the REVISION label value by checking kubectl get pod -n istio-system -L

  3. Install the Istio gateway in the asm-user-auth namespace.

    kubectl apply -n asm-user-auth -f DIR_PATH/samples/gateways/istio-ingressgateway

Prepare the OIDC client configuration

Set your OIDC client configuration by using the following steps. This guide uses Google as an IDP, but you can use any IDP that supports OIDC authentication.

  1. In the Google Cloud console, go to API & Services > Credentials.

    Go to Credentials

  2. Go to Create Credentials, then choose OAuth client ID. If required, set your OAuth consent screen options, then configure the following options:

    • Set Application type to Web application.
    • Set Authorized redirect URI to https://<your-oidc-redirect-host>/<your-oidc-redirect-path>. For example, for localhost you could set to https://localhost:8443/_gcp_asm_authenticate.

    Then, click Save.

  3. In addition, save your OIDC client configuration to use later.

    export OIDC_CLIENT_ID='<your-client-id>'
    export OIDC_CLIENT_SECRET='<your-client-secret>'
    export OIDC_ISSUER_URI=''
    export OIDC_REDIRECT_HOST='https://localhost:8443'
    export OIDC_REDIRECT_PATH='/_gcp_asm_authenticate'

Get the kpt packages

Use the following steps to install the recommended authservice configuration from the public repository. These commands retrieve the latest authservice container and start it as a Pod in the asm-user-auth namespace. It also configures the ingress to intercept all requests.

kpt v1+

Get the kpt package:

kpt pkg get .
cd asm-user-auth/

kpt v1-

Get the kpt package:

kpt pkg get .
cd asm-user-auth/

Set the redirection URL and secret for ingress gateway

OAuth2 requires a redirection URL hosted on an HTTPS-protected endpoint. These commands are for example purposes and simplify setup by generating a self-signed certificate for the Istio ingress gateway.

  1. Generate a self-signed certificate:

    openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem \
     -days 365 -nodes -subj '/CN=localhost'
  2. Create a secret for the ingress gateway to host HTTPS traffic:

    kubectl create -n asm-user-auth secret tls userauth-tls-cert --key=key.pem \

Apply the encryption and signing keys

The authservice needs two sets of keys to operate successfully. The first is a symmetric key for encryption and decryption. This key is used for encrypting the session state before setting that as a cookie.

The second set of keys are a public/private key pair. This key is used to sign the authenticated user information in JWT format as an RCToken. The public key from this pair is published at a predefined endpoint that the sidecars can use to validate the JWT.

The user authentication kpt package contains two sample keys for quick setup. However, you can use your preferred key management system to generate these keys instead.

  1. Prepare the session encryption key with following format or use the sample from the pkg, which you can view by cat ./samples/cookie_encryption_key.json.

            "useAfter": 1612813735

    You can generate a test AES key with following command:

    openssl enc -aes-256-cbc -k mycustomkey -P -md sha1 | grep key
  2. Prepare the RCToken signing key with following format or use the sample from the pkg, which you can view by cat ./samples/rctoken_signing_key.json.

            "K":"YOUR_KEY",  # k contains a Base64 encoded PEM format RSA signing key.
            "useAfter": 1612813735  # unix timestamp

    You can generate a test 256-bit RSA private key with following command:

    openssl genpkey -algorithm RSA -out rsa_private.pem -pkeyopt rsa_keygen_bits:256
  3. Create the kubernetes secret, which authservice will mount into its own file system.

    kubectl create secret generic secret-key  \
        --from-file="session_cookie.key"="./samples/cookie_encryption_key.json" \
        --from-file="rctoken.key"="./samples/rctoken_signing_key.json"  \

Deploy the user authentication service

The following commands create the user authentication service and deployment in the asm-user-auth namespace.

kpt v1+

Set the necessary values for User Auth configuration. The client ID and secret are stored as Kubernetes secrets, so we use Base64 to encode them. Please visit public repository to view all available setters.

kpt fn eval pkg --image --truncate-output=false -- \
  client-id="$(echo -n ${OIDC_CLIENT_ID} | base64 -w0)" \
  client-secret="$(echo -n ${OIDC_CLIENT_SECRET} | base64 -w0)" \
  issuer-uri="${OIDC_ISSUER_URI}" \
  redirect-host="${OIDC_REDIRECT_HOST}" \

kpt v1-

Set the necessary values for User Auth configuration. The client ID and secret are stored as Kubernetes secrets, so we use Base64 to encode them. Please visit Kptfile to view all available setters.

kpt cfg set pkg anthos.servicemesh.user-auth.oidc.clientID $(echo -n ${OIDC_CLIENT_ID} | base64 -w0)
kpt cfg set pkg anthos.servicemesh.user-auth.oidc.clientSecret $(echo -n ${OIDC_CLIENT_SECRET} | base64 -w0)
kpt cfg set pkg anthos.servicemesh.user-auth.oidc.issuerURI ${OIDC_ISSUER_URI}
kpt cfg set pkg anthos.servicemesh.user-auth.oidc.redirectURIHost ${OIDC_REDIRECT_HOST}
kpt cfg set pkg anthos.servicemesh.user-auth.oidc.redirectURIPath ${OIDC_REDIRECT_PATH}

Apply the kpt package:

# Remove the potential alpha version CRD if exists.
kubectl delete crd
kubectl apply -f ./pkg/asm_user_auth_config_v1beta1.yaml
kubectl apply -f ./pkg

The authservice consumes the UserAuthConfig CRD to provide end user authentication. UserAuthConfig is configurable in the run time, and you can update it to change the authservice behavior and configure it with endpoints for any OIDC authorization server.

You can view the file by cat pkg/user_auth_config.yaml, it contains these fields:

kpt v1+

kind: UserAuthConfig
  name: user-auth-config
  namespace: asm-user-auth
      certificateAuthorityData: ""  # kpt-set: ${ca-cert}
      issuerURI: "<your issuer uri>"  # kpt-set: ${issuer-uri}
      proxy: ""  # kpt-set: ${proxy}
        name: "oauth-secret"  # kpt-set: ${secret-name}
        namespace: "asm-user-auth"  # kpt-set: ${secret-namespace}
      redirectURIHost: ""  # kpt-set: ${redirect-host}
      redirectURIPath: "/_gcp_asm_authenticate"  # kpt-set: ${redirect-path}
      scopes: ""  # kpt-set: ${scopes}
      groupsClaim: ""  # kpt-set: ${groups}
  outputJWTAudience: "test_audience"  # kpt-set: ${jwt-audience}

kpt v1-

kind: UserAuthConfig
  name: user-auth-config
  namespace: asm-user-auth
      certificateAuthorityData: ""  # {"$ref":"#/definitions/io.k8s.cli.setters.anthos.servicemesh.user-auth.oidc.certificateAuthorityData"}
        name: "oauth-secret"  # {"$ref":"#/definitions/"}
        namespace: "asm-user-auth"  # {"$ref":"#/definitions/io.k8s.cli.setters.anthos.servicemesh.user-auth.oidc.oauthCredentialsSecret.namespace"}
      issuerURI: "<your issuer uri>"  # {"$ref":"#/definitions/io.k8s.cli.setters.anthos.servicemesh.user-auth.oidc.issuerURI"}
      proxy: ""  # {"$ref":"#/definitions/io.k8s.cli.setters.anthos.servicemesh.user-auth.oidc.proxy"}
      redirectURIHost: ""  # {"$ref":"#/definitions/io.k8s.cli.setters.anthos.servicemesh.user-auth.oidc.redirectURIHost"}
      redirectURIPath: "/_gcp_asm_authenticate"  # {"$ref":"#/definitions/io.k8s.cli.setters.anthos.servicemesh.user-auth.oidc.redirectURIPath"}
  outputJWTAudience: "test_audience"

See user authentication configuration details for detailed descriptions of the user_auth_config.yaml fields.

Perform post-install tasks

The following tasks are required after you finish the previous installation steps.

Enable user authentication for your applications

This section demonstrates how to enable user authentication, by using the httpbin as an example.

Anthos Service Mesh user authentication uses a CUSTOM typed authorization policy to trigger the OIDC flow.

After you have installed the Istio gateway, configure it to serve HTTPS traffic using the TLS certificate userauth-tls-cert you created above. Below is the pkg/gateway.yaml configuration that just been installed.

kind: Gateway
  name: userauth
  namespace: asm-user-auth
    istio: ingressgateway
  - hosts:
    - '*'
      name: https
      number: 443
      protocol: HTTPS
      mode: SIMPLE
      credentialName: userauth-tls-cert
# This ensures the OIDC endpoint has at least some route defined.
kind: VirtualService
  name: userauth-oidc
  namespace: asm-user-auth
  - userauth
  - '*'
  - match:
    - uri:
        prefix: /status
    - uri:
        prefix: "your-oidc-redirect-path"
    name: user-auth-route
    - destination:
        host: authservice
          number: 10004
  1. Label default namespace to enable istio-proxy auto injection for deployments.

    kubectl label namespace default --overwrite
  2. Deploy httpbin to default namespace.

    kubectl apply -f -n default
  3. Update httpbin to use this gateway to serve HTTPS traffic, and use port forwarding to access the application locally:

    kubectl apply -f./samples/httpbin-route.yaml -n default
    kubectl port-forward service/istio-ingressgateway 8443:443 -n asm-user-auth

    The ingress gateway on port 8443 will be forwarded to localhost to make the application accessible locally.

Verify user authentication

The httpbin serves two paths, /ip is publicly accessible and /headers requires the end user to login via their configured IDP.

  1. Verify that you are able to access /ip directly by visiting https://localhost:8443/ip.

  2. Verify that you see the OIDC login page by visiting https://localhost:8443/headers.

  3. After you login, click Next and verify that it redirects you to the /headers page.

Configure authorization policies

After you finish the configuration in the previous steps, each user will be redirected through a web-based authentication flow. When the flow completes, the authservice will generate an RCToken in JWT format, which it uses to transmit the authenticated user information.

  1. Add Istio authorization policies at the ingress to ensure that an authorization check occurs for each authenticated user:

    kubectl apply -f ./samples/httpbin-authz.yaml -n asm-user-auth
  2. The httpbin-authz.yaml file configures the ingress gateway to validate the RC token issued by authservice, and only authorize when the JWT contains the desired fields, such as audiences and issuers.

    See the following example authorization policy:

    kind: AuthorizationPolicy
      name: require-rc-token
          istio: ingressgateway
      action: ALLOW
      - to:
        - operation:
            paths: ["/ip"]
      - to:
        - key:[iss]
          - authservice.asm-user-auth.svc.cluster.local
        - key:[aud]
          - test_audience
        - key:[sub]
          - allowed_user_sub_1  # Change this with the "sub" claim in the RC token. Wildcard '*' will match everything.

Configure environment-specific settings

The previous steps use localhost and a self-signed HTTPS certificate for quick setup. For real production use, use your own domain, such as

In addition, ensure the certificateAuthorityData has the intended root cert content. For example, if the IDP is trusted with system's root certs, you can leave it empty. If there is a HTTPS proxy terminating the HTTPS connection, it should be set to the proxy's root cert.

Manage and rotate keys

There are two sets of keys used by authservice. You can rotate each key independently. However, before you rotate the keys, it is important to understand how the rotation works.

Both keys are in JSON format. The useAfter field specifies the timestamp since when the key will be considered to use. During a key rotation, you should include both old and new keys in the JSON. For example, in the following example, new-key will only be used after timestamp 1712813735.

         "K":"...", # k contains a Base64 encoded PEM format RSA signing key.
         "useAfter": 1612813735, # unix timestamp
         "K":"...", # k contains a Base64 encoded PEM format RSA signing key.
         "useAfter": 1712813735, # unix timestamp

Anthos Service Mesh uses the symmetric key for encrypting session data that is stored in browser cookies. To ensure validity of existing sessions, authservice attempts decryption with all keys in the key set. On rotation, the authservice will use the new key for encrypting new sessions, and will continue to attempt decryption with the old keys.

The public/private key pair is used to sign RCToken. The public key is transmitted to the sidecars by istiod for JWT verification. It is crucial for sidecars to receive the new public key before authservice starts using the new private key to sign the RCToken. To that end, authservice starts publishing the public key immediately after the key is added, but waits a significant amount of time before starting to use that to sign RCToken.

To summarize, when performing key rotations we recommend:

  1. Perform regular key rotations or on demand as you need.
  2. In the JSON format, include both the current and the new keys. The new keys should be associated with a timestamp in the future. We recommend that you specify a timestamp at least a couple of hours ahead of the current time.
  3. Monitor and confirm that the services are still healthy after the new key is in use. Wait at least one day after the new key is being used before moving to next step.
  4. Remove the old keys from the JSON entries. They are no longer needed.

User authentication configuration details

The following table describes each field in the CRD:

Field name Description
authentication.oidc This section holds the OIDC endpoint configuration and the parameters used in OIDC flow.
authentication.oidc.certificateAuthorityData This is the SSL root certificate of the domain of the OIDC authorization server or HTTPS proxy if there is any.
authentication.oidc.oauthCredentialsSecret Secret references to the Kubernetes Opaque type secret which contains OAuth2 OIDC client_id and client_secret in JSON payload.
authentication.oidc.issuerURI The URI to use as the issuer in the output RCToken.
authentication.oidc.proxy Proxy server to the OIDC IDP, if applicable. With format http://user:password@
authentication.oidc.redirectURIHost The host to be used for OAuth termination URI. If you leave this empty, the host from the target URL will be used and the redirect URI will be assembled dynamically.
This value can be used when a user auth SSO session is desired at a higher level domain. For example, to enable SSO between and, this value can be set to It will enable a user auth session to be established at that'll be shared amongst all subdomains. Note: If multiple domains are served from the same mesh, and, the feature cannot be used, and is recommended to be left empty.
authentication.oidc.redirectURIPath The endpoint path where authservice will terminate the OAuth flow. You should register this URI path plus the host as an authorized redirect URI in the authorization server for the authentication.oidc.clientID.
In addition, this URI should be served from the same service mesh and ingress where authservice is enabled.
authentication.oidc.scopes The OAuth scope that should be requested in the authentication request. Comma-separated list of identifiers used to specify what access privileges are being requested in addition to "openid" scope, eg. "groups,allatclaim".
authentication.oidc.groupsClaim If the idtoken contains a groups claim, use this field to indicate its name. If specified, the service will pass on the data in this claim into the groups claim in the output RCToken. This claim should contain a comma-separated list of strings, eg. ["group1", "group2"].
authentication.outputJWTAudience The audience of the RCToken generated by authservice. The sidecars can validate the incoming RCToken against this audience value.

User Auth upgrades

  1. Install the user-auth packages again as it contains the updated binary for new user-auth version:

    kpt pkg get .
    cd asm-user-auth/
  2. Save your OIDC client configuration:

  3. Deploy the user authentication service to upgrade to a new version.

Multi Cluster Deployment

Anthos Service Mesh User Auth supports multi cluster deployment. You need to deploy user auth in each cluster as described above. The user auth configuration such as UserAuth custom resource, OIDC client secret, encryption keys, all need to be replicated in each clusters.

By default ingress gateway will load balance the authentication requests to any one of authservice instances. You can use destination rule to configure the ingress gateway to send requests to the authservice in the same cluster, and only fail over to other clusters' authservice.

kind: DestinationRule
  name: authservice-fail-over
  namespace: asm-user-auth
  host: authservice.asm-user-auth.svc.cluster.local
        enabled: true
        - from:  us-east
          to: us-west
        - from: us-west
          to: us-east

Same as other configuration, this needs to be configured in each cluster.


  1. Network accessibility to IDP.

    Possible log: error: TLS handshake failed..

    Verify by executing curl from the istio-proxy container to IDP issuer URI. If not able to connect, user could check the firewall rules or other network configurations for the cluster.

  2. Root CA certificate.

    Possible log: error: The server's TLS certificate did not match expectations. or error: TLS handshake failed..

    Make sure the certificateAuthorityData holds the correct root CA certificate. When there is no HTTPS proxy terminating HTTPS traffic, this should hold the root CA certificate for the IDP. If there is one, this should hold the proxy's instead.

  3. Redirect path configuration.

    Possible observation: receive 404 error page during OIDC authentication flow.

    User Auth returns the "Set-Cookie" header without using the path attribute, which by default the browser uses the directory of the request url as the cookie path (scope of the cookie related to path). So we recommend to not include "/" in the redirect path unless you are intended.


  1. How do I upgrade Anthos Service Mesh with User Auth enabled?

    Follow the Anthos Service Mesh upgrade process and specify the overlay file by adding --custom_overlay user-auth-overlay.yaml on the command line to asmcli install.

  2. How much resources should we provision for the authservice? And how many requests per second can it handle?

    By default, authservice is configured with 2.0 vCPU, 256Mi memory. Under such configuration, authservice is able to handle 500 requests per second. To handle larger amounts of requests, you should provision more CPU, which is roughly proportionally to its requests handling capacity. You can also configure multiple replicas of the authservice to increase the horizontal scalability.