Validate group claims for Authservice applications with Istio

[rjferguson21]

When users today leverage the sso.groups field to ensure only authorized users can access their application the enforcement is done via a Keycloak plugin during authentication.

An extension of this functionality which would further our defense in depth would be to leverage Istio AuthorizationPolicy to validate the groups claim contains a matching group as well. As part of the existing authservice logic, we create an AuthorizationPolicy that ensures the issuer was Keycloak. We could leverage this existing policy and add an an additional component to the rule that would result in a policy like this:

apiVersion: security.istio.io/v1
kind: AuthorizationPolicy
metadata:
  labels:
    uds/package: httpbin-other
  name: uds-core-httpbin-jwt-authz
  namespace: authservice-test-app
spec:
  rules:
  - from:
    - source:
        requestPrincipals:
        - https://sso.uds.dev/realms/uds/*
    when:
    - key: request.auth.claims[groups]
      values:
      - /UDS Core/Developer
  selector:
    matchLabels:
      app: httpbin