arrikto / oidc-authservice

This is a fork/refactoring of the ajmyyra/ambassador-auth-oidc project
MIT License

Reorder the authentication methods #90

Closed athamark closed 2 years ago

athamark commented 2 years ago

Reorder the authenticators

After embracing the AuthService Caching Mechanism effort (https://github.com/arrikto/oidc-authservice/pull/87), we suggest reordering the authentication methods that AuthService is using. The only authentication method that benefits from the caching mechanism is the authenticator_kubernetes.go. This means that the authentication of a Kubernetes-provided token will have to wait until AuthService tries-and-fails for both the Session authentication method and the ID Token authentication method. Since the caching mechanism can really reduce the authentication overhead and boost the performance, it would make sense for AuthService to try out the Kubernetes authentication method first.

Description of your changes:

The current order of the authentication methods that AuthService is following is:

i. Session Authenticator
ii. ID Token Authenticator
iii. JWT Access Token Authenticator
iv. Kubernetes Authenticator

We want to change this to:

i. Kubernetes Authenticator
ii. JWT Access Token Authenticator
iii. Session Authenticator
iv. ID Token Authenticator
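An added sketch of a first-match authenticator chain under the two orders listed above; it is not code from this PR or from oidc-authservice. The `Request` and `Authenticator` types and the `sess-`, `k8s:`, `jwt:` and `idtoken:` prefixes are hypothetical stand-ins. It goes slightly beyond the description by also showing that, when a request carries both a session cookie and a bearer token, the order decides which identity is used.

```go
package main

import (
	"fmt"
	"strings"
)

// Request is a constructed stand-in for an incoming HTTP request.
type Request struct{ SessionCookie, Bearer string }

// Authenticator is hypothetical (not the project's type): Try returns the
// user and true on success, or false to let the chain fall through.
type Authenticator struct {
	Name string
	Try  func(Request) (string, bool)
}

// prefixed builds a toy authenticator that accepts values with a made-up prefix.
func prefixed(name, prefix string, field func(Request) string) Authenticator {
	return Authenticator{Name: name, Try: func(r Request) (string, bool) {
		v := field(r)
		return strings.TrimPrefix(v, prefix), strings.HasPrefix(v, prefix)
	}}
}
func bearer(r Request) string { return r.Bearer }
func cookie(r Request) string { return r.SessionCookie }

var (
	Session    = prefixed("session", "sess-", cookie)
	IDToken    = prefixed("idtoken", "idtoken:", bearer)
	JWT        = prefixed("jwt", "jwt:", bearer)
	Kubernetes = prefixed("kubernetes", "k8s:", bearer)
	OldOrder   = []Authenticator{Session, IDToken, JWT, Kubernetes} // current order
	NewOrder   = []Authenticator{Kubernetes, JWT, Session, IDToken} // proposed order
)

// Authenticate returns the first success: user, winning method, attempts made.
func Authenticate(chain []Authenticator, r Request) (string, string, int) {
	for i, a := range chain {
		if user, ok := a.Try(r); ok {
			return user, a.Name, i + 1
		}
	}
	return "", "", len(chain)
}

func main() {
	both := Request{SessionCookie: "sess-alice", Bearer: "k8s:bob"} // constructed
	fmt.Println(Authenticate(OldOrder, both)) // alice session 1
	fmt.Println(Authenticate(NewOrder, both)) // bob kubernetes 1
}
```

A request with only the Kubernetes-style token is accepted on the fourth attempt under `OldOrder` and on the first under `NewOrder`, while a session-only request moves from the first attempt to the third.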