Closed incfly closed 2 years ago
Removing support for allowing requests based on an id token would be fine with me. It was never documented. Its presence weakens the security that #140 could provide.
If users use Istio, the following policy can be used to retain the previous behavior (untested). Additional RequestAuthentication and AuthorizationPolicies can be used to validate the credential.
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: ext-authz
spec:
  action: CUSTOM
  provider:
    name: authservice
  rules:
  - when:
    - key: request.headers[Authorization]
      notValues: ["Bearer *"]
As discussed in https://github.com/istio-ecosystem/authservice/pull/187/files#r737769246, current implementation checks both
The intention for the project, in my understanding, is for the human flow. Therefore we can assume there's always a browser & session involved here. So the second flow can be removed for simplification.
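As an added example that is not part of this thread or of the authservice project: a small Python model of how the AuthorizationPolicy above routes requests, and why it only retains the old behaviour safely when paired with a RequestAuthentication and an AuthorizationPolicy that requires a principal. The string-matching rules, the treatment of an absent header, and the header-name lowercasing are simplifying assumptions about Istio, not its real implementation.

```python
# Added example (not from the thread). Models the CUSTOM-action policy above:
# requests are sent to authservice only when the Authorization header is absent
# or does not look like a Bearer token; Bearer requests skip authservice.
NOT_VALUES = ["Bearer *"]  # the notValues list from the policy in the thread


def istio_string_match(pattern: str, value: str) -> bool:
    """Assumed Istio matching for values/notValues: exact, 'prefix*', '*suffix' or '*'."""
    if pattern == "*":
        return True
    if pattern.endswith("*"):
        return value.startswith(pattern[:-1])
    if pattern.startswith("*"):
        return value.endswith(pattern[1:])
    return pattern == value


def sent_to_authservice(headers: dict) -> bool:
    """True when the `when` condition matches and the request goes to the provider.
    Assumption: an absent header satisfies notValues (there is nothing to exclude)."""
    lowered = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    auth = lowered.get("authorization")
    if auth is None:
        return True
    return not any(istio_string_match(p, auth) for p in NOT_VALUES)


def decide(headers: dict, session_ok: bool, jwt_ok: bool, require_principal: bool) -> str:
    """Model of the whole chain. session_ok is the verdict authservice would give for the
    browser session; jwt_ok is what a RequestAuthentication would conclude about the token;
    require_principal says whether a second AuthorizationPolicy demands a valid principal."""
    if sent_to_authservice(headers):
        return "allow" if session_ok else "deny"  # human/session flow handled by authservice
    if require_principal:
        return "allow" if jwt_ok else "deny"      # token validated by RequestAuthentication
    return "allow"  # Bearer requests bypassed authservice and nothing else checked them


def bypass_possible(require_principal: bool) -> bool:
    """True if a request carrying a made-up Bearer value reaches the app unauthenticated.
    The header value is constructed for the example."""
    forged = {"Authorization": "Bearer not-a-real-token"}
    return decide(forged, session_ok=False, jwt_ok=False, require_principal=require_principal) == "allow"
```

Without the principal-requiring policy, any request with a `Bearer` prefix is waved through, which is exactly the "additional RequestAuthentication and AuthorizationPolicies" caveat in the comment above.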