Closed werdes72 closed 2 weeks ago
Why do external authorizers have authentications and authorizations? Is it just for oauth2_proxy?
@pbochynski it was decided in the previous ADR specific to extAuth that within it we also allow restricting access based on JWT (additional AP)
No more accessStrategy field, we can use jwt and extAuths fields instead.
```yaml
rules:
  - path: test
    extAuths:
      - name: geoBlocking
    jwt:
      authentications:
        - issuer: https://example.com
          jwksUri: https://example.com/.well-known/jwks.json
      authorizations:
        - audiences: ["app1"]
```
```yaml
rules:
  - path: test
    extAuths:
      - name: oauth2-proxy
      - name: geoBlocking
    jwt:
      authentications:
        - issuer: https://example.com
          jwksUri: https://example.com/.well-known/jwks.json
      authorizations:
        - audiences: ["app1"]
  - path: headers
    noAuth: true
```
```yaml
rules:
  - path: test
    noAuth: true
  - path: "*" # Should warn the user that this is not recommended, as it applies to all paths
    extAuths:
      - name: geoBlocking
  - path: headers
    jwt:
      authentications:
        - issuer: https://example.com
          jwksUri: https://example.com/.well-known/jwks.json
      authorizations:
        - audiences: ["app1"]
  - path: image
    extAuths:
      - name: oauth2-proxy
```
extAuth + noAuth - cannot be together
jwt + noAuth - cannot be together
Proposal 3
No more accessStrategy field, we can use jwt and extAuths fields instead.
Now it looks much better! :) Thanks.
APIRule v1beta2 API Proposal
Date: 2024-03-22
Status
Context
Due to the deprecation of Ory and the introduction of new features in API Gateway, the next version of APIRule resource needs to be defined.
Changes:
accessStrategies field is replaced with extAuths, jwt and noAuth
Spec:
*
.*
Headers and Cookie mutators are supported. For more information, see the documentation.
noAuth to true disables authorization.
noAuth is set to true, it is not allowed to define jwt or extAuth on the same path.
The value must be a URL. Although HTTP is allowed, it is recommended that you use only HTTPS endpoints.
The value must be a URL. Although HTTP is allowed, it is recommended that you use only HTTPS endpoints.
Bearer.
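The constraint stated above (with noAuth set to true, jwt or extAuth cannot be defined on the same path) and the wildcard-path warning raised in the discussion can be checked at admission time. The following Go code is an added example, not code from the API Gateway project; the Rule type and the ValidateRules function are hypothetical, and the sample rules are constructed.

```go
package main

import "fmt"

// Rule is a hypothetical, simplified stand-in for one entry under `rules:`.
// It is not the API Gateway project's own type.
type Rule struct {
	Path     string
	NoAuth   bool
	ExtAuths []string // names of external authorizers, e.g. "geoBlocking"
	JWT      bool     // true when a jwt block is configured on the path
}

// ValidateRules returns hard errors (the rule set must be rejected) and
// warnings (the rule set is accepted, but the user should be told).
func ValidateRules(rules []Rule) (errs, warns []string) {
	for i, r := range rules {
		id := fmt.Sprintf("rules[%d] path %q", i, r.Path)
		// noAuth exposes the path without any check, so combining it with
		// an authorizer or JWT block is contradictory and is rejected.
		if r.NoAuth && len(r.ExtAuths) > 0 {
			errs = append(errs, id+": noAuth and extAuths cannot be set together")
		}
		if r.NoAuth && r.JWT {
			errs = append(errs, id+": noAuth and jwt cannot be set together")
		}
		// "*" is the match-all path used in the discussion's example.
		if r.Path == "*" {
			warns = append(warns, id+": applies to all paths, not recommended")
		}
	}
	return errs, warns
}

func main() {
	// Constructed input: the discussion's third layout, with the last rule
	// deliberately made invalid.
	rules := []Rule{
		{Path: "test", NoAuth: true},
		{Path: "*", ExtAuths: []string{"geoBlocking"}},
		{Path: "headers", JWT: true},
		{Path: "image", NoAuth: true, ExtAuths: []string{"oauth2-proxy"}, JWT: true},
	}
	errs, warns := ValidateRules(rules)
	for _, e := range errs {
		fmt.Println("ERROR:", e)
	}
	for _, w := range warns {
		fmt.Println("WARN: ", w)
	}
}
```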
Examples
Multiple hosts with external authorizers and jwt:
One host with JWT:
One host with noAuth:
Istio mutators:
Multiple paths with different configurations: