louketo / louketo-proxy

An OpenID / Proxy service
Apache License 2.0
950 stars 343 forks

Support for Forward Auth/ External Auth #672

Open lyndon160 opened 4 years ago

lyndon160 commented 4 years ago

Support for Forward Auth

Summary

Based on the comment from https://github.com/louketo/louketo-proxy/pull/501, this is a new issue to discuss the capability of forward-auth within Louketo-proxy.

As far as I understand, Louketo proxy partially supports forward auth already; there are multiple issues and PRs related to it: https://github.com/louketo/louketo-proxy/issues/399 https://github.com/louketo/louketo-proxy/pull/501 https://github.com/louketo/louketo-proxy/pull/505 https://github.com/louketo/louketo-proxy/issues/658 which suggests that multiple users have tried it with mixed results.

Forward auth docs from popular ingresses: https://docs.traefik.io/middlewares/forwardauth/ https://www.envoyproxy.io/docs/envoy/latest/api-v2/config/filter/http/ext_authz/v2/ext_authz.proto

Why?

This enables a separation of concerns, decoupling the proxy from ingress related responsibilities. It also allows for one louketo-proxy to be used to protect multiple upstream services.

This feature is available and is documented in other popular proxies: https://www.pomerium.io/configuration/#forward-auth https://github.com/thomseddon/traefik-forward-auth

How

I think that the upstream URI upstream-url needs to be set as optional in forward-auth mode, as it is not required for the forward auth use case.

I am not clear on what else needs to change to make this compatible.

Acceptance criteria

Using Louketo proxy along with Traefik or Envoy in forward auth mode works as expected (authenticating requests).

One proxy should be able to handle requests for multiple services, aka, an instance is not required for each upstream service being protected.

The process of using forward auth with louketo-proxy should be well documented, preferably with a simple docker-compose example to help users with the initial configuration.
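To make the forward-auth contract the issue is asking for concrete, here is an added Go example (not louketo-proxy's code and not part of the issue) of the exchange between an ingress and an auth service: the ingress sends the original request's details in X-Forwarded-Host / X-Forwarded-Uri headers (the names Traefik's forwardAuth middleware uses; treated as an assumption here), the auth service answers 2xx to let the request through, with an X-Auth-User header (a hypothetical name) for the upstream, or non-2xx to block it. Token validation is a constructed HMAC scheme standing in for real OIDC token or session verification, and one handler serves any number of protected hosts, which is the "one instance for multiple upstreams" point above.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// Constructed shared secret for the demo; a real deployment would verify
// an OIDC access token or session cookie instead of an HMAC tag.
var demoSecret = []byte("constructed-demo-secret-not-for-production")

// mintToken builds "user.sig" where sig = base64url(HMAC-SHA256(secret, user)).
func mintToken(secret []byte, user string) string {
	mac := hmac.New(sha256.New, secret)
	mac.Write([]byte(user))
	return user + "." + base64.RawURLEncoding.EncodeToString(mac.Sum(nil))
}

// verifyToken returns the user carried by a valid token, or "" if the
// token is malformed or its tag does not verify (constant-time compare).
func verifyToken(secret []byte, token string) string {
	user, _, ok := strings.Cut(token, ".")
	if !ok || user == "" {
		return ""
	}
	if !hmac.Equal([]byte(mintToken(secret, user)), []byte(token)) {
		return ""
	}
	return user
}

// forwardAuthHandler is the endpoint an ingress (Traefik forwardAuth,
// Envoy ext_authz) calls before proxying a request upstream. It never
// needs an upstream URL itself: it only decides, the ingress enforces.
func forwardAuthHandler(secret []byte) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		// Original request details, as relayed by the ingress (assumed header names).
		host := r.Header.Get("X-Forwarded-Host")
		uri := r.Header.Get("X-Forwarded-Uri")
		token := strings.TrimPrefix(r.Header.Get("Authorization"), "Bearer ")

		user := verifyToken(secret, token)
		if user == "" {
			// Non-2xx: the ingress blocks the request and relays this response.
			w.Header().Set("WWW-Authenticate", `Bearer realm="forward-auth"`)
			http.Error(w, "unauthorized", http.StatusUnauthorized)
			return
		}
		// 2xx: the ingress forwards the request to the upstream for `host`
		// and copies the allow-listed response headers (e.g. X-Auth-User) onto it.
		w.Header().Set("X-Auth-User", user)
		w.WriteHeader(http.StatusOK)
		fmt.Fprintf(w, "allowed %s%s for %s\n", host, uri, user)
	})
}

// decide runs one forward-auth check in-process (no network) and returns the
// status code and X-Auth-User value the ingress would observe.
func decide(secret []byte, authorization, host, uri string) (int, string) {
	req := httptest.NewRequest(http.MethodGet, "http://auth.internal/", nil)
	req.Header.Set("X-Forwarded-Host", host)
	req.Header.Set("X-Forwarded-Uri", uri)
	if authorization != "" {
		req.Header.Set("Authorization", authorization)
	}
	rec := httptest.NewRecorder()
	forwardAuthHandler(secret).ServeHTTP(rec, req)
	return rec.Code, rec.Header().Get("X-Auth-User")
}

func main() {
	// Two different protected services, one auth handler.
	code, user := decide(demoSecret, "Bearer "+mintToken(demoSecret, "alice"), "app1.example.test", "/dash")
	fmt.Println("app1:", code, user)
	code, user = decide(demoSecret, "Bearer alice.forged", "app2.example.test", "/")
	fmt.Println("app2:", code, user)
}
```

In a real setup the ingress would point its forwardAuth / ext_authz address at this handler and list X-Auth-User among the headers to copy upstream; the handler itself stays identical no matter how many hosts sit behind the ingress.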