Closed zjpiazza closed 3 years ago
/set title: Auth plugins do not receive a request body
I can confirm that the request body is not passed along by the OSS version of the gateway (just headers).
For context, you are trying to write your own version of the OpenFaaS PRO SSO / multi-tenant plugin, correct?
Alex
So the auth_pass_body environment has no effect on the OSS version of the gateway, am I understanding that correctly?
Whilst I feel conflicted about helping users to avoid paying for PRO products that support the project, I understand that you may not have budget where you are. I looked into it on Friday when you mentioned it on Slack and can confirm that's the case. If you are looking for ways to go multi-tenant, and have no budget then perhaps you could use ArgoCD or Flux, and then make Git implement your authz? That would be one way to avoid re-building what we offer to commercial users, and to still get your desired result without spending any money.
Here's a link for a Flux tutorial - https://www.openfaas.com/blog/openfaas-flux/ - alternatively, as I understand your company may be offering OpenFaaS to many users, why not set them up their own OpenFaaS cluster or installation? OpenFaaS can be installed many times in the same cluster at the cost of slightly more management and resource usage.
I will check that out. You may want to make it clear in the documentation that the 'auth_pass_body' environment variable has no effect unless you have pro features enabled: https://docs.openfaas.com/reference/authentication/#auth-plugins
Thanks for the feedback.
My actions before raising this issue
Expected Behaviour
Should be able to access gateway request context via auth plugin by enabling
auth_pass_body
environment variableCurrent Behaviour
When interacting with the OpenFaaS gateway I see the b64 encoded auth header passed to the "GET /validate" endpoint of my custom auth plugin but I do not see any details from the originating request. Here are the details I get access to via the headers from the gateway:
Steps to Reproduce (for bugs)
auth_proxy_url
environment variable using the following command:kubectl set env deployment.apps/gateway auth_proxy_url=http://custom-auth-service.openfaas:8080/validate -n openfaas
auth_pass_body
environment variable using the following command:kubectl set env deployment.apps/gateway auth_pass_body=true -n openfaas
Context
I'm unclear what exactly the intended behavior of the environment variable "auth_pass_body" should be. There is only one sentence that I found in the documentation "whether to pass the body of the request to the auth module, the default value is false" I assume this should pass the original request along to the auth module but if that is not the case, please let me know.
Your Environment
FaaS-CLI version: commit: 6e1d4848011947714ecd76ce006d12fb63fdda85 version: 0.13.8
Docker version: 20.10.2
Are you using OpenFaaS on Kubernetes or faasd? Kubernetes
Operating System and version: Windows 10 19041.804