solo-io / gloo

The Feature-rich, Kubernetes-native, Next-Generation API Gateway Built on Envoy
https://docs.solo.io/
Apache License 2.0
4.08k stars 437 forks

HTTP passthrough: forward the original request path and query params #5517

Open bcollard opened 2 years ago

bcollard commented 2 years ago

Is your feature request related to a problem? Please describe.

Given an external authorization service, called by the extauth passthrough system over HTTP
When the (external) authorization logic is based on the original path
Then the external authZ controller expects to receive the original :path header, but the ExtAuth service was not designed this way.

Depending on your setup, you can either:

In both cases, the original path and query params will not be passed to the remote HTTP authZ service.

Describe the solution you'd like

An option to pass the original path and the original query params.

Describe alternatives you've considered

Capturing the original :path pseudo-header in an early transformation and passing this info as a new header to the extauth HTTP service. This implies some code changes in the external authZ service to then read that new header.

Additional context

Gloo EE v1.9.2

saiskee commented 2 years ago

The client has tried to pass through the :path header by using the following HTTP passthrough configuration:

allowedHeaders:
  - ":path"

However, ext-auth-service returns 403s when he does this. If we are able to figure out the root cause of the client's 403s with this config, then this could be a solution.

yakketyyak commented 1 year ago

Today, the only solution is to capture the original :path pseudo-header in an early transformation and pass this info as a new header to the extauth HTTP service, as described by bcollard.

A simple transformation could be:

...
options:
  ...
  stagedTransformations:
    early: # before extauth
      requestTransforms:
        - requestTransformation:
            transformationTemplate:
              headers:
                x-envoy-original-path:
                  text: '{{ header(":path") }}'

The drawback is that you need to add this transformation to all routes that use the auth config. So if you want to migrate from gRPC to HTTP, all route tables must be updated.
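The authZ-service side of this workaround, as an added example that is not part of the thread or of Gloo's code: it reads the path from the x-envoy-original-path header set by the transformation and fails closed when the header is missing or the path is ambiguous. The policy table, the tenant query parameter, the port, the header being forwarded to the service, and the convention that 200 means allow and any other status means deny are assumptions for illustration.

```python
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import parse_qs, unquote

# Header name taken from the transformation above.
ORIGINAL_PATH_HEADER = "x-envoy-original-path"

# Constructed policy (assumption): path prefix -> required ?tenant= value,
# or None when the prefix needs no query parameter.
POLICY = {"/api/public": None, "/api/tenants": "acme"}


def decide(headers):
    """Return the status for the passthrough check: 200 allows, 403 denies."""
    raw = headers.get(ORIGINAL_PATH_HEADER)
    if not raw or not raw.startswith("/"):
        return 403  # header missing (route without the transformation): fail closed
    raw_path, _, query = raw.partition("?")
    if "%2f" in raw_path.lower() or "%5c" in raw_path.lower():
        return 403  # encoded separators would change the segments after decoding
    path = unquote(raw_path)
    segments = path.split("/")[1:]
    # Reject ambiguous paths instead of normalizing them, so this service and
    # the upstream cannot disagree about which resource the path names.
    if ("%" in path or "\\" in path or segments[-1] in (".", "..")
            or any(s in ("", ".", "..") for s in segments[:-1])):
        return 403
    for prefix, tenant in POLICY.items():
        # Match on a segment boundary so /api/publicity does not match /api/public.
        if path == prefix or path.startswith(prefix + "/"):
            if tenant is None:
                return 200
            # A repeated parameter yields a longer list and is denied.
            return 200 if parse_qs(query).get("tenant") == [tenant] else 403
    return 403  # default deny


class AuthHandler(BaseHTTPRequestHandler):
    def _check(self):
        self.send_response(decide(self.headers))
        self.end_headers()

    do_GET = do_POST = _check


if __name__ == "__main__":
    # Port is an assumption; point the HTTP passthrough config at it.
    HTTPServer(("127.0.0.1", 9001), AuthHandler).serve_forever()
```

Because a route that lacks the early transformation sends no such header, the missing-header branch is what keeps an incomplete route-table migration from turning into an allow.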

github-actions[bot] commented 4 months ago

This issue has been marked as stale because of no activity in the last 180 days. It will be closed in the next 180 days unless it is tagged "no stalebot" or other activity occurs.