Open dadrus opened 2 weeks ago
I would like to be able to achieve the same functionality with vouch as described in this guide: https://dadrus.github.io/heimdall/dev/guides/authn/oidc_first_party_auth/
@bnfinet: Please excuse me for the noise. Is there any chance to discuss this FR with you? I can contribute a PR for that, but would like to hear your thoughts on it first. Thank you very much in advance.
I'm the maintainer of heimdall, an identity aware proxy, which is able to orchestrate different authentication and authorization solutions and act on its own or be integrated in any proxy (nginx, traefik, envoy, and many more). While heimdall supports OAuth2 and OIDC, it doesn't drive any of the authorization flows (by intention). Support of OIDC for 1st party context can be added by integrating heimdall with a service which can drive the authorization code grant flow, similar to how traefik or nginx trigger vouch to do that. The difference is that there is a need for an endpoint which can provide information about the authenticated user in the response body, from which heimdall can extract the relevant information. Unfortunately, unlike other similar proxies (lua-resty-openidc, or oauth2-proxy), vouch proxy does not have such an endpoint. It would be awesome if it existed and provided information from the id token as well as how long the session managed by vouch is valid. This way heimdall can be configured to reduce the amount of session validation calls.
If you are afraid that there might be too much information exposed, heimdall can shield access to anything exposed by vouch on its own.
It might even be an ideal partner to allow easy configuration of public and private endpoints of the upstream services.
Looking forward to hearing your thoughts on that.
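To make the requested interaction concrete, here is an added example (not code from vouch proxy or heimdall, and not something the issue author posted) of the two halves described above: a minimal user-info endpoint that answers only for a known, unexpired session cookie and returns id-token claims together with the session's expiry, and a consumer-side cache that uses that expiry to skip repeated validation calls. The cookie name `session`, the response field names `claims` and `session_expires_at`, the in-memory session store and the sample session are all assumptions made for this example.

```go
package main

import (
	"encoding/json"
	"net/http"
	"sync"
	"time"
)

// Session is what a hypothetical auth service (standing in for vouch) keeps per
// login: a subset of the id token claims plus the end of the managed session.
type Session struct {
	Claims map[string]string
	Expiry time.Time
}

// UserInfo is the assumed JSON body: id token claims plus session_expires_at.
type UserInfo struct {
	Claims           map[string]string `json:"claims"`
	SessionExpiresAt int64             `json:"session_expires_at"`
}

// SessionStore is a constructed in-memory store keyed by the session cookie value.
type SessionStore struct {
	mu       sync.RWMutex
	sessions map[string]Session
	Now      func() time.Time // injectable clock so expiry can be tested
}

func NewSessionStore(sessions map[string]Session) *SessionStore {
	return &SessionStore{sessions: sessions, Now: time.Now}
}

// Lookup returns user info only for a known, unexpired session.
func (s *SessionStore) Lookup(cookie string) (UserInfo, bool) {
	s.mu.RLock()
	sess, ok := s.sessions[cookie]
	s.mu.RUnlock()
	if !ok || !s.Now().Before(sess.Expiry) {
		return UserInfo{}, false
	}
	return UserInfo{Claims: sess.Claims, SessionExpiresAt: sess.Expiry.Unix()}, true
}

// Handler serves the hypothetical user-info endpoint: 401 for a missing,
// unknown or expired session cookie, otherwise a JSON body marked no-store.
func (s *SessionStore) Handler() http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		w.Header().Set("Cache-Control", "no-store")
		c, err := r.Cookie("session")
		if err != nil {
			http.Error(w, "no session", http.StatusUnauthorized)
			return
		}
		info, ok := s.Lookup(c.Value)
		if !ok {
			http.Error(w, "invalid or expired session", http.StatusUnauthorized)
			return
		}
		w.Header().Set("Content-Type", "application/json")
		_ = json.NewEncoder(w).Encode(info)
	})
}

// ValidationCache is the consuming proxy's side: per cookie it remembers until
// when the last endpoint answer is good, so the call is repeated only after that.
type ValidationCache struct {
	mu    sync.Mutex
	until map[string]time.Time
}

func NewValidationCache() *ValidationCache {
	return &ValidationCache{until: map[string]time.Time{}}
}

// Remember records the expiry the endpoint reported for this cookie.
func (v *ValidationCache) Remember(cookie string, info UserInfo) {
	v.mu.Lock()
	v.until[cookie] = time.Unix(info.SessionExpiresAt, 0)
	v.mu.Unlock()
}

// NeedsValidation is true when nothing is cached for the cookie or it expired.
func (v *ValidationCache) NeedsValidation(cookie string, now time.Time) bool {
	v.mu.Lock()
	defer v.mu.Unlock()
	exp, ok := v.until[cookie]
	return !ok || !now.Before(exp)
}

func main() {
	store := NewSessionStore(map[string]Session{
		"demo-cookie": { // constructed sample session for a local run
			Claims: map[string]string{"sub": "user-123", "email": "user@example.com"},
			Expiry: time.Now().Add(30 * time.Minute),
		},
	})
	_ = http.ListenAndServe("127.0.0.1:9090", store.Handler())
}
```

The endpoint never returns a body for an expired session, and the consumer treats the reported expiry as the upper bound for trusting a cached answer, so a session revoked early on the auth side is still re-checked no later than its original expiry; a shorter cache lifetime can be chosen on the consumer side if that window is too long.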