Add external authorization via http request#830
Conversation
This is similar to Envoys external authorization[0], and can be used for example in combination with Ory Oathkeeper. [0] https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/filters/http/ext_authz/v3/ext_authz.proto
a55de9d to
04f958c
Compare
|
👍 for this PR! Maybe a future refinement would be to use service-discovery to discover the endpoint by service name? But I'd take this as is now to get the ball rolling, have the same use-case in mind. |
nathanejohnson
left a comment
There was a problem hiding this comment.
Overall I think this will be a great feature, just have a few tweaks before it can be merged. Sorry this has taken so long to get back to.
| } | ||
|
|
||
| func (b *external) Authorized(request *http.Request, response http.ResponseWriter) AuthDecision { | ||
| client := &http.Client{CheckRedirect: func(req *http.Request, via []*http.Request) error { return http.ErrUseLastResponse }} |
There was a problem hiding this comment.
This client should specify a timeout at least, and possibly a transport too depending on whether tls configurations would need to be overridden. Also, it would be much better to store this client inside the external struct instead of recreating it each time.
| log.Println("[ERROR] External request error:", err.Error()) | ||
| return unauthorized() | ||
| } | ||
|
|
There was a problem hiding this comment.
resp.Body is never drained or closed. if err is nil, body needs to be dealt with.
| SetAuthHeaders: strings.Split(cfg["set-auth-headers"], ","), | ||
| } | ||
|
|
||
| if strings.HasSuffix(a.External.Endpoint, "/") { |
There was a problem hiding this comment.
Curious to the reasoning for this restriction?
This is similar to Envoys external authorization, and can be used for example in combination with Ory Oathkeeper.