Skip to content

Add external authorization via http request#830

Open
pingiun wants to merge 1 commit into
fabiolb:masterfrom
pingiun:add-external-auth
Open

Add external authorization via http request#830
pingiun wants to merge 1 commit into
fabiolb:masterfrom
pingiun:add-external-auth

Conversation

@pingiun

@pingiun pingiun commented May 15, 2021

Copy link
Copy Markdown

This is similar to Envoys external authorization, and can be used for example in combination with Ory Oathkeeper.

This is similar to Envoys external authorization[0], and can be used for
example in combination with Ory Oathkeeper.

[0] https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/filters/http/ext_authz/v3/ext_authz.proto
@nathanejohnson nathanejohnson force-pushed the master branch 2 times, most recently from a55de9d to 04f958c Compare April 11, 2022 18:45
@nathanejohnson nathanejohnson self-requested a review July 15, 2022 01:14
@nathanejohnson nathanejohnson added this to the 1.6.2 milestone Jul 15, 2022
@wfaler

wfaler commented Aug 30, 2022

Copy link
Copy Markdown

👍 for this PR!

Maybe a future refinement would be to use service-discovery to discover the endpoint by service name? But I'd take this as is now to get the ball rolling, have the same use-case in mind.

@nathanejohnson nathanejohnson modified the milestones: 1.6.2, 1.6.3 Sep 13, 2022

@nathanejohnson nathanejohnson left a comment

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Overall I think this will be a great feature, just have a few tweaks before it can be merged. Sorry this has taken so long to get back to.

Comment thread auth/external.go
}

func (b *external) Authorized(request *http.Request, response http.ResponseWriter) AuthDecision {
client := &http.Client{CheckRedirect: func(req *http.Request, via []*http.Request) error { return http.ErrUseLastResponse }}

@nathanejohnson nathanejohnson Nov 17, 2022

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This client should specify a timeout at least, and possibly a transport too depending on whether tls configurations would need to be overridden. Also, it would be much better to store this client inside the external struct instead of recreating it each time.

Comment thread auth/external.go
log.Println("[ERROR] External request error:", err.Error())
return unauthorized()
}

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

resp.Body is never drained or closed. if err is nil, body needs to be dealt with.

Comment thread config/load.go
SetAuthHeaders: strings.Split(cfg["set-auth-headers"], ","),
}

if strings.HasSuffix(a.External.Endpoint, "/") {

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Curious to the reasoning for this restriction?

@nathanejohnson nathanejohnson removed this from the 1.6.3 milestone Nov 17, 2022
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants