feat: forward basic auth user #3312

Draft
wants to merge 6 commits into
base: main

zhaohuabing (Member) commented Apr 30, 2024

This PR extracts the username from the HTTP Authorization header and adds it to a custom header, providing a user identity that can be directly used in the Authorization Policy and by other filters or backends.

      basicAuth:
        users:
          name: "users-secret1"
        forwardUsernameHeader: x-basic-auth-user

Fix: #2947
Related: #2250 #2652
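
The behaviour described above, sketched as Go `net/http` middleware (an added example, not code from this PR or from Envoy Gateway). Only the header name comes from the sample config; the user table, the `upstreamSees` helper and the decision to delete any client-supplied copy of the header before authenticating are assumptions of the sketch.

```go
package main

import (
	"crypto/subtle"
	"fmt"
	"net/http"
	"net/http/httptest"
)

// forwardHeader is the header name used in the PR's sample config.
const forwardHeader = "x-basic-auth-user"

// users is a constructed table for this demo (plaintext only to keep it short).
var users = map[string]string{"alice": "s3cret"}

// validCredentials checks the password with a constant-time comparison.
func validCredentials(user, pass string) bool {
	want, ok := users[user]
	return subtle.ConstantTimeCompare([]byte(pass), []byte(want)) == 1 && ok
}

// ForwardBasicAuthUser authenticates the request, then tells the backend who it is.
func ForwardBasicAuthUser(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		r.Header.Del(forwardHeader) // drop any client-supplied copy before anything else
		user, pass, ok := r.BasicAuth()
		if !ok || !validCredentials(user, pass) {
			http.Error(w, "unauthorized", http.StatusUnauthorized)
			return
		}
		r.Header.Set(forwardHeader, user) // only the verified username is forwarded
		next.ServeHTTP(w, r)
	})
}

// upstreamSees runs one constructed request; returns status and the header the backend saw.
func upstreamSees(user, pass, spoofed string) (status int, seen string) {
	h := ForwardBasicAuthUser(http.HandlerFunc(func(_ http.ResponseWriter, r *http.Request) {
		seen = r.Header.Get(forwardHeader)
	}))
	req := httptest.NewRequest("GET", "/", nil)
	req.SetBasicAuth(user, pass)
	req.Header.Set(forwardHeader, spoofed) // constructed client-supplied value
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	return rec.Code, seen
}

func main() { fmt.Println(upstreamSees("alice", "s3cret", "admin")) }
```
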

@zhaohuabing zhaohuabing requested a review from a team as a code owner April 30, 2024 18:16
@zhaohuabing zhaohuabing force-pushed the forward_basic_auth_username_header branch 3 times, most recently from c66e1dd to 187dec0 Compare April 30, 2024 21:56
Signed-off-by: huabing zhao <zhaohuabing@gmail.com>
@zhaohuabing zhaohuabing force-pushed the forward_basic_auth_username_header branch from 187dec0 to bf20d0c Compare May 1, 2024 01:56
arkodg (Contributor) commented May 1, 2024

Thoughts on userNameToHeader, similar to the existing claimToHeader field in jwt?

@zhaohuabing zhaohuabing marked this pull request as draft May 1, 2024 18:06
@zhaohuabing zhaohuabing marked this pull request as ready for review May 1, 2024 18:16
Signed-off-by: huabing zhao <zhaohuabing@gmail.com>
Signed-off-by: huabing zhao <zhaohuabing@gmail.com>
Signed-off-by: huabing zhao <zhaohuabing@gmail.com>
…oute in a Gateway

Signed-off-by: huabing zhao <zhaohuabing@gmail.com>
@@ -24,4 +27,10 @@ type BasicAuth struct {
//
// Note: The secret must be in the same namespace as the SecurityPolicy.
Users gwapiv1b1.SecretObjectReference `json:"users"`

// The name of the HTTP header that will be used to forward the username to the upstream server.
// Please note that the header name is a global setting for all the routes in a Gateway.
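
Review bot: The doc comment on the new field says the header name is a global setting for all routes in a Gateway, while the field sits on BasicAuth, which the comment on Users ties to a SecurityPolicy, so the comment should say what happens when two policies on the same Gateway set different header names (reject, first wins or last wins). It should also state whether a request header of the same name supplied by the client is overwritten or removed before forwarding, including on routes without basic auth, since the PR description intends the header to be used by authorization rules and backends.
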
Member Author

UserNameToHeader can also be per route, but will need some upstream work.

Contributor

imo we should wait until per route support is added, else a per route setting will enable this at the global level

Member Author

OK, let's wait for the upstream.

Successfully merging this pull request may close these issues.

Extract username from basic auth and forward it to backends