[ADR] API proposal for APIRule v1beta2 #977
Comments
Why do external authorizers have authentications and authorizations? Is it just for oauth2_proxy?
@pbochynski it was decided in the previous ADR, specific to extAuth, that within it we also allow restricting access based on JWT (additional AP)
Proposal 3

No more

```yaml
rules:
  - path: test
    extAuths:
      - name: geoBlocking
    jwt:
      authentications:
        - issuer: https://example.com
          jwksUri: https://example.com/.well-known/jwks.json
      authorizations:
        - audiences: ["app1"]
```

```yaml
rules:
  - path: test
    extAuths:
      - name: oauth2-proxy
      - name: geoBlocking
    jwt:
      authentications:
        - issuer: https://example.com
          jwksUri: https://example.com/.well-known/jwks.json
      authorizations:
        - audiences: ["app1"]
  - path: headers
    noAuth: true
```

```yaml
rules:
  - path: test
    noAuth: true
  - path: "*" # Should warn the user that it is not recommended, as it applies to all paths
    extAuths:
      - name: geoBlocking
  - path: headers
    jwt:
      authentications:
        - issuer: https://example.com
          jwksUri: https://example.com/.well-known/jwks.json
      authorizations:
        - audiences: ["app1"]
  - path: image
    extAuths:
      - name: oauth2-proxy
```

extAuth + noAuth - cannot be together
Now it looks much better! :)
APIRule v1beta2 API Proposal
Date: 2024-03-22
Status
Context
Due to the deprecation of Ory and the introduction of new features in API Gateway, the next version of APIRule resource needs to be defined.
Changes:
The accessStrategies field is replaced with extAuths, jwt and noAuth.
Spec:
*. If no timeout is specified, the default timeout of 180 seconds applies.
*. Headers and Cookie mutators are supported. For more information, see the documentation.
Setting noAuth to true disables authorization. If noAuth is set to true, it is not allowed to define jwt or extAuth on the same path.
The value must be a URL. Although HTTP is allowed, it is recommended that you use only HTTPS endpoints.
The value must be a URL. Although HTTP is allowed, it is recommended that you use only HTTPS endpoints.
Bearer.
Examples
noAuth:
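The constraints stated in the spec above (noAuth excludes jwt and extAuth on the same path, a `*` path deserves a warning, issuer and jwksUri must be URLs with HTTPS recommended) can be checked mechanically. The following Go validator is an added example, not part of the ADR or the project's code; the `Rule`, `Jwt` and `JwtAuthentication` types and the `Validate` function are hypothetical, and reading "must be a URL" as an absolute http(s) URL with a host is an assumption.

```go
package main

import (
	"fmt"
	"net/url"
)

// Hypothetical types mirroring the fields named in the proposal (not the project's API types).
type JwtAuthentication struct{ Issuer, JwksUri string }
type Jwt struct{ Authentications []JwtAuthentication }
type Rule struct {
	Path     string
	NoAuth   bool
	ExtAuths []string // names of external authorizers
	Jwt      *Jwt
}
// Validate returns hard errors and non-fatal warnings for a single rule.
func Validate(r Rule) (errs, warns []string) {
	if r.NoAuth && (r.Jwt != nil || len(r.ExtAuths) > 0) {
		errs = append(errs, r.Path+": noAuth cannot be combined with jwt or extAuths")
	}
	if r.Path == "*" {
		warns = append(warns, "path * applies to all paths and is not recommended")
	}
	if r.Jwt == nil {
		return errs, warns
	}
	for i, a := range r.Jwt.Authentications {
		for _, f := range [][2]string{{"issuer", a.Issuer}, {"jwksUri", a.JwksUri}} {
			u, err := url.Parse(f[1])
			switch {
			// Assumption: "must be a URL" means an absolute http(s) URL with a host.
			case err != nil || u.Host == "" || (u.Scheme != "http" && u.Scheme != "https"):
				errs = append(errs, fmt.Sprintf("%s: authentications[%d].%s must be a URL", r.Path, i, f[0]))
			case u.Scheme == "http":
				warns = append(warns, fmt.Sprintf("%s: authentications[%d].%s uses HTTP, HTTPS is recommended", r.Path, i, f[0]))
			}
		}
	}
	return errs, warns
}

func main() {
	// Constructed sample rules, loosely based on the YAML in the thread.
	jwt := &Jwt{[]JwtAuthentication{{"https://example.com", "http://example.com/.well-known/jwks.json"}}}
	for _, r := range []Rule{{Path: "test", NoAuth: true, Jwt: jwt}, {Path: "*", ExtAuths: []string{"geoBlocking"}}} {
		errs, warns := Validate(r)
		fmt.Printf("%q errors=%q warnings=%q\n", r.Path, errs, warns)
	}
}
```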