Code Monkey home page Code Monkey logo

authorization-proxy's Introduction

Authorization Proxy

License: Apache GitHub release (latest by date) Docker Image Version (tag latest) Go Report Card GoDoc Contributor Covenant

logo

What is Authorization Proxy

Authorization Proxy is an implementation of Kubernetes sidecar container to provide a common interface for API endpoint authentication and authorization. It caches the policies from Athenz, and provides a reverse proxy interface to control access on specific URL endpoints.

Client request can be authenticated and authorized by:

  1. OAuth2 access token
  2. Role token in the HTTP/HTTPS request header
  3. Role certificate on mTLS

Requires go 1.19 or later.

Use case

Authorization and Authorization request

Authorization Proxy acts as a reverse proxy sitting in front of the server application. When the client request for specific URL endpoint of the server application, the request comes to authorization proxy first.

Athenz authorizer

To authenticate the request, the authorization proxy should know which client identity (role) can take an action on which URL endpoint, therefore the Athenz authorizer is introduced.

Athenz authorizer

The Athenz authorizer periodically updates the access token JWK, role token public key, and Athenz policy data from the Athenz Server. It decodes and validates the policy data. The decoded policy will store in the memory cache inside the Athenz authorizer for later authorization checks. The Athenz authorizer also helps to extract client credentials from the HTTP/HTTPS request header.

Authorization success

Auth success

The authorization proxy will call the Athenz authorizer and check if the client can take an action to a specific URL endpoint. If the client is allowed to take an action the URL endpoint, the request will then be forwarded to the server application with authorization information.(HTTP request headers)

Authorization failed

Auth fail

The authorization proxy will return 401 Unauthorized to the client whenever the client credentials are missing/invalid, or the client identity (role) presented in the client credentials has no privilege to take the specific action on the specific URL endpoints.


Mapping rules

The mapping rules describe the elements used in the authorization proxy. You can configure which Athenz domains are effective in the Authorization Proxy, and design your own sets of Athenz policies to control client access on the server application's endpoints.

The mapping rules are described as below.

Concept Description Map to (Athenz) Example
Client Identity Client Identity presented in the client credentials Role access token scope
Action HTTP/HTTPS request method Action POST
Resource HTTP/HTTPS request URL path, supports wildcard Resource /api/*

โš ๏ธ All the HTTP/HTTPS methods and URI paths are normalized to lower case.

HTTP request headers

When a request is authorized by the authorization proxy, the following HTTP headers is added in the request.

HTTP Header Name Description Example
X-Athenz-Principal Authorized principal principal
X-Athenz-Role Authorized role (A comma-separated string if there is more than one) role1,role2,role3
X-Athenz-Domain Authorized domain domain
X-Athenz-Client-ID Authorized client ID client-id
X-Athenz-Issued-At Unix timestamp in second that the authorized identity was issued 1596158946
X-Athenz-Expires-At Unix timestamp in second that the authorized identity expires 1596158953

Features to Debug

Configuration

The example configuration file is here. For detail explanation, please read config.go.


Contributor License Agreement

This project requires contributors to agree to a Contributor License Agreement (CLA).

Note that only for contributions to the authorization-proxy repository on the GitHub, the contributors of them shall be deemed to have agreed to the CLA without individual written agreements.

About releases

  • Releases
    • GitHub release (latest by date)
    • Docker Image Version (tag latest)

authorization-proxy's People

Contributors

ctyano avatar kevindiu avatar kpango avatar kyfujisa avatar ssunorz avatar t4niwa avatar takuyamatsu avatar windzcuhk avatar

Recommend Projects

  • React photo React

    A declarative, efficient, and flexible JavaScript library for building user interfaces.

  • Vue.js photo Vue.js

    ๐Ÿ–– Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.

  • Typescript photo Typescript

    TypeScript is a superset of JavaScript that compiles to clean JavaScript output.

  • TensorFlow photo TensorFlow

    An Open Source Machine Learning Framework for Everyone

  • Django photo Django

    The Web framework for perfectionists with deadlines.

  • D3 photo D3

    Bring data to life with SVG, Canvas and HTML. ๐Ÿ“Š๐Ÿ“ˆ๐ŸŽ‰

Recommend Topics

  • javascript

    JavaScript (JS) is a lightweight interpreted programming language with first-class functions.

  • web

    Some thing interesting about web. New door for the world.

  • server

    A server is a program made to process requests and deliver data to clients.

  • Machine learning

    Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.

  • Game

    Some thing interesting about game, make everyone happy.

Recommend Org

  • Facebook photo Facebook

    We are working to build community through open source technology. NB: members must have two-factor auth.

  • Microsoft photo Microsoft

    Open source projects and samples from Microsoft.

  • Google photo Google

    Google โค๏ธ Open Source for everyone.

  • D3 photo D3

    Data-Driven Documents codes.