Invert catch-all behavior for auth gateway#693

Merged: awhdesmond merged 2 commits into main from awhdesmond/auth-gateway-deny-by-default on Jun 3, 2026
Conversation

@awhdesmond (Contributor)

Invert catch-all behavior in auth gateway to return HTTP 403 Forbidden by default.

@csieber (Contributor) left a comment

thanks!

@Tobias-Pe (Contributor) left a comment

Thanks!

@Tobias-Pe (Contributor) left a comment

So which code should we return, bc as you stated @awhdesmond the 403 will create a sign-in redirect.

404 doesn't seem like a bad option (first thought)

@awhdesmond (Contributor, Author) commented Jun 2, 2026

> So which code should we return, bc as you stated @awhdesmond the 403 will create a sign-in redirect.
>
> 404 doesn't seem like a bad option (first thought)

What about the catch-all service returning an unused HTTP 4xx, which gets intercepted by an EnvoyFilter that then converts it back to HTTP 403?

@csieber (Contributor) commented Jun 2, 2026

> What about the catch-all service returning an unused HTTP 4xx, which gets intercepted by an EnvoyFilter that then converts it back to HTTP 403?

I am in favor of the 404 because that feels like something a server should return if the path is not registered.

@Tobias-Pe (Contributor)

> What about the catch-all service returning an unused HTTP 4xx, which gets intercepted by an EnvoyFilter that then converts it back to HTTP 403?

> I am in favor of the 404 because that feels like something a server should return if the path is not registered.

This would also help keep things straightforward.

The EnvoyFilter is a great option and very powerful, but not as clear when it comes to following what is happening. So we should keep our filter usage minimal.
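As an added illustration of the deny-by-default catch-all the thread settles on (example config, not the project's own istio.yaml; the VirtualService, gateway, host, service and path names are assumptions), an Istio VirtualService whose explicit routes forward only the registered paths and whose final, match-less route answers everything else with a direct 404. Istio evaluates HTTP routes top to bottom, so the catch-all must stay last; no EnvoyFilter is needed and the 403 sign-in redirect is never triggered for unregistered paths:

```yaml
# Added example, not the project's istio.yaml. All names below are assumed.
apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata:
  name: auth-gateway-routes        # assumed
  namespace: default               # assumed
spec:
  hosts:
  - "*"
  gateways:
  - auth-gateway                   # assumed Gateway resource name
  http:
  # Explicitly registered paths are forwarded to their backends.
  - name: api
    match:
    - uri:
        prefix: /api/
    route:
    - destination:
        host: api-service          # assumed backend Service
        port:
          number: 8080
  - name: ui
    match:
    - uri:
        prefix: /ui/
    route:
    - destination:
        host: ui-service           # assumed backend Service
        port:
          number: 8080
  # Deny-by-default catch-all: no match clause, so it applies to every
  # request not matched above. Istio's first-match ordering means this
  # route must remain the last entry. It returns a direct 404 instead of
  # proxying, and avoids 403, which the auth layer turns into a redirect.
  - name: catch-all
    directResponse:
      status: 404
      body:
        string: "not found"
```

A quick check after applying it is `curl -i` against an unregistered path through the gateway: the response should be a 404 from Envoy itself, with no `Location` header pointing at the sign-in endpoint.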

Review comment thread on src/app_charts/base/cloud/istio.yaml (outdated)
@awhdesmond awhdesmond requested a review from Tobias-Pe June 3, 2026 07:45
@Tobias-Pe (Contributor) left a comment

Thank you Desmond!

@awhdesmond awhdesmond merged commit f30710a into main Jun 3, 2026
7 checks passed
@awhdesmond awhdesmond deleted the awhdesmond/auth-gateway-deny-by-default branch June 3, 2026 12:53