[Auth flow] Is the flow executed also for public endpoints?

[silversoul93]

What product are you having troubles with?

Console

What Console version are you using?

v12.1.0

Description

Hi guys,
we have a client using the Mia-Platform Console that has a project (let's say Prj-Main) containing the following auth flow:

api-gateway → authorization-service → auth0-client → Auth0.

The auth flow is pretty straightforward.
Despite that, all the Endpoints they have are publicly accessible:

• NO "Authentication required";
• NO "API Key required";
• NO filter on "User Groups Permissions";
  because they implemented the auth verification on another project (let's say Prj-Gateway) and they use the auth flow of the project Prj-Main only for a few internal requests (back-office flows).

Despite the endpoints being public, is possible the auth flow is always executed?
We noticed that the auth0-client logs, more or less, 5k/6k of error logs per minute, all errors related to the absence of the token into the Redis cache or similar, because the auth verification is done by Prj-Gateway.

This causes a lot of "dirty logs", additional traffic and latency through the auth0-client of Prj-Main that is useless.

Is there a way to disable the verification to the "Authentication Manager" (auth0-client in this case) for the publicly accessible endpoints?

Thanks.

Actual Outcome

Lot of useless requests and logs to the Authentication Manager.

Expected Outcome

The Authentication Manager takes a break :D

[fredmaggiowski]

Hi, the authorization flow is always performed, the reason being the decision about whether the api is public or not is ownership of the authorization service.

If you wish to skip the session verification (which causes the hop between authorization service and your authentication manager) you could yse the Trust Mia headers feature of the authorization service

[peppemanzi]

Hi, @silversoul93! I’m not sure if it is what you need for your use case, but maybe you can use trust Mia Headers mode for the authorization service https://docs.mia-platform.eu/docs/runtime_suite/authorization-service/usage#trust-mia-platform-user-headers

[silversoul93]

Hi @peppemanzi, thanks for your reply ( 🥲 ).
I don't think your proposal would fit for our problem because a lot of requests don't have a token inside (but I'll check to be sure).