Enhancement Proposal: Authentication Filter

[shaun-nx]

Proposed changes

Status set to Implementable after merging #4136

This document proposes a solution for enabling Authentication use cases through NGINX Gateway Fabric.

Closes #4052

Checklist

Before creating a PR, run through this checklist and mark each as complete.

• I have read the CONTRIBUTING doc
• I have added tests that prove my fix is effective or that my feature works
• I have checked that all unit tests pass after adding my changes
• I have updated necessary documentation
• I have rebased my branch onto main
• I will ensure my PR is targeting the main branch and pulling from my branch from my own fork

Release notes

If this PR introduces a change that affects users and needs to be mentioned in the release notes,
please add a brief note that summarizes the change.

NONE

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 86.11%. Comparing base (d9846a4) to head (bf3ed2b).

Additional details and impacted files

@@            Coverage Diff             @@
##             main    #4235      +/-   ##
==========================================
+ Coverage   86.08%   86.11%   +0.03%     
==========================================
  Files         132      132              
  Lines       14342    14342              
  Branches       35       35              
==========================================
+ Hits        12346    12351       +5     
+ Misses       1791     1789       -2     
+ Partials      205      202       -3     

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[salonichf5]

we should specify the nginx modules these constants associate with

[shaun-nx]

Do you mean we should add a comment or rename the constants to reflect the module?

[salonichf5]

No the nginx module should be added as reference in the comment

// NGINX module: https://nginx.org/en/docs/http/ngx_http_auth_basic_module.html

[salonichf5]

why does it have to be in the same namespace? we can always resolve the secret in different namespace, unless there is another limitation assumed?

[sjberman]

Can we follow the ReferenceGrant pattern for accessing Secrets in another namespace?

[shaun-nx]

This comment was mostly to reflect security constraints. I noticed I didn't make note of it elsewhere in the proposal though. Mainly, we want to make sure that the AuthenticaitonFilter can only reference secrets in the same namespace by default, and like @sjberman said we can support integration with ReferenceGrant to support cross-namespace where needed.

I'll add a section to the proposal to cover that.

[shaun-nx]

@sjberman @salonichf5 The Security Considerations section should be updated now to talk about namespace isolation as well as cross-namespace support with ReferenceGrant

[ciarams87]

Can we remove or amend this comment to reflect this?

[sjberman]

The spec should use the Gateway API's ObjectReference type instead of two separate Secret and SecretRef fields.

[shaun-nx]

@ciarams87 I'll amend the comment around this.

[shaun-nx]

@sjberman good catch. The BasicAuth spec should just have a secretRef field so that it can work with reference grants.

[salonichf5]

I think he meant using the secretRef type as SecretObjectReference

[salonichf5]

same comment as below for specifying defaults and enum

[shaun-nx]

As I think about it, it might not make sense for something like this to have a default. Users should probably be very explicit about which mode they want to set. What do you think?

[salonichf5]

like 1: is for most frequently used?

[shaun-nx]

This specifies the directory depth of the cache file. In the case where you have a proxy_cache_path configuration like this:

proxy_cache_path /data/nginx/cache levels=1:2 keys_zone=one:10m;

The file names in a cache will look like this: /data/nginx/cache/c/29/b7f54b2df7773722d382f4809d65029c

From the docs:

The levels parameter defines hierarchy levels of a cache: from 1 to 3, each level accepts values 1 or 2. 

[salonichf5]

set defaults using kubebuilder: default

[sjberman]

If this is an optional field though, it shouldn't have a default.

[salonichf5]

did not see this as a rule at API level, we will allow this at API spec level?

[shaun-nx]

We could likely add it at a CEL validation level. What are your thoughts? I've typically seen these kind of things handled by controller level validation, but it feels like CEL validation would be better if we want to reject the resource.

[salonichf5]

yeah I think we can have CEL validation to allow 401 and 403 to simplify things in the later step

[ciarams87]

These are mostly focussed on typos I spotted while doing a first pass, I haven't fully absorbed the content yet

[ciarams87]

Suggested change

	This document focuses expliclty on Authentication (AuthN) and not Authorization (AuthZ). Authentication (AuthN) defines the verification of identiy. It asks the question, "Who are you?". This is different from Authorization (AuthZ), which preceeds Authentication. It asks the question, "What are you allowed to do".
	This document focuses explicitly on Authentication (AuthN) and not Authorization (AuthZ). Authentication (AuthN) defines the verification of identity. It asks the question, "Who are you?". This is different from Authorization (AuthZ), which preceeds Authentication. It asks the question, "What are you allowed to do".

[ciarams87]

Suggested change

	- As an Application Developer, I want to enforce authenticaiton on specific routes and matches.
	- As an Application Developer, I want to enforce authentication on specific routes and matches.

[ciarams87]

Suggested change

	This portioan also contains:
	This portion also contains:

[ciarams87]

Suggested change

	- Example HTTPRoutes and NINGX configuration
	- Example HTTPRoutes and NGINX configuration

[ciarams87]

Suggested change

	- Example NINGX configuration for both Local & Remote JWKS
	- Example NGINX configuration for both Local & Remote JWKS

[ciarams87]

Suggested change

	Users sholud be advised to regularly rotate their JWKS keys in cases where they chose to reference a local JWKS via a `secrefRef` or `configMapRef`
	Users should be advised to regularly rotate their JWKS keys in cases where they chose to reference a local JWKS via a `secrefRef` or `configMapRef`

[ciarams87]

Suggested change

	We may choose to include these headers by default for improved robustness in auth falure responses.
	We may choose to include these headers by default for improved robustness in auth failure responses.

[ciarams87]

I had to look this up, I had never seen it before. It's been superseded by Cache-Control, I don't think we would need it, it's legacy from HTTP/1.0

[ciarams87]

Suggested change

	Our decision to go forward with our own `AuthenticationFilter` was to ensure we could quckly provide authenticaiton to our users while allowing us to closley monitor progress of the ExternalAuthFilter.
	Our decision to go forward with our own `AuthenticationFilter` was to ensure we could quickly provide authentication to our users while allowing us to closely monitor progress of the ExternalAuthFilter.

[sjberman]

To be clear, this proposed AuthenticationFilter is to supply different auth methods than provided in the ExternalAuth filter, and is technically unrelated.

[shaun-nx]

@sjberman that's not entirely true. If we went forward with ExternalAuth filter, we could build out an external auth service that uses NGINX. It wouldn't prevent us from supplying those auth methods.

[sjberman]

But that is unrelated to this AuthenticationFilter. This filter is to configure our NGINX data plane to perform native auth, without the need for an external entity. The ExternalAuthFilter is for just using an external entity for auth, whatever that entity may be (it wouldn't be our direct NGINX data plane, but it could be an external NGINX instance).

These are two different solutions for implementing auth for the user, and are not technically related to each other. I only mention this because this sentence in the doc implies that this Filter is being implemented as a workaround to the ExternalAuth filter, but it's really not, it's a different auth solution. Just being pedantic.

[ciarams87]

Suggested change

	In regards to documentation of filter behavour with the `AuthenticationFilter`, the Gateway API documentation on filters states the following:
	In regards to documentation of filter behaviour with the `AuthenticationFilter`, the Gateway API documentation on filters states the following:

[sjberman]

I'll do a more thorough review once I'm back online full time.

[sjberman]

The spec should use the Gateway API's ObjectReference type instead of two separate Secret and SecretRef fields.

[sjberman]

Can you use an Enum on an integer instead of CEL? I haven't tried this, maybe it only works for strings.

[shaun-nx]

Not sure. I'll see if it's possible though.

[salonichf5]

i think you should be able to since they resolve as strings?

[sjberman]

This can use the Duration type that we have defined.

[shaun-nx]

Sounds good. Out of curiosity, why do we have our own Duration type?

[sjberman]

It allows us to perform validation on the format of it.

[sjberman]

This can use the Duration type that we have defined.

[sjberman]

Suggested change

	Filters must be attached to a HTTPRoute at the `rules.matces` level.
	Filters must be attached to a HTTPRoute at the `rules.matches` level.

[sjberman]

Suggested change

	- This header explicitly set the body as plan text. This prevents browsers from treating the response as HTML or JavaScript, and is effective at mitigating Cross-side scrpting (XSS) through error pages
	- This header explicitly set the body as plain text. This prevents browsers from treating the response as HTML or JavaScript, and is effective at mitigating Cross-side scrpting (XSS) through error pages

[sjberman]

Suggested change

	When referencing an `AuthenticationFilter` in either a HTTPRoute or GRPCRoute, it is important that we ensure all configurable fields are validated, and that the resulting NGINX configuration is correct and secure
	When referencing an `AuthenticationFilter` in either a HTTPRoute or GRPCRoute, it is important that we ensure all configurable fields are validated, and that the resulting NGINX configuration is correct and secure.

[sjberman]

Suggested change

	an `AuthenticationFilter` that sets a `onFailure.statusCode` to anything other than `401` or `403` should be rejected. This relates to the "Auth failure behaviour" section in the Security Condierations section.
	An `AuthenticationFilter` that sets a `onFailure.statusCode` to anything other than `401` or `403` should be rejected. This relates to the "Auth failure behaviour" section in the Security Considerations section.

[sjberman]

To be clear, this proposed AuthenticationFilter is to supply different auth methods than provided in the ExternalAuth filter, and is technically unrelated.

[sjberman]

(may reference NGINX variables)
Are users defining these variables? What types of variables might they want to use?

I ask because for our other header filters, we currently don't support this. Though we may at some point.

[sjberman]

Should a user have any control over this? I'm not sure they should or why they would need to.

[shaun-nx]

That's a good point. It's probably more secure and less error prone for us to default this directory.
As I think about that, we will want to ensure we can write to this directory when readOnlyRootfileSystem is enabled.

[sjberman]

Same comment as MountPath.

[sjberman]

We may choose to include these headers by default

That decision should be made as part of this design.

[shaun-nx]

What are your thoughts on them? Do they seem overkill or would they work as secure default headers?

[sjberman]

I'd like to read more about these and understand them better. Do you have some resources on them?

[sjberman]

Do we not need a Key from the ConfigMap like we do for Secret?

Also, do we need to support ConfigMap? What if we just supported Secret?

[shaun-nx]

That's true. It may be easier to just support Secrets. It would be more secure by default too.
I added this mostly to give users flexibility. After you asked this, I looked around for some use cases where someone might choose ConfigMapRef over SecretRef.

I found these reasons why a user might choose ConfigMapRef over SecretRef for JWKS:

• Non-sensitive data: Verification keys are public. Storing them in a Secret implies sensitivity that doesn’t exist unless you’re handling private/decryption keys (e.g., for auth_jwt_type=encrypted or nested). For public-only JWKS, ConfigMap is appropriate.
• Authoring convenience: ConfigMap stores raw JSON under data, while Secret requires base64-encoding. This avoids encoding errors and makes it simpler to read, diff, lint, and template the JWKS.
• GitOps friendliness: Public configuration can be safely committed to source control and templated with Helm/Kustomize. Secrets generally shouldn’t be committed to VCS.
• Operational visibility: Raw JSON is easier to inspect with kubectl for debugging and audits. No decoding step is needed to verify content.
• RBAC/Policy simplification: Many clusters restrict Secret access more tightly. If your controller/policy allows reading ConfigMaps more readily than Secrets, using ConfigMap avoids broader secret-read permissions.
• Avoiding unnecessary “secret” handling: Secrets may be encrypted at rest and trigger compliance pipelines and secret scanners. ConfigMaps avoid that overhead for public material.

[sjberman]

I think for a first pass, we just support Secret. And I think we can use a more generic object reference than SecretRef and ConfigmapRef. That way if we add ConfigMap support, we can reuse the existing object reference.

[sjberman]

Is this an optional field? If so, it shouldn't have a default.

Same comment for the rest of these fields.