Advanced Authentication

[williamhogman]

Currently Leia supports only supports a trivial authentication scheme. If the JWK_URL env-var is set routes with verify = true require there to be a JWT token present in the http authentication header. While JWT is a good interoperable and federated authentication scheme the current method is lacking in a number of ways. The system does not verify audience or subject claims as specified in the JWT standard nor does it offer any mechanisms for verifying other parts of the claim.

In addition to the limitations in the implementation of JWT, there is also a need for other authentication schemes such as HTTP-basic auth. Finally, if configurable authentication and authorisation mechanisms were introduced it would enable us to expose certain internals to potential admin and monitoring tools if proper authentication was provided.

For these reasons I propose that we introduce a new concept to Leia which for purposes of discussion we will call an Auth-provider. An auth-provider is a named filter which can be applied to a route so that only authenticated requests match the route. In addition to the filter the Auth-provider may expose additional fields to the data-sinks and formats such as username or isAuthenticated. A single route is configurable to use multiple Auth-providers and only a single auth-provider needs to match for the route to match.

Auth-providers themselves, will have type e.g. JWK or BasicAuth or HashJWT. Depending on the type different configuration variables will be available e.g URL for JWK or users for BasicAuth. Another idea for an auth-provider may be webhook which authenticates the request against some other provider before letting it through.

[mantono]

• Make verify use Auth-Provider
• Throw exception if both verify and any "Auth-Provider" is set with the new syntax.