You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Currently Leia supports only supports a trivial authentication scheme. If the JWK_URL env-var is set routes with verify = true require there to be a JWT token present in the http authentication header. While JWT is a good interoperable and federated authentication scheme the current method is lacking in a number of ways. The system does not verify audience or subject claims as specified in the JWT standard nor does it offer any mechanisms for verifying other parts of the claim.
In addition to the limitations in the implementation of JWT, there is also a need for other authentication schemes such as HTTP-basic auth. Finally, if configurable authentication and authorisation mechanisms were introduced it would enable us to expose certain internals to potential admin and monitoring tools if proper authentication was provided.
For these reasons I propose that we introduce a new concept to Leia which for purposes of discussion we will call an Auth-provider. An auth-provider is a named filter which can be applied to a route so that only authenticated requests match the route. In addition to the filter the Auth-provider may expose additional fields to the data-sinks and formats such as username or isAuthenticated. A single route is configurable to use multiple Auth-providers and only a single auth-provider needs to match for the route to match.
Auth-providers themselves, will have type e.g. JWK or BasicAuth or HashJWT. Depending on the type different configuration variables will be available e.g URL for JWK or users for BasicAuth. Another idea for an auth-provider may be webhook which authenticates the request against some other provider before letting it through.
The text was updated successfully, but these errors were encountered:
Currently
Leia
supports only supports a trivial authentication scheme. If theJWK_URL
env-var is set routes withverify = true
require there to be a JWT token present in the http authentication header. WhileJWT
is a good interoperable and federated authentication scheme the current method is lacking in a number of ways. The system does not verify audience or subject claims as specified in the JWT standard nor does it offer any mechanisms for verifying other parts of the claim.In addition to the limitations in the implementation of JWT, there is also a need for other authentication schemes such as HTTP-basic auth. Finally, if configurable authentication and authorisation mechanisms were introduced it would enable us to expose certain internals to potential admin and monitoring tools if proper authentication was provided.
For these reasons I propose that we introduce a new concept to
Leia
which for purposes of discussion we will call anAuth-provider
. An auth-provider is a named filter which can be applied to a route so that only authenticated requests match the route. In addition to the filter the Auth-provider may expose additional fields to the data-sinks and formats such asusername
orisAuthenticated
. A single route is configurable to use multiple Auth-providers and only a single auth-provider needs to match for the route to match.Auth-providers themselves, will have type e.g.
JWK
orBasicAuth
orHashJWT
. Depending on the type different configuration variables will be available e.g URL for JWK orusers
for BasicAuth. Another idea for an auth-provider may be webhook which authenticates the request against some other provider before letting it through.The text was updated successfully, but these errors were encountered: