This repository has been archived by the owner on Oct 8, 2021. It is now read-only.

External authorization #76

Open · wants to merge 4 commits into ostia-architecture from ruby-opa


Conversation

@guicassolato guicassolato commented Oct 26, 2020

Try it out with your Docker env

1. Start the containers

docker-compose up --build -d

You'll get the following components up and running:

  • Envoy proxy
    Configured w/ the http filters ext_authz and ratelimit.
  • Upstream app
    Just a simple rack application that returns a constant string for any request.
  • External AuthN/AuthZ proxy
    The core of this PoC. It implements Envoy's external auth gRPC protocol, verifies identities (only OIDC supported so far), fetches metadata (OIDC user info) and delegates policy evaluation to configured PDPs.
  • OPA service
    An actual Policy Decision Point (PDP) configured in the architecture.
  • Rate limiter
    Out of scope for this PoC. You can ignore it for the moment.
  • Keycloak
    To issue OIDC access tokens.
    Admin console: http://localhost:8080/auth/admin (admin/p)
    Available users:
    • john/p (member)
    • jane/p (admin)

2. Try out with John (member)

export ACCESS_TOKEN_JOHN=$(curl -k -d 'grant_type=password' -d 'client_id=demo' -d 'username=john' -d 'password=p' "http://localhost:8080/auth/realms/ostia/protocol/openid-connect/token" | jq -r '.access_token')

curl -H 'Host: app:3000' -H "Authorization: Bearer $ACCESS_TOKEN_JOHN" http://localhost:8000/pets -v        # 200 OK
curl -H 'Host: app:3000' -H "Authorization: Bearer $ACCESS_TOKEN_JOHN" http://localhost:8000/pets/stats -v  # 404 Not authorized

3. Try out with Jane (admin)

export ACCESS_TOKEN_JANE=$(curl -k -d 'grant_type=password' -d 'client_id=demo' -d 'username=jane' -d 'password=p' "http://localhost:8080/auth/realms/ostia/protocol/openid-connect/token" | jq -r '.access_token')

curl -H 'Host: app:3000' -H "Authorization: Bearer $ACCESS_TOKEN_JANE" http://localhost:8000/pets -v        # 200 OK
curl -H 'Host: app:3000' -H "Authorization: Bearer $ACCESS_TOKEN_JANE" http://localhost:8000/pets/stats -v  # 200 OK

4. Shut down and clean up

docker-compose down
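The steps above exercise the whole chain (Keycloak issues a token, Envoy hands the request to the external auth proxy, the proxy checks the identity and asks the PDP). The following is an added example, written for this page and not code from the authorino-rb project, that reproduces that decision pipeline offline in Ruby: it resolves the introspection endpoint from a constructed OIDC discovery document (using the `introspection_endpoint` attribute that Keycloak actually returns), pulls the bearer token out of the request headers, looks the token up in a constructed stand-in for the introspection response, and applies a hypothetical policy that mirrors the outcomes shown above (any active identity may read `/pets`, `/pets/stats` requires the `admin` role). The token values, the introspection data, the `realm_access.roles` layout and the `POLICY` rules are all assumptions made for the example; the real PoC delegates the policy step to OPA.

```ruby
# Added example (not authorino-rb code): an offline model of the
# ext_authz decision flow described in the PR.
require 'json'

# Constructed subset of an OIDC discovery document. Keycloak names the
# attribute "introspection_endpoint" (not "token_introspection_endpoint").
DISCOVERY_JSON = <<~JSON
  {
    "issuer": "http://localhost:8080/auth/realms/ostia",
    "token_endpoint": "http://localhost:8080/auth/realms/ostia/protocol/openid-connect/token",
    "introspection_endpoint": "http://localhost:8080/auth/realms/ostia/protocol/openid-connect/token/introspect",
    "userinfo_endpoint": "http://localhost:8080/auth/realms/ostia/protocol/openid-connect/userinfo"
  }
JSON

# Resolve the introspection endpoint; fail loudly rather than silently
# falling back to a wrong attribute name.
def introspection_endpoint(discovery)
  discovery.fetch('introspection_endpoint') do
    raise KeyError, 'discovery document has no introspection_endpoint'
  end
end

# Extract the bearer token from the request headers.
# Returns nil for a missing, non-Bearer or empty Authorization header.
def bearer_token(headers)
  auth = headers.find { |k, _| k.casecmp?('authorization') }&.last
  return nil unless auth
  scheme, token = auth.split(' ', 2)
  return nil unless scheme&.casecmp?('Bearer') && token && !token.strip.empty?
  token.strip
end

# Constructed stand-in for what the introspection endpoint would answer
# (RFC 7662 shape plus Keycloak-style realm roles). Token strings are made up.
INTROSPECTION = {
  'tok-john'    => { 'active' => true, 'username' => 'john',
                     'realm_access' => { 'roles' => ['member'] } },
  'tok-jane'    => { 'active' => true, 'username' => 'jane',
                     'realm_access' => { 'roles' => ['member', 'admin'] } },
  'tok-expired' => { 'active' => false },
}.freeze

# Unknown tokens are treated exactly like inactive ones.
def introspect(token)
  INTROSPECTION.fetch(token, { 'active' => false })
end

# Hypothetical policy matching the observed outcomes. Order matters:
# the more specific /pets/stats rule must come before the generic one.
POLICY = [
  { 'method' => 'GET', 'path' => %r{\A/pets/stats\z},   'roles' => ['admin'] },
  { 'method' => 'GET', 'path' => %r{\A/pets(/\d+)?\z}, 'roles' => [] },
].freeze

# request: { method:, path:, headers: }. Returns an allow/deny decision
# with a reason, the way an ext_authz check would.
def authorize(request)
  token = bearer_token(request[:headers])
  return { allowed: false, reason: 'missing or malformed bearer token' } unless token

  identity = introspect(token)
  return { allowed: false, reason: 'token inactive' } unless identity['active']

  roles = identity.dig('realm_access', 'roles') || []
  rule = POLICY.find { |r| r['method'] == request[:method] && r['path'].match?(request[:path]) }
  return { allowed: false, reason: 'no matching rule' } unless rule

  missing = rule['roles'] - roles
  return { allowed: false, reason: "missing roles: #{missing.join(',')}" } unless missing.empty?

  { allowed: true, user: identity['username'], roles: roles }
end

if $PROGRAM_NAME == __FILE__
  puts introspection_endpoint(JSON.parse(DISCOVERY_JSON))
  john = { 'Host' => 'app:3000', 'Authorization' => 'Bearer tok-john' }
  jane = { 'Host' => 'app:3000', 'Authorization' => 'Bearer tok-jane' }
  puts authorize(method: 'GET', path: '/pets/stats', headers: john).inspect
  puts authorize(method: 'GET', path: '/pets/stats', headers: jane).inspect
end
```

Deny-by-default is the property worth keeping when you swap the constructed pieces for real ones: an unknown token, an inactive token, a request no rule matches and a request missing a required role all come back as a deny with a reason, and the discovery lookup raises instead of returning nil for a misspelled attribute.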

@guicassolato guicassolato changed the base branch from master to ostia-architecture October 26, 2020 18:38
@guicassolato guicassolato force-pushed the ruby-opa branch 2 times, most recently from 7a11df8 to 8533007 Compare October 27, 2020 20:37
Includes a bug fix in the token introspection endpoint – name of the attribute returned by Keycloak in the discovery is "introspection_endpoint" (not "token_introspection_endpoint")
@guicassolato guicassolato marked this pull request as ready for review October 29, 2020 10:12
@mikz (Contributor) commented Oct 30, 2020

Amazing! It works. It is easy to try and extend! Epic :)

guicassolato added a commit to 3scale-labs/authorino-rb that referenced this pull request Nov 3, 2020