author: mo khan <mo@mokhan.ca> 2025-07-08 08:37:20 -0600
committer: mo khan <mo@mokhan.ca> 2025-07-08 08:37:20 -0600
commit: 1152b4214bfb4e3a3cc20ab9167a456fc48e2619 (patch)
tree: aead8ae0879179e13b349f3b2cc5dc221ad164cf
parent: 8974c9bb1bbd613b57ae8fc1415bd299971c5fae (diff)
docs: add a slide for the warsaw design
-rw-r--r-- share/man/README.md | 34
1 files changed, 22 insertions, 12 deletions
diff --git a/share/man/README.md b/share/man/README.md
index aacc472c..e107801a 100644
--- a/share/man/README.md
+++ b/share/man/README.md
@@ -42,10 +42,20 @@ This is different from Rails where authorization typically happens inside the ap
---
-## Slide 3: Our Solution - Authorization at the Edge
+## Slide 3: The Warsaw Accord Solution
![Warsaw Accord Diagram](./screenshot.png)
+### Key Components:
+
+1. **Ingress L7 Firewall** - Handles authentication flows and intercepts all requests
+2. **STS TS (PDP)** - Makes authorization decisions based on policies
+3. **URT (Unified Request Token)** - Standardized token format for downstream services
+
+---
+
+## Slide 4: Sparling Implementation
+
```
+--------------+
| User-Agent |
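Review bot: the new heading `## Slide 4: Sparling Implementation` looks like a typo; the unchanged context elsewhere in this file calls the Envoy proxy "Sparkle" and the daemon "Sparkled" (the sequence diagrams read `Envoy(Sparkle) Sparkled`), so "Sparkle" or "Sparkled" would match. In the Key Components list, `2. **STS TS (PDP)**` reads as a duplicated token, and neither STS nor PDP is expanded; spell them out on first use, e.g. `2. **STS (Policy Decision Point, PDP)** - Makes authorization decisions based on policies`, and since item 1 states that the Ingress L7 Firewall "handles authentication flows" while the later `### **Future Architecture**` note in this same file says the OIDC authentication may move to Rust authzd, one sentence naming which component is authoritative for authentication versus authorization would keep Slide 3 consistent with the rest of the deck. Minor style point: `### Key Components:` carries a trailing colon that the other `###` headings in the file (e.g. `### The gRPC Call`) do not.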
@@ -92,7 +102,7 @@ This is different from Rails where authorization typically happens inside the ap
---
-## Slide 4: Request Flow - First Time User
+## Slide 5: Request Flow - First Time User
```
User-Agent Envoy(Sparkle) Sparkled GitLab
@@ -128,7 +138,7 @@ User-Agent Envoy(Sparkle) Sparkled GitLab
---
-## Slide 5: Request Flow - Authenticated User
+## Slide 6: Request Flow - Authenticated User
```
User-Agent Envoy(Sparkle) Go Authzd Rust Authzd
@@ -165,7 +175,7 @@ User-Agent Envoy(Sparkle) Go Authzd Rust Authzd
---
-## Slide 6: The Dual Authzd Architecture
+## Slide 7: The Dual Authzd Architecture
### Current: Go Sidecar + Rust Remote
@@ -223,7 +233,7 @@ User-Agent Envoy(Sparkle) Go Authzd Rust Authzd
---
-## Slide 7: Envoy Configuration Deep Dive
+## Slide 8: Envoy Configuration Deep Dive
### **Architecture Evolution Note**
@@ -251,7 +261,7 @@ Each filter processes the request and can:
---
-## Slide 8: OAuth2 Filter - Authentication (Current)
+## Slide 9: OAuth2 Filter - Authentication (Current)
### **Future Architecture**
@@ -285,7 +295,7 @@ This OIDC authentication may move to Rust authzd for centralized token managemen
---
-## Slide 9: JWT Filter - Token Validation (Current)
+## Slide 10: JWT Filter - Token Validation (Current)
### **Future Architecture**
@@ -322,7 +332,7 @@ x-jwt-payload: <base64 encoded JWT>
---
-## Slide 10: `ext_Authz` Filter - Authorization
+## Slide 11: `ext_Authz` Filter - Authorization
### The gRPC Call
@@ -367,7 +377,7 @@ x-user-id: 123456
---
-## Slide 11: Authzd Implementation
+## Slide 12: Authzd Implementation
### **Current Cedar Policies (Placeholder)**
@@ -396,7 +406,7 @@ when {
---
-## Slide 12: How Authzd Makes Decisions
+## Slide 13: How Authzd Makes Decisions
```
CheckRequest from Envoy
@@ -432,7 +442,7 @@ when {
---
-## Slide 13: Demo Scenarios
+## Slide 14: Demo Scenarios
### Scenario 1: Unauthenticated Access
@@ -464,7 +474,7 @@ curl -H "Cookie: id_token=expired" http://localhost:10000/dashboard
---
-## Slide 14: Key Takeaways
+## Slide 15: Key Takeaways
1. **Authorization at the edge** is more secure and performant
2. **Envoy handles the complex parts** - OAuth flows, token validation