Diffstat (limited to 'share')
-rw-r--r-- share/man/README.md | 89
1 files changed, 39 insertions, 50 deletions
diff --git a/share/man/README.md b/share/man/README.md
index 49ead995..1f6dad34 100644
--- a/share/man/README.md
+++ b/share/man/README.md
@@ -147,15 +147,15 @@ User-Agent Envoy(Sparkle) Go Authzd Rust Authzd
| | |------------->|
| | | |
| | | Evaluate |
- | | gRPC: OK | policies |
- | |<----------------|<-------------|
+ | | | policies |
+ | | |<-------------|
| | | |
- | | 4. Forward request |
- | |------------------------------->|
- | | + JWT claims in headers |
+ | | gRPC: OK | |
+ | |<----------------| |
+ | | + URT token in headers |
| | |
| 200 OK | |
- | Dashboard HTML |<-------------------------------|
+ | Dashboard HTML | |
|<---------------| |
```
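Review bot: the redrawn diagram drops step 4 ("Forward request") and the arrow from Envoy to the application, so "+ URT token in headers" now hangs under the gRPC: OK reply with nothing showing who forwards the request, and the "200 OK / Dashboard HTML" line has lost its incoming arrow from the app. Restore a forward step, e.g. `| 4. Forward request + URT token in headers |` with its `------->` arrow, and the app's response arrow back to Envoy, otherwise the sequence ends at Envoy and the new header is never shown reaching the app.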
@@ -220,7 +220,13 @@ User-Agent Envoy(Sparkle) Go Authzd Rust Authzd
## Slide 7: Envoy Configuration Deep Dive
-### The Filter Chain (order matters!)
+### ⚠️ **Architecture Evolution Note**
+The OAuth2 and JWT filters shown below may be removed in future versions:
+- **Option 1**: Move to Rust authzd's Envoy configuration
+- **Option 2**: Implement as code inside Rust authzd
+- **Goal**: Replace JWT with URT (Unified Request Token) via ext_authz
+
+### Current Filter Chain (order matters!)
```yaml
http_filters:
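Review bot: the note says the OAuth2 and JWT filters may be removed but not what happens to the `x-jwt-claim-*` headers that later slides document as the application's input; state whether they are kept, renamed to the `x-user-*` / `x-urt-token` headers, or dropped, since application code keyed on them is what a removal actually breaks. Expand "URT" with a one-line definition or link on first use, and drop the bold inside the `###` heading, which is already emphasised.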
@@ -237,7 +243,10 @@ Each filter processes the request and can:
---
-## Slide 8: OAuth2 Filter - Authentication
+## Slide 8: OAuth2 Filter - Authentication (Current)
+
+### ⚠️ **Future Architecture**
+This OIDC authentication may move to Rust authzd for centralized token management.
### Configuration
```yaml
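Review bot: this "Future Architecture" warning repeats the Slide 7 note almost verbatim, and Slide 9 adds a third copy; three separately worded versions of the same plan will drift as it firms up. Keep the full note on Slide 7 and have Slides 8 and 9 point at it ("see the Architecture Evolution Note on Slide 7").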
@@ -265,7 +274,13 @@ Each filter processes the request and can:
---
-## Slide 9: JWT Filter - Token Validation
+## Slide 9: JWT Filter - Token Validation (Current)
+
+### ⚠️ **Future Architecture**
+JWT validation may move to authzd, which will:
+1. Validate JWT from identity provider
+2. **Replace JWT with URT (Unified Request Token)**
+3. Inject URT as header via ext_authz response
### Configuration
```yaml
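Review bot: once the Envoy JWT filter goes, step 1 makes authzd the sole validator, so the list should name the checks it takes over (signature against the identity provider's keys, issuer, audience, expiry) rather than just "Validate JWT". Step 3 should also say that Envoy strips any client-supplied `x-urt-token` / `x-user-*` headers before ext_authz runs; without that statement a reader cannot tell from the doc how the app distinguishes an authzd-injected header from one the client sent itself.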
@@ -283,7 +298,7 @@ Each filter processes the request and can:
header_name: x-jwt-claim-username
```
-### Headers passed to app:
+### Current headers passed to app:
```
x-jwt-claim-sub: 123456
x-jwt-claim-username: john.doe
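Review bot: the heading now reads "Current headers passed to app" but the section does not say what replaces them; a one-line pointer to the URT header block added later in this change (before Slide 11) would close the loop for application authors who read only this slide.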
@@ -324,6 +339,14 @@ message CheckResponse {
}
```
+### **Key Feature: URT Token Injection**
+Authzd can inject **URT (Unified Request Token)** headers:
+```
+x-urt-token: <downscoped_token>
+x-user-id: 123456
+x-user-groups: ["developers", "maintainers"]
+```
+
---
## Slide 11: Authzd Implementation
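Review bot: `x-user-groups: ["developers", "maintainers"]` shows a JSON array as an HTTP header value; specify the actual encoding (JSON string, comma-separated list, or repeated header) because consumers will parse each differently. Likewise give the format of `<downscoped_token>` (opaque or signed, lifetime), what "downscoped" means here, and which side verifies it. The fence also has no language tag; mark it as a header dump or tag it like the other blocks.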
@@ -418,41 +441,7 @@ when {
---
-## Slide 14: Comparison with Rails
-
-### Rails (Traditional)
-```ruby
-class DashboardController < ApplicationController
- before_action :authenticate_user!
- before_action :authorize_dashboard_access
-
- def show
- # Business logic
- end
-
- private
-
- def authorize_dashboard_access
- unless can?(:view, :dashboard)
- render_403
- end
- end
-end
-```
-
-### Our Approach
-```go
-// No auth code needed!
-func (c *DashboardController) Show(w http.ResponseWriter, r *http.Request) {
- // Just business logic
- userID := r.Header.Get("x-jwt-claim-sub")
- // ...
-}
-```
-
----
-
-## Slide 15: Demo Scenarios
+## Slide 14: Demo Scenarios
### Scenario 1: Unauthenticated Access
```bash
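Review bot: deleting Slide 14 removes the only code on the page showing an application reading `x-jwt-claim-sub`, while the "Current headers passed to app" section still documents those headers; either keep a minimal consumer snippet or state in the migration slide how apps move from `x-jwt-claim-*` to the URT headers. Renumbering Slides 15 to 20 down by one also means any cross-references to slide numbers elsewhere in the deck (none are visible in this diff) need checking.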
@@ -480,7 +469,7 @@ curl -H "Cookie: id_token=expired" http://localhost:10000/dashboard
---
-## Slide 16: Cedar Policy Language
+## Slide 15: Cedar Policy Language
### Why Cedar?
@@ -512,7 +501,7 @@ when {
---
-## Slide 17: Debugging Authorization
+## Slide 16: Debugging Authorization
### Envoy Access Logs
```json
@@ -543,7 +532,7 @@ when {
---
-## Slide 18: Migration Strategy
+## Slide 17: Migration Strategy
### Phase 1: Parallel Running
```
@@ -567,7 +556,7 @@ when {
---
-## Slide 19: Key Takeaways
+## Slide 18: Key Takeaways
1. **Authorization at the edge** is more secure and performant
@@ -581,7 +570,7 @@ when {
---
-## Slide 20: Questions & Discussion
+## Slide 19: Questions & Discussion
### Architecture Questions
- How does this compare to Rails + Devise?