| -rw-r--r-- | share/man/ENVOY.md | 84 |
1 files changed, 84 insertions, 0 deletions
diff --git a/share/man/ENVOY.md b/share/man/ENVOY.md
index cd84781..716aaaa 100644
--- a/share/man/ENVOY.md
+++ b/share/man/ENVOY.md
@@ -386,6 +386,8 @@ filter. The following configuration will look for an `id_token` cookie and then parse the value, validate it against the list of keys specified at the `remote_jwks` uri and then it will inject a header called `x-jwt-payload` with the valid JWT as well as the `x-jwt-claim-sub` with the body section of the JWT.
+This filter ensures ensures the integrity and authenticity of the detected JWT
+and will immediately reject tokens that are invalid.
 ```yaml
 static_resources:
@@ -423,6 +425,88 @@ static_resources:
 provider_name: gitlab_provider
 ```
+The `envoy.filters.http.ext_authz` filter can be used to forward the incoming HTTP request to an external
+policy decision point that can be used to make the authorization decision. For
+Sparkle the PDP is hosted as a sidecar process called `authzd` that makes the
+authorization decision specifically on the contents of the HTTP request.
+
+```yaml
+ # ...
+ - name: envoy.filters.http.oauth2
+ # ...
+ - name: envoy.filters.http.jwt_authn
+ # ...
+ - name: envoy.filters.http.ext_authz
+ typed_config:
+ "@type": type.googleapis.com/envoy.extensions.filters.http.ext_authz.v3.ExtAuthz
+ grpc_service:
+ envoy_grpc:
+ cluster_name: authzd
+ failure_mode_allow: false
+```
+
+The external authorization service must implement the [`CheckRequest` protobuf](https://github.com/envoyproxy/envoy/blob/04378898516847d1107c5b15c22ac602ff06372c/api/envoy/service/auth/v3/external_auth.proto#L35) service definition.
+An example of this can be found in the Sparkle repo. Below is an example
+snippet:
+
+```golang
+package authz
+
+import (
+ "context"
+
+ core "github.com/envoyproxy/go-control-plane/envoy/config/core/v3"
+ auth "github.com/envoyproxy/go-control-plane/envoy/service/auth/v3"
+ types "github.com/envoyproxy/go-control-plane/envoy/type/v3"
+ status "google.golang.org/genproto/googleapis/rpc/status"
+ "google.golang.org/grpc/codes"
+)
+
+type CheckService struct {
+ auth.UnimplementedAuthorizationServer
+}
+
+func (svc *CheckService) Check(ctx context.Context, request *auth.CheckRequest) (*auth.CheckResponse, error) {
+ if svc.isAllowed(ctx, request) {
+ return svc.OK(ctx), nil
+ }
+ return svc.Denied(ctx), nil
+}
+
+// ...
+
+func (svc *CheckService) OK(ctx context.Context) *auth.CheckResponse {
+ return &auth.CheckResponse{
+ Status: &status.Status{
+ Code: int32(codes.OK),
+ },
+ HttpResponse: &auth.CheckResponse_OkResponse{
+ OkResponse: &auth.OkHttpResponse{
+ Headers: []*core.HeaderValueOption{},
+ HeadersToRemove: []string{},
+ ResponseHeadersToAdd: []*core.HeaderValueOption{},
+ },
+ },
+ }
+}
+
+func (svc *CheckService) Denied(ctx context.Context) *auth.CheckResponse {
+ return &auth.CheckResponse{
+ Status: &status.Status{
+ Code: int32(codes.PermissionDenied),
+ },
+ HttpResponse: &auth.CheckResponse_DeniedResponse{
+ DeniedResponse: &auth.DeniedHttpResponse{
+ Status: &types.HttpStatus{
+ Code: types.StatusCode_Unauthorized,
+ },
+ Headers: []*core.HeaderValueOption{},
+ },
+ },
+ }
+}
+```
+
 ## Envoy Configuration
 Let's dive into the envoy configuration. |
