From 4beee46dc6c7642316e118a4d3aa51e4b407256e Mon Sep 17 00:00:00 2001
From: mo khan
Date: Tue, 20 May 2025 14:28:06 -0600
Subject: feat: add external authorization service (authzd) with JWT authentication
- Add new authzd gRPC service implementing Envoy's external authorization API
- Integrate JWT authentication filter in Envoy configuration with claim extraction
- Update middleware to support both cookie-based and header-based user authentication
- Add comprehensive test coverage for authorization service and server
- Configure proper service orchestration with authzd, sparkled, and Envoy
- Update build system and Docker configuration for multi-service deployment
- Add grpcurl tool for gRPC service debugging and testing
This enables fine-grained authorization control through Envoy's ext_authz filter while maintaining backward compatibility with existing cookie-based authentication.
---
 etc/envoy/envoy.yaml | 84 +++++++++++++++++++++++++++++++++++++++++++++++-----
 1 file changed, 76 insertions(+), 8 deletions(-)
(limited to 'etc')
diff --git a/etc/envoy/envoy.yaml b/etc/envoy/envoy.yaml
index 5842448..d07915d 100644
--- a/etc/envoy/envoy.yaml
+++ b/etc/envoy/envoy.yaml
@@ -3,6 +3,14 @@ admin:
 socket_address:
 address: 0.0.0.0
 port_value: 9901
+application_log_config:
+ log_format:
+ json_format:
+ Timestamp: "%Y-%m-%dT%T.%F"
+ ThreadId: "%t"
+ SourceLine: "%s:%#"
+ Level: "%l"
+ Message: "%j"
 overload_manager:
 resource_monitors:
 - name: "envoy.resource_monitors.global_downstream_max_connections"
@@ -11,19 +19,22 @@ overload_manager:
 max_active_downstream_connections: 1024
 static_resources:
 clusters:
- - name: sparkle
- connect_timeout: 0.25s
- type: STRICT_DNS
- lb_policy: ROUND_ROBIN
+ - name: authzd
+ connect_timeout: 5s
 load_assignment:
- cluster_name: sparkle
+ cluster_name: authzd
 endpoints:
 - lb_endpoints:
 - endpoint:
 address:
 socket_address:
- address: localhost
- port_value: 8080
+ address: 127.0.0.1
+ port_value: 10003
+ typed_extension_protocol_options:
+ envoy.extensions.upstreams.http.v3.HttpProtocolOptions:
+ "@type": type.googleapis.com/envoy.extensions.upstreams.http.v3.HttpProtocolOptions
+ explicit_http_config:
+ http2_protocol_options: {}
 - name: oidc
 connect_timeout: 5s
 type: LOGICAL_DNS
@@ -43,6 +54,19 @@ static_resources:
 typed_config:
 "@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.UpstreamTlsContext
 sni: example.com
+ - name: sparkle
+ connect_timeout: 0.25s
+ type: STATIC
+ lb_policy: ROUND_ROBIN
+ load_assignment:
+ cluster_name: sparkle
+ endpoints:
+ - lb_endpoints:
+ - endpoint:
+ address:
+ socket_address:
+ address: 127.0.0.1
+ port_value: 8080
 listeners:
 - name: listener_0
 address:
@@ -102,7 +126,7 @@ static_resources:
 id_token: id_token
 refresh_token: refresh_token
 oauth_nonce: oauth_nonce
- # code_verifier: code_verifier
+ code_verifier: code_verifier
 token_secret:
 name: client_secret
 hmac_secret:
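Review bot: The new `authzd` cluster leaves `type` and `lb_policy` unset while the sibling `sparkle` cluster, moved to the same 127.0.0.1 pattern later in this commit, spells out `type: STATIC` and `lb_policy: ROUND_ROBIN`; the defaults are equivalent, but stating them keeps the two loopback clusters readable side by side, e.g. add `type: STATIC` directly after `connect_timeout: 5s`. Nothing in the cluster says that it is the backend for the listener's ext_authz filter, which this commit configures with `failure_mode_allow: false`, so every request fails closed when authzd is unreachable; a one-line note above `- name: authzd` such as `# ext_authz decision point: requests fail closed if this cluster is down` would spare the next reader a search. The plaintext HTTP/2 transport is acceptable for a loopback address but should be revisited if authzd ever moves off-host.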
@@ -140,6 +164,50 @@ static_resources:
 uri: "https://example.com/oauth/token"
 timeout: 5s
 use_refresh_token: true
+ - name: envoy.filters.http.jwt_authn
+ typed_config:
+ "@type": type.googleapis.com/envoy.extensions.filters.http.jwt_authn.v3.JwtAuthentication
+ providers:
+ provider1:
+ audiences:
+ - OAUTH_CLIENT_ID
+ claim_to_headers:
+ - header_name: x-jwt-claim-sub
+ claim_name: sub
+ forward: true
+ forward_payload_header: x-jwt-payload
+ from_cookies:
+ - id_token
+ issuer: https://example.com
+ remote_jwks:
+ http_uri:
+ uri: https://example.com/oauth/discovery/keys
+ cluster: oidc
+ timeout: 5s
+ rules:
+ - match:
+ path: /health
+ - match:
+ prefix: /sparkles
+ - match:
+ prefix: /dashboard/nav
+ - match:
+ safe_regex:
+ regex: .*\\.(css|js|png|html|ico)$
+ - match:
+ path: /
+ - match:
+ path: /dashboard
+ requires:
+ provider_name: provider1
+ - name: envoy.filters.http.ext_authz
+ typed_config:
+ "@type": type.googleapis.com/envoy.extensions.filters.http.ext_authz.v3.ExtAuthz
+ grpc_service:
+ envoy_grpc:
+ cluster_name: authzd
+ timeout: 30s
+ failure_mode_allow: false
 - name: envoy.filters.http.router
 typed_config:
 "@type": type.googleapis.com/envoy.extensions.filters.http.router.v3.Router
-- cgit v1.2.3
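Review bot: The static-asset rule's `regex: .*\\.(css|js|png|html|ico)$` is a plain YAML scalar, so both backslashes reach RE2 verbatim and `\\.` means a literal backslash followed by any character; no real asset path contains a backslash, so the rule never matches. It is harmless only because jwt_authn applies the first matching rule and lets a request through unverified when the rule has no `requires` or when no rule matches at all — which also means that in this rule set only the exact path `/dashboard` requires a token, while `/sparkles*`, `/dashboard/nav*`, `/`, and anything unmatched reach ext_authz and the upstream with no verified `x-jwt-claim-sub`. Fix the pattern with `regex: '.*\.(css|js|png|html|ico)$'`, and since the commit message says the middleware now accepts header-based user identity, make sure `x-jwt-claim-sub` and `x-jwt-payload` are trusted only on routes where this filter verified the token; Envoy's jwt_authn is meant to strip the configured forward_payload_header and claim_to_headers names from inbound requests before verifying, but confirm that for the Envoy version in use rather than relying on it. The ext_authz `timeout: 30s` next to `failure_mode_allow: false` is the safe direction, though a comment explaining why it is six times the 5s used by the other upstreams in this file would help.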