authz | gin-authz is an authorization middleware for Gin | Web Framework library

file=/svn_repository/conf/authz

One of the group is too long and messy and it's hard to organize.

Problem statement:

My goal is to have istio with external authorization service (ideally HTTP, if not possible than GRPC would do as well). There is a requirement to be able to control what exact status code will be returned to client on authorization service. The latter requirement is the most problematic part.

My research

• I have read istio documentation on external authorizer

• I have made a prototype with HTTP Auth service, but whatever non 200 status code I return from Auth Service the client always receives 403 Forbidden

• In mesh config specification I see the only possibility to set statusOnError but it will be used only in case auth service is unreachable and it can not be dynamically changed.

• Also in envoy documentation for GRPC service I see possibility to set custom status

  ...

I have a few microservices that validate and identify the user using Keycloak as below

I now want to place the Apache APISIX API Gateway before the microservices.

Apache APISIX has a plugin for Keycloak. Can the plugin do the following such that the validation is removed from all the microservices?

• Validate the access_token from the user
• If valid, forward the request to the microservice

Note

This article gives details on how to integrate the Keycloak plugin such that the user will have to authenticate using Keycloak (using a single Keycloak client_id and client_secret). In my case, however, each user will have a different client_id and client_secret.

The official documentation of kubernetes (https://kubernetes.io/docs/reference/access-authn-authz/authentication/) states at some point: "3. Call Kubectl with --token being the id_token OR add tokens to .kube/config" (just search for mentioned phrase in the provided doc url to get the context).

Can anyone give me example where can I "add tokens to .kube/config" directly?

I am in a scenario, when it is needed for me, I can access my cluster with --token inline option but I need to go with adding it to .kube/config.

I am trying to do sth like this but doesn't work (still need to add --token inline option, doesn't work without it):

For this project, I have a monorepo with 2 workspaces (api and frontEnd). I have upgraded node from V10 to V16 recently and the migration is almost complete. I can run it locally, but building is not possible anymore.

When I run yarn workspace api start:dev, defined in api/package.json as "start:dev": "cross-env NODE_ENV=development npx ts-node-dev -r dotenv/config -r tsconfig-paths/register --respawn --transpile-only src/index.ts", it runs smoothly on localhost.

When I run yarn workspace api build:ts, defined in api/package.json as yarn run tsc, I get errors of the following type (I kept only 1 error per file to respect the question character limit, but there are over 2000 lines):

I'm using Open Policy Agent as an authorization component together with OIDC enabled apps.

I have input from the apps in the format:

I am using Ory Hydra to complete an OAuth2 authorization_code flow with PKCE. Something is wrong with my setup. The code verifier is not actually validated. I am able to exchange the authz code for a token whether I provide the right verifier, an invalid one or even not provide one at all.

I am looking through the Hydra source code but having a hard time finding:

1. Where is the code that adds the session to the PKCE table? This is probably called by the oauth2/auth endpoint.
2. Where is the code that validates the code_verifier? I assume it's called by the oauth2/token endpoint

PS: These lines look like what would be called when saving and retrieving the PKCE session. However I don't see them executed anywhere in the package so I don't know how/where the PKCE inputs get validated

Considering Authorization Code Flow with PKCE inside an iframe as follows:

As long as the line with useLazyQuery in App.js (code below) is removed, it will display simple "HELLO" message (working well), otherwise, I got the below error message