From ca0ed0a287dbbd21ff11a2e6f7e550bb92ca249b Mon Sep 17 00:00:00 2001 From: Jason Madigan Date: Tue, 9 Jul 2024 11:00:44 +0100 Subject: [PATCH] details links --- docs/user-guides/anonymous-access.md | 7 +++--- docs/user-guides/api-key-authentication.md | 7 +++--- ...ed-rate-limiting-envoy-dynamic-metadata.md | 11 +++++---- docs/user-guides/authzed.md | 8 +++---- docs/user-guides/caching.md | 16 ++++++------- .../deny-with-redirect-to-login.md | 12 +++++----- ...cation-architecture-festival-wristbands.md | 13 ++++++----- .../envoy-jwt-authn-and-authorino.md | 13 +++++------ docs/user-guides/external-metadata.md | 11 +++++---- docs/user-guides/http-basic-authentication.md | 10 ++++---- docs/user-guides/injecting-data.md | 10 ++++---- .../json-pattern-matching-authorization.md | 9 ++++---- .../keycloak-authorization-services.md | 9 ++++---- .../kubernetes-subjectaccessreview.md | 8 +++---- docs/user-guides/kubernetes-tokenreview.md | 8 +++---- docs/user-guides/mtls-authentication.md | 9 ++++---- .../user-guides/oauth2-token-introspection.md | 9 ++++---- docs/user-guides/oidc-jwt-authentication.md | 7 +++--- docs/user-guides/oidc-rbac.md | 9 ++++---- docs/user-guides/oidc-user-info.md | 11 +++++---- docs/user-guides/opa-authorization.md | 9 ++++---- docs/user-guides/passing-credentials.md | 9 ++++---- .../resource-level-authorization-uma.md | 11 +++++---- docs/user-guides/validating-webhook.md | 23 ++++++++++--------- 24 files changed, 129 insertions(+), 120 deletions(-) diff --git a/docs/user-guides/anonymous-access.md b/docs/user-guides/anonymous-access.md index 13e54a69..a10ba2d9 100644 --- a/docs/user-guides/anonymous-access.md +++ b/docs/user-guides/anonymous-access.md @@ -5,11 +5,12 @@ Bypass identity verification or fall back to anonymous access when credentials f
Authorino capabilities featured in this guide: - + + For further details about Authorino features in general, check the [docs](./../features.md).
diff --git a/docs/user-guides/api-key-authentication.md b/docs/user-guides/api-key-authentication.md index fcf2d899..432dc48d 100644 --- a/docs/user-guides/api-key-authentication.md +++ b/docs/user-guides/api-key-authentication.md @@ -5,11 +5,12 @@ Issue API keys stored in Kubernetes `Secret`s for clients to authenticate with y
Authorino capabilities featured in this guide: -
    -
  • Identity verification & authentication → API key
  • -
+ + In Authorino, API keys are stored as Kubernetes `Secret`s. Each resource must contain an `api_key` entry with the value of the API key, and labeled to match the selectors specified in `spec.identity.apiKey.selector` of the `AuthConfig`. API key `Secret`s must also include labels that match the `secretLabelSelector` field of the Authorino instance. See [Resource reconciliation and status update](../architecture.md#resource-reconciliation-and-status-update) for details. diff --git a/docs/user-guides/authenticated-rate-limiting-envoy-dynamic-metadata.md b/docs/user-guides/authenticated-rate-limiting-envoy-dynamic-metadata.md index 7d03fd5c..7a3d3d27 100644 --- a/docs/user-guides/authenticated-rate-limiting-envoy-dynamic-metadata.md +++ b/docs/user-guides/authenticated-rate-limiting-envoy-dynamic-metadata.md @@ -5,13 +5,14 @@ Provide Envoy with dynamic metadata about the external authorization process to
Authorino capabilities featured in this guide: - + + Dynamic JSON objects built out of static values and values fetched from the [Authorization JSON](../architecture.md#the-authorization-json) can be wrapped to be returned to the reverse-proxy as Envoy Well Known Dynamic Metadata content. Envoy can use those to inject data returned by the external authorization service into the other filters, such as the rate limiting filter. Check out as well the user guides about [Injecting data in the request](injecting-data.md) and [Authentication with API keys](api-key-authentication.md). diff --git a/docs/user-guides/authzed.md b/docs/user-guides/authzed.md index dc5e56ee..8102e50e 100644 --- a/docs/user-guides/authzed.md +++ b/docs/user-guides/authzed.md @@ -5,11 +5,11 @@ Permission requests sent to a Google Zanzibar-based [Authzed/SpiceDB](https://au
Authorino capabilities featured in this guide: -
    -
  • Authorization → SpiceDB
  • -
  • Identity verification & authentication → API key
  • -
+
    +
  • Authorization → SpiceDB
  • +
  • Identity verification & authentication → API key
  • +

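Review bot: the list items removed and re-added in this hunk ("• Authorization → SpiceDB", "• Identity verification & authentication → API key") read identically on both sides in this rendering, so what changed is either whitespace or markup that the stripped tags no longer show; the subject "details links" suggests links were added inside the collapsible block, but that is not verifiable from the visible lines. Say in the commit message what each item gained, and check the rendered page for this guide and for the api-key-authentication and passing-credentials guides, which carry the same list shape in their hunks, since Markdown inside a raw HTML block is only parsed when a blank line separates it from the opening tag.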
diff --git a/docs/user-guides/caching.md b/docs/user-guides/caching.md index 001fe9b5..f7f0988f 100644 --- a/docs/user-guides/caching.md +++ b/docs/user-guides/caching.md @@ -19,15 +19,15 @@ Cases where one will **NOT** want to enable caching, due to relatively cheap com
Authorino capabilities featured in this guide: - - + + For further details about Authorino features in general, check the [docs](../features.md).
diff --git a/docs/user-guides/deny-with-redirect-to-login.md b/docs/user-guides/deny-with-redirect-to-login.md index b0ebbe0e..6dc8e965 100644 --- a/docs/user-guides/deny-with-redirect-to-login.md +++ b/docs/user-guides/deny-with-redirect-to-login.md @@ -5,13 +5,13 @@ Customize response status code and headers on failed requests to redirect users
Authorino capabilities featured in this guide: - - + + Authorino's default response status codes, messages and headers for unauthenticated (`401`) and unauthorized (`403`) requests can be customized with static values and values fetched from the [Authorization JSON](../architecture.md#the-authorization-json). Check out as well the user guides about [HTTP "Basic" Authentication (RFC 7235)](http-basic-authentication.md) and [OpenID Connect Discovery and authentication with JWTs](oidc-jwt-authentication.md). diff --git a/docs/user-guides/edge-authentication-architecture-festival-wristbands.md b/docs/user-guides/edge-authentication-architecture-festival-wristbands.md index 95ae37c3..7099a70b 100644 --- a/docs/user-guides/edge-authentication-architecture-festival-wristbands.md +++ b/docs/user-guides/edge-authentication-architecture-festival-wristbands.md @@ -13,14 +13,15 @@ As a minimum, EAA allows to simplify authentication between applications and mic
Authorino capabilities featured in this guide: - + + Festival Wristbands are OpenID Connect ID tokens (signed JWTs) issued by Authorino by the end of the Auth Pipeline, for authorized requests. It can be configured to include claims based on static values and values fetched from the [Authorization JSON](../architecture.md#the-authorization-json). Check out as well the user guides about [Token normalization](token-normalization.md), [Authentication with API keys](api-key-authentication.md) and [OpenID Connect Discovery and authentication with JWTs](oidc-jwt-authentication.md). diff --git a/docs/user-guides/envoy-jwt-authn-and-authorino.md b/docs/user-guides/envoy-jwt-authn-and-authorino.md index 640f3537..4c144ab0 100644 --- a/docs/user-guides/envoy-jwt-authn-and-authorino.md +++ b/docs/user-guides/envoy-jwt-authn-and-authorino.md @@ -11,14 +11,13 @@ All requests to the Talker API will be authenticated in Envoy. However, requests
Authorino capabilities featured in this guide: - - + For further details about Authorino features in general, check the [docs](../features.md).
diff --git a/docs/user-guides/external-metadata.md b/docs/user-guides/external-metadata.md index 3635f269..24236d3f 100644 --- a/docs/user-guides/external-metadata.md +++ b/docs/user-guides/external-metadata.md @@ -5,13 +5,14 @@ Get online data from remote HTTP services to enhance authorization rules.
Authorino capabilities featured in this guide: - + + You can configure Authorino to fetch additional metadata from external sources in request-time, by sending either GET or POST request to an HTTP service. The service is expected to return a JSON content which is appended to the [Authorization JSON](../architecture.md#the-authorization-json), thus becoming available for usage in other configs of the Auth Pipeline, such as in authorization policies or custom responses. URL, parameters and headers of the request to the external source of metadata can be configured, including with dynamic values. Authentication between Authorino and the service can be set as part of these configuration options, or based on shared authentication token stored in a Kubernetes `Secret`. diff --git a/docs/user-guides/http-basic-authentication.md b/docs/user-guides/http-basic-authentication.md index 15296fc9..e390efed 100644 --- a/docs/user-guides/http-basic-authentication.md +++ b/docs/user-guides/http-basic-authentication.md @@ -5,12 +5,12 @@ Turn Authorino API key `Secret`s settings into HTTP basic auth.
Authorino capabilities featured in this guide: - - + + HTTP "Basic" Authentication ([RFC 7235](https://datatracker.ietf.org/doc/html/rfc7235)) is not recommended if you can afford other more secure methods such as OpenID Connect. To support legacy nonetheless it is sometimes necessary to implement it. In Authorino, HTTP "Basic" Authentication can be modeled leveraging the API key authentication feature (stored as Kubernetes `Secret`s with an `api_key` entry and labeled to match selectors specified in `spec.identity.apiKey.selector` of the `AuthConfig`). diff --git a/docs/user-guides/injecting-data.md b/docs/user-guides/injecting-data.md index 63e1a8f4..69f527bc 100644 --- a/docs/user-guides/injecting-data.md +++ b/docs/user-guides/injecting-data.md @@ -5,12 +5,12 @@ Inject HTTP headers with serialized JSON content.
Authorino capabilities featured in this guide: - - + + Inject serialized custom JSON objects as HTTP request headers. Values can be static or fetched from the [Authorization JSON](../architecture.md#the-authorization-json). Check out as well the user guide about [Authentication with API keys](api-key-authentication.md). diff --git a/docs/user-guides/json-pattern-matching-authorization.md b/docs/user-guides/json-pattern-matching-authorization.md index 90dcfe6e..89e9e39d 100644 --- a/docs/user-guides/json-pattern-matching-authorization.md +++ b/docs/user-guides/json-pattern-matching-authorization.md @@ -5,12 +5,13 @@ Write simple authorization rules based on JSON patterns matched against Authorin
Authorino capabilities featured in this guide: - + + Authorino provides a built-in authorization module to check simple pattern-matching rules against the [Authorization JSON](../architecture.md#the-authorization-json). This is an alternative to [OPA](../features.md#open-policy-agent-opa-rego-policies-authorizationopa) when all you want is to check for some simple rules, without complex logics, such as match the value of a JWT claim. Check out as well the user guide about [OpenID Connect Discovery and authentication with JWTs](oidc-jwt-authentication.md). diff --git a/docs/user-guides/keycloak-authorization-services.md b/docs/user-guides/keycloak-authorization-services.md index 231494e6..1d77ad99 100644 --- a/docs/user-guides/keycloak-authorization-services.md +++ b/docs/user-guides/keycloak-authorization-services.md @@ -7,12 +7,11 @@ This user guide is an example of how to use Authorino as an adapter to Keycloak
Authorino capabilities featured in this guide: - - + For further details about Authorino features in general, check the [docs](../features.md).
diff --git a/docs/user-guides/kubernetes-subjectaccessreview.md b/docs/user-guides/kubernetes-subjectaccessreview.md index 43fd36c9..fd94d101 100644 --- a/docs/user-guides/kubernetes-subjectaccessreview.md +++ b/docs/user-guides/kubernetes-subjectaccessreview.md @@ -5,11 +5,11 @@ Manage permissions in the Kubernetes RBAC and let Authorino to check them in req
Authorino capabilities featured in this guide: - + Authorino can delegate authorization decision to the Kubernetes authorization system, allowing permissions to be stored and managed using the Kubernetes Role-Based Access Control (RBAC) for example. The feature is based on the `SubjectAccessReview` API and can be used for `resourceAttributes` (parameters defined in the `AuthConfig`) or `nonResourceAttributes` (inferring HTTP path and verb from the original request). diff --git a/docs/user-guides/kubernetes-tokenreview.md b/docs/user-guides/kubernetes-tokenreview.md index a70caa9f..04fbe144 100644 --- a/docs/user-guides/kubernetes-tokenreview.md +++ b/docs/user-guides/kubernetes-tokenreview.md @@ -5,11 +5,11 @@ Validate Kubernetes Service Account tokens to authenticate requests to your prot
Authorino capabilities featured in this guide: - - + + Authorino can verify Kubernetes-valid access tokens (using Kubernetes [TokenReview](https://kubernetes.io/docs/reference/kubernetes-api/authentication-resources/token-review-v1) API). These tokens can be either `ServiceAccount` tokens or any valid user access tokens issued to users of the Kubernetes server API. diff --git a/docs/user-guides/mtls-authentication.md b/docs/user-guides/mtls-authentication.md index 617cdf5f..55ffd9a6 100644 --- a/docs/user-guides/mtls-authentication.md +++ b/docs/user-guides/mtls-authentication.md @@ -5,12 +5,13 @@ Verify client X.509 certificates against trusted root CAs stored in Kubernetes `
Authorino capabilities featured in this guide: - + + Authorino can verify x509 certificates presented by clients for authentication on the request to the protected APIs, at application level. Trusted root Certificate Authorities (CA) are stored as Kubernetes `kubernetes.io/tls` Secrets labeled according to selectors specified in the AuthConfig, watched and cached by Authorino. diff --git a/docs/user-guides/oauth2-token-introspection.md b/docs/user-guides/oauth2-token-introspection.md index 4980a0c0..4fe544a8 100644 --- a/docs/user-guides/oauth2-token-introspection.md +++ b/docs/user-guides/oauth2-token-introspection.md @@ -5,12 +5,11 @@ Introspect OAuth 2.0 access tokens (e.g. opaque tokens) for online user data and
Authorino capabilities featured in this guide: - - + Authorino can perform OAuth 2.0 token introspection ([RFC 7662](https://tools.ietf.org/html/rfc7662)) on the access tokens supplied in the requests to protected APIs. This is particularly useful when using opaque tokens, for remote checking the token validity and resolving the identity object. _Important!_ Authorino does **not** implement [OAuth2 grants](https://datatracker.ietf.org/doc/html/rfc6749#section-4) nor [OIDC authentication flows](https://openid.net/specs/openid-connect-core-1_0.html#Authentication). As a common recommendation of good practice, obtaining and refreshing access tokens is for clients to negotiate directly with the auth servers and token issuers. Authorino will only validate those tokens using the parameters provided by the trusted issuer authorities. diff --git a/docs/user-guides/oidc-jwt-authentication.md b/docs/user-guides/oidc-jwt-authentication.md index 62bd3255..a0a6722c 100644 --- a/docs/user-guides/oidc-jwt-authentication.md +++ b/docs/user-guides/oidc-jwt-authentication.md @@ -5,10 +5,11 @@ Validate JSON Web Tokens (JWT) issued and signed by an OpenID Connect server; le
Authorino capabilities featured in this guide: - + + Authorino validates JSON Web Tokens (JWT) issued by an OpenID Connect server that implements OpenID Connect Discovery. Authorino fetches the OpenID Connect configuration and JSON Web Key Set (JWKS) from the issuer endpoint, and verifies the JSON Web Signature (JWS) and time validity of the token. diff --git a/docs/user-guides/oidc-rbac.md b/docs/user-guides/oidc-rbac.md index 29a54357..b7074bef 100644 --- a/docs/user-guides/oidc-rbac.md +++ b/docs/user-guides/oidc-rbac.md @@ -7,12 +7,13 @@ In this user guide, you will learn via example how to implement a simple Role-Ba
Authorino capabilities featured in this guide: - + + Check out as well the user guides about [OpenID Connect Discovery and authentication with JWTs](oidc-jwt-authentication.md) and [Simple pattern-matching authorization policies](json-pattern-matching-authorization.md). For further details about Authorino features in general, check the [docs](../features.md). diff --git a/docs/user-guides/oidc-user-info.md b/docs/user-guides/oidc-user-info.md index 1e1bcd8b..38cf208b 100644 --- a/docs/user-guides/oidc-user-info.md +++ b/docs/user-guides/oidc-user-info.md @@ -5,13 +5,14 @@ Fetch user info for OpenID Connect ID tokens in request-time for extra metadata
Authorino capabilities featured in this guide: - + + Apart from possibly complementing information of the JWT, fetching OpenID Connect UserInfo in request-time can be particularly useful for remote checking the state of the session, as opposed to only verifying the JWT/JWS offline. Implementation requires an OpenID Connect issuer ([`spec.identity.oidc`](#openid-connect-oidc-jwtjose-verification-and-validation-identityoidc)) configured in the same `AuthConfig`. Check out as well the user guide about [OpenID Connect Discovery and authentication with JWTs](oidc-jwt-authentication.md). diff --git a/docs/user-guides/opa-authorization.md b/docs/user-guides/opa-authorization.md index 83d66f56..f62ded48 100644 --- a/docs/user-guides/opa-authorization.md +++ b/docs/user-guides/opa-authorization.md @@ -5,12 +5,13 @@ Leverage the power of Open Policy Agent (OPA) policies, evaluated against Author
Authorino capabilities featured in this guide: - + + Authorino supports [Open Policy Agent](https://www.openpolicyagent.org) policies, either inline defined in [Rego language](https://www.openpolicyagent.org/docs/latest/policy-language) as part of the `AuthConfig` or fetched from an external endpoint, such as an OPA Policy Registry. Authorino's built-in OPA module precompiles the policies in reconciliation-time and cache them for fast evaluation in request-time, where they receive the Authorization JSON as input. diff --git a/docs/user-guides/passing-credentials.md b/docs/user-guides/passing-credentials.md index 6d9afbbf..af0cea15 100644 --- a/docs/user-guides/passing-credentials.md +++ b/docs/user-guides/passing-credentials.md @@ -5,12 +5,11 @@ Customize where credentials are supplied in the request by each trusted source o
Authorino capabilities featured in this guide: -
    -
  • Identity verification & authentication → Auth credentials
  • -
  • Identity verification & authentication → API key
  • -
- +
    +
  • Identity verification & authentication → Auth credentials
  • +
  • Identity verification & authentication → API key
  • +
Authentication tokens can be supplied in the `Authorization` header, in a custom header, cookie or query string parameter. Check out as well the user guide about [Authentication with API keys](api-key-authentication.md). diff --git a/docs/user-guides/resource-level-authorization-uma.md b/docs/user-guides/resource-level-authorization-uma.md index f66f178f..b37a2e4e 100644 --- a/docs/user-guides/resource-level-authorization-uma.md +++ b/docs/user-guides/resource-level-authorization-uma.md @@ -5,12 +5,13 @@ Fetch resource metadata relevant for your authorization policies from Keycloak a
Authorino capabilities featured in this guide: - + + Check out as well the user guides about [OpenID Connect Discovery and authentication with JWTs](oidc-jwt-authentication.md) and [Open Policy Agent (OPA) Rego policies](opa-authorization.md). diff --git a/docs/user-guides/validating-webhook.md b/docs/user-guides/validating-webhook.md index 90e2e428..b1a5075d 100644 --- a/docs/user-guides/validating-webhook.md +++ b/docs/user-guides/validating-webhook.md @@ -9,19 +9,20 @@ This user guide provides an example of using Authorino as a Kubernetes Validatin
Authorino capabilities featured in this guide: - + + For further details about Authorino features in general, check the [docs](../features.md).
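Review bot: the "Authorino capabilities featured in this guide" hunks are not uniform in shape: most replace one line with two (anonymous-access, api-key-authentication, authenticated-rate-limiting-envoy-dynamic-metadata, caching, deny-with-redirect-to-login, edge-authentication-architecture-festival-wristbands, external-metadata, http-basic-authentication, injecting-data, json-pattern-matching-authorization, kubernetes-tokenreview, mtls-authentication, oidc-jwt-authentication, oidc-rbac, oidc-user-info, opa-authorization, resource-level-authorization-uma, validating-webhook), kubernetes-subjectaccessreview replaces one with one, and envoy-jwt-authn-and-authorino, keycloak-authorization-services and oauth2-token-introspection replace two lines with one. Only the `-`/`+` markers survive in this rendering, so the content of the changed lines cannot be checked here; confirm that every one of the 24 guides ends up with the same block structure and the same set of links, and expand the one-word subject "details links" into a message that states what the block now contains.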