Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

feat: forward basic auth user #3312

Conversation

zhaohuabing
Copy link
Member

@zhaohuabing zhaohuabing commented Apr 30, 2024

This PR extracts username from the HTTP authorization header and add it to a custom header, providing a user identity that can be directly used in the Authorization Policy and by other filters or backends.

      basicAuth:
        users:
          name: "users-secret1"
        forwardUsernameHeader: x-basic-auth-user

Fix: #2947
Related: #2250 #2652

@zhaohuabing zhaohuabing requested a review from a team as a code owner April 30, 2024 18:16
@zhaohuabing zhaohuabing force-pushed the forward_basic_auth_username_header branch 3 times, most recently from c66e1dd to 187dec0 Compare April 30, 2024 21:56
Signed-off-by: huabing zhao <zhaohuabing@gmail.com>
@zhaohuabing zhaohuabing force-pushed the forward_basic_auth_username_header branch from 187dec0 to bf20d0c Compare May 1, 2024 01:56
@arkodg
Copy link
Contributor

arkodg commented May 1, 2024

thoughts on userNameToHeader similar to the existing claimToHeader field in jwt ?

@zhaohuabing zhaohuabing marked this pull request as draft May 1, 2024 18:06
@zhaohuabing zhaohuabing marked this pull request as ready for review May 1, 2024 18:16
Signed-off-by: huabing zhao <zhaohuabing@gmail.com>
Signed-off-by: huabing zhao <zhaohuabing@gmail.com>
Signed-off-by: huabing zhao <zhaohuabing@gmail.com>
…oute in a Gateway

Signed-off-by: huabing zhao <zhaohuabing@gmail.com>
@@ -24,4 +27,10 @@ type BasicAuth struct {
//
// Note: The secret must be in the same namespace as the SecurityPolicy.
Users gwapiv1b1.SecretObjectReference `json:"users"`

// The name of the HTTP header that will be used to forward the username to the upstream server.
// Please note that the header name is a global setting for all the routes in a Gateway.
Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

UserNameToHeader can also be per route, but will need some upstream work.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

imo we should wait until per route support is added, else a per route setting will enable this at the global level

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

OK, let's wait for the upstream.

Copy link

github-actions bot commented Jun 1, 2024

This pull request has been automatically marked as stale because it has not had activity in the last 30 days. Please feel free to give a status update now, ping for review, when it's ready. Thank you for your contributions!

@github-actions github-actions bot added the stale label Jun 1, 2024
Signed-off-by: Huabing Zhao <zhaohuabing@gmail.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Development

Successfully merging this pull request may close these issues.

Extract username from basic auth and forward it to backends
2 participants