kedge: Implement auth per route logic

Question

kedge: Implement auth per route logic

bwplotka opened this issue 7 years ago · 0 comments

There are some strong use cases to give fine-grained control over what permissions are needed for each individual route.

For OIDC it will be just expected permissions per certain route
For TLS certs - expected metadata

Preferably, it would be a separate layer before proper routing. We don't want to mix mapping with authorizing the request. Instead, we want to isolate potential auth bugs (up for discussion).

However, there are some specific arguments not to do it though.

Encourage additional auth per service. is easier to separate logic here and to not use kedge as default auth layer for service. (however, as an example, Nginx is doing exactly that)
Difficulty in maintenance and configuration of these auths per route.

Nevertheless, we can consider doing it if needed.