Use Envoy Proxy or HA Proxy for authentication using IDP - haproxy

I have a requirement where i need to authenticate external request via IDP. Can this be done using envoy proxy or HA Proxy?

Currently the only way to achieve this is by using the ext_authz filter to send request metadata to an auth server.
https://www.envoyproxy.io/docs/envoy/latest/configuration/http/http_filters/ext_authz_filter
There's currently work on implementing an OAuth filter that would work with any OAuth 2.0 compliant IdP but that work is not yet complete (https://github.com/envoyproxy/envoy/issues/8571)

Related

How to configure JWT auth in Envoy Proxy using Okta as provider

I have an app running behind envoy proxy and working on enabling JWT auth for the same using okta. It would be of great help if someone can point me to appropriate example configuration or appropriate document.
I ended up using Gloo's ExtAuth functionality.

Apache Karaf - Authentication and Authorization via Keycloak

I use Apache Karaf 4.x for my rest services. I would like to provide authentication and authorization for my services via Keycloak. I do not want to make direct changes in each service. Instead, I would like to configure karaf in the way that if request is not authenticated then it will forward to keycloak to get a session. or maybe there could be client credentials or bearer token and karaf could check that token before allowing to use the service.
Any help is appreciated.
Thanks in advance

two way SSL using AWS API Gateway

Can we use Two Way SSL feature using AWS API Gateway ? We want to use API Gateway as proxy for kinesis in our real-time streaming application.
Below is my requirement
The client make request to apigateway and apigateway needs to put the data in kinesis streams.
The only way to authenticate the clients is using two way SSL. our clients doesnt support other options.
Currently on-premise F5 loadbalancer does this work for us and we have tomcats running behind F5 placing data into kinesis.
Will i be able to achieve the same using API Gateway ? looks like even aws ELB seems to be not supporting this option.
I have taken a look at below link but this to authenticate API Gateway at server not apigateway authenticating the client.
https://docs.aws.amazon.com/apigateway/latest/developerguide/getting-started-client-side-ssl-authentication.html
Regards
Kalyan
API Gateway can authenticate itself to your back-end with TLS, as you have found, but it does not work in the opposite direction -- it does not support authenticating clients with TLS.

Does AWS API Gateway Support Basic Authorization?

Is there a way to use Basic authentication rather than AWS4-HMAC-SHA256 authentication with the AWS API Gateway Service? I need to support a system that only supports webhook calls with Basic Authentication.
You just need to modify the 401 Unauthorized response template so that it contains the WWW-Authenticate header set to 'Basic'. Apart from that, you'll need to create a custom authorizer that verifies that the provided credentials are correct. You can find more info here
You can configure an API Gateway to support Basic auth, and API Gateway supports integrations with any AWS service.
Setting up Basic auth in API Gateway requires a few steps. Check this post and search down to BobK#AWS response: https://forums.aws.amazon.com/thread.jspa?messageID=799091&tstart=0

openID connect server with spring-cloud-securiy

we am trying to use open ID connect (OIDC) for authentication and authorization (AnA) for our micro-service architecture based on spring-cloud framework
As a part of requirement we want to achieve following:
Integrate (OIDC) with SSO Federation as a Identity provider which we are using federation to authenticate users (staff id)
How to customize access_token which in turn will be provided by a micro service (Authorization service)
I am looking at MITREid Connect as its based on spring framework and spring security
https://github.com/mitreid-connect/OpenID-Connect-Java-Spring-Server
As a resutl of that, all requests to our services have to go through (OIDC) for (AnA)
I also check on https://cloud.spring.io/spring-cloud-security/ as I understand the Zuul server will get an access_token to relay to proxied services. But our scenarios are different as we want to expose other micro-services to external parties as well so that we want to have secure our services.
Any advices is highly appreciated.