diff --git a/docs/developer/decision-records/2024-06-24-api-authentication-configuration/README.md b/docs/developer/decision-records/2024-06-24-api-authentication-configuration/README.md new file mode 100644 index 00000000000..1d886ace7b1 --- /dev/null +++ b/docs/developer/decision-records/2024-06-24-api-authentication-configuration/README.md 
@@ -0,0 +1,54 @@ +# Api Authentication Configuration + +## Decision + +A new extension will be introduced for configuring the `ApiAuthenticationRegistry` + +## Rationale + +Recently, the `ApiAuthenticationRegistry` was introduced for associating a web context to a `AuthenticationService` in +order to use different auth mechanism for different contexts. Currently though, this association is expressed +in each `AuthenticationService` extension, which makes ti difficult to apply an `AuthenticationService` to a different +context compared to the current hardcoded one. + +## Approach + +Each implementor of `AuthenticationService` will also implement an `ApiAuthenticationProvider` which will provide an +instance of `AuthenticationService` based on the input configuration. + +```java +public interface ApiAuthenticationProvider { + + Result provide(Config config); +} +``` + +Those providers can be registered in a registry `ApiAuthenticationProviderRegistry`, associated with the auth type ( +basic,token, delegated, ...) + +```java +public interface ApiAuthenticationProviderRegistry { + + void register(String type, ApiAuthenticationProvider provider); + + Result resolve(String type); +} +``` + +Then the new extension, leveraging the partition mechanism of EDC `web.http` config, will configure the association +between the context and the auth type in the prepare phase. + +For example if a user wants to configure the `TokenBasedAuthenticationService` for the `management` context, a +configuration like this could be used: + +``` +web.http.management.auth.type=tokenbased +web.http.management.auth.key.alias=vaultAlias +``` + +For each web context the extension will read the `auth.type` if present, and will invoke the provider for that type with +the input configuration, associating then the created instance with the configured `context` in +the `ApiAuthenticationRegistry`. 
+ +> For backward compatibility we will leave in place the current hardcoded association +> context <-> `AuthenticationService` diff --git a/docs/developer/decision-records/README.md b/docs/developer/decision-records/README.md index 9f1d76dcd6e..62f3fec6a5d 100644 --- a/docs/developer/decision-records/README.md +++ b/docs/developer/decision-records/README.md @@ -56,3 +56,4 @@ - [2023-12-19 Token Handling Refactor](./2023-12-19-token-handling-refactor/) - [2024-01-12 Dynamic Constraint Functions](./2024-01-12-dynamic-constraint-functions/) - [2024-05-24 Dataplane Selection Improvements](./2024-05-24-dataplane-selection-improvements/) +- [2024-06-24 Api Authentication Configuration](./2024-06-24-api-authentication-configuration/)
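Review bot: the "Approach" section and the closing backward-compatibility note together leave the precedence rule undefined: the extension registers an `AuthenticationService` for a context whenever `web.http.<context>.auth.type` is set, while the existing hardcoded context <-> `AuthenticationService` association stays in place, so the record should state which registration wins when both exist for the same context (e.g. `management`), and that a conflict is at least logged. It should also state the behaviour when `ApiAuthenticationProviderRegistry.resolve(type)` has no provider for the configured `auth.type` or the provider's `Result` is a failure: the text only says the provider is invoked, and a silent skip would leave that context with the fallback association or no authentication at all, so failing the prepare phase for that context is the safer reading and should be written down. Minor points in the same hunk: both interface snippets use the raw `Result` type, so `Result<AuthenticationService> provide(Config config);` and `Result<ApiAuthenticationProvider> resolve(String type);` would make the intent explicit, and "makes ti difficult" should read "makes it difficult".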