Support API Key Auth #2630
Comments
arkodg
added
help wanted
|
blocked on upstream implementation in envoy |
|
@arkodg do you know the upstream implementation envoy tracking? |
|
I think this can be easily implemented by header or query matching right? |
|
cc @zhaohuabing |
|
@arkodg @zufardhiyaulhaq It should be a simple Envoy Filter. I can pick it up when I get some bandwidth. |
|
/assign |
|
API Key Auth is also often related to a set of APIs that is accessible with that Key. Often stored elsewhere to determine if the resource (API) being accessed is allowed to be accessed with this Key. What is the main purpose of this feature? To capture API key values for rate limiting only? Or to do AuthZ enforcement? And how would we differentiate dynamically if an API key is subscribed to a higher rate limit than another API key? |
|
@missBerg it is very essential feature for us stopping the adoption of envoy gateway. The primary idea is to use it as AuthZ. Regarding rate limits - we can support different scenarios. Probably starting from separate rate limit for each API key.
It should not be an issue. When the basic rate limiting would be implemented, complex scenarios could be considered (like common rate limit for API keys from one user). |
<!-- !!!ATTENTION!!! If you are fixing *any* crash or *any* potential security issue, *do not* open a pull request in this repo. Please report the issue via emailing [email protected] where the issue will be triaged appropriately. Thank you in advance for helping to keep Envoy secure. !!!ATTENTION!!! For an explanation of how to fill out the fields, please see the relevant section in [PULL_REQUESTS.md](https://github.com/envoyproxy/envoy/blob/main/PULL_REQUESTS.md) --> This PR adds the API for HTTP APIKey Auth Filter that is proposed at #34877 and envoyproxy/gateway#2630. Commit Message: api: HTTP APIKey Auth Filter Risk Level: Low (only API) Testing: WIP (will be done after we agree on the API) Docs Changes: WIP Release Notes: WIP Platform Specific Features: No Part of: #34877 --------- Signed-off-by: Kensei Nakada <[email protected]> Signed-off-by: wangbaiping(wbpcode) <[email protected]> Co-authored-by: wangbaiping(wbpcode) <[email protected]>
<!-- !!!ATTENTION!!! If you are fixing *any* crash or *any* potential security issue, *do not* open a pull request in this repo. Please report the issue via emailing [email protected] where the issue will be triaged appropriately. Thank you in advance for helping to keep Envoy secure. !!!ATTENTION!!! For an explanation of how to fill out the fields, please see the relevant section in [PULL_REQUESTS.md](https://github.com/envoyproxy/envoy/blob/main/PULL_REQUESTS.md) --> This PR adds the API for HTTP APIKey Auth Filter that is proposed at envoyproxy/envoy#34877 and envoyproxy/gateway#2630. Commit Message: api: HTTP APIKey Auth Filter Risk Level: Low (only API) Testing: WIP (will be done after we agree on the API) Docs Changes: WIP Release Notes: WIP Platform Specific Features: No Part of: #34877 --------- Signed-off-by: Kensei Nakada <[email protected]> Signed-off-by: wangbaiping(wbpcode) <[email protected]> Co-authored-by: wangbaiping(wbpcode) <[email protected]> Mirrored from https://github.com/envoyproxy/envoy @ 72b75074a0ee089ad81f68ae011e31f14c2936fe
|
This issue has been automatically marked as stale because it has not had activity in the last 30 days. |
|
looks like the upstream feature is in, is this something we can get in for v1.3 @sanposhiho ? |
|
Yeah, how do we deal with the compatibility between gateway and envoy? Can we just introduce features in gateway with any latest features on envoy side immediately or do we have to wait for envoy to cut a new release? |
|
Okay, I found: So, we can just start this implementation now, do I understand right? |
|
yeah @sanposhiho, gateway |
|
you'll also need to |
The problem is, unlike HTTP Basic Auth, API key auth is much more flexible, the key can be in the header, path, or even body. I think we will need a dedicated envoy filter in Envoy if we want to support API key auth, we can follow the open API specs: https://swagger.io/docs/specification/authentication/api-keys/#:~:text=API%20keys%20are%20supposed%20to,mechanisms%20such%20as%20HTTPS%2FSSL.
Originally posted by @zhaohuabing in #1660 (comment)
The text was updated successfully, but these errors were encountered: