From 54047e062e5a8bd621f20ca167df5ddf7b3c3d5c Mon Sep 17 00:00:00 2001 From: Jason Madigan Date: Tue, 9 Jul 2024 11:38:04 +0100 Subject: [PATCH] markdown links --- docs/user-guides/anonymous-access.md | 15 ++++------- docs/user-guides/api-key-authentication.md | 11 +++----- ...ed-rate-limiting-envoy-dynamic-metadata.md | 14 +++++----- docs/user-guides/authzed.md | 13 +++------ docs/user-guides/caching.md | 19 +++++-------- .../deny-with-redirect-to-login.md | 15 ++++------- ...cation-architecture-festival-wristbands.md | 17 +++++------- .../envoy-jwt-authn-and-authorino.md | 17 +++++------- docs/user-guides/external-metadata.md | 15 ++++------- docs/user-guides/http-basic-authentication.md | 13 +++------ docs/user-guides/injecting-data.md | 13 +++------ .../json-pattern-matching-authorization.md | 13 +++------ .../keycloak-authorization-services.md | 14 ++++------ .../kubernetes-subjectaccessreview.md | 14 ++++------ docs/user-guides/kubernetes-tokenreview.md | 11 +++----- docs/user-guides/mtls-authentication.md | 13 +++------ .../user-guides/oauth2-token-introspection.md | 13 +++------ docs/user-guides/oidc-jwt-authentication.md | 11 +++----- docs/user-guides/oidc-rbac.md | 13 +++------ docs/user-guides/oidc-user-info.md | 15 ++++------- docs/user-guides/opa-authorization.md | 13 +++------ docs/user-guides/passing-credentials.md | 13 +++------ .../resource-level-authorization-uma.md | 15 ++++------- docs/user-guides/sharding.md | 14 ++++------ docs/user-guides/token-normalization.md | 17 +++++------- docs/user-guides/validating-webhook.md | 27 ++++++++----------- 26 files changed, 127 insertions(+), 251 deletions(-) diff --git a/docs/user-guides/anonymous-access.md b/docs/user-guides/anonymous-access.md index 13e54a69..2e6ef2ed 100644 --- a/docs/user-guides/anonymous-access.md +++ b/docs/user-guides/anonymous-access.md @@ -3,17 +3,12 @@ Bypass identity verification or fall back to anonymous access when credentials fail to validate
- - Authorino capabilities featured in this guide: - - - - For further details about Authorino features in general, check the [docs](./../features.md). -
+ Authorino capabilities featured in this guide: -
+ - Identity verification & authentication → [Anonymous access](./../features.md#anonymous-access-authenticationanonymous) + + For further details about Authorino features in general, check the [docs](./../features.md). + ## Requirements diff --git a/docs/user-guides/api-key-authentication.md b/docs/user-guides/api-key-authentication.md index fcf2d899..c37372a7 100644 --- a/docs/user-guides/api-key-authentication.md +++ b/docs/user-guides/api-key-authentication.md @@ -3,12 +3,9 @@ Issue API keys stored in Kubernetes `Secret`s for clients to authenticate with your protected hosts.
- - Authorino capabilities featured in this guide: -
    -
  • Identity verification & authentication → API key
  • -
-
+ Authorino capabilities featured in this guide: + + - Identity verification & authentication → [API key](../features.md#api-key-authenticationapikey) In Authorino, API keys are stored as Kubernetes `Secret`s. Each resource must contain an `api_key` entry with the value of the API key, and labeled to match the selectors specified in `spec.identity.apiKey.selector` of the `AuthConfig`. @@ -17,8 +14,6 @@ Issue API keys stored in Kubernetes `Secret`s for clients to authenticate with y For further details about Authorino features in general, check the [docs](../features.md).
-
- ## Requirements - Kubernetes server with permissions to install cluster-scoped resources (operator, CRDs and RBAC) diff --git a/docs/user-guides/authenticated-rate-limiting-envoy-dynamic-metadata.md b/docs/user-guides/authenticated-rate-limiting-envoy-dynamic-metadata.md index 7d03fd5c..fda0d2e5 100644 --- a/docs/user-guides/authenticated-rate-limiting-envoy-dynamic-metadata.md +++ b/docs/user-guides/authenticated-rate-limiting-envoy-dynamic-metadata.md @@ -3,14 +3,12 @@ Provide Envoy with dynamic metadata about the external authorization process to be injected into the rate limiting filter.
- - Authorino capabilities featured in this guide: - - + Authorino capabilities featured in this guide + + - Dynamic response → Response wrappers → [Envoy Dynamic Metadata](../features.md#envoy-dynamic-metadata) + - Dynamic response → [JSON injection](../features.md#json-injection-responsesuccessheadersdynamicmetadatajson) + - Identity verification & authentication → [API key](../features.md#api-key-authenticationapikey) + Dynamic JSON objects built out of static values and values fetched from the [Authorization JSON](../architecture.md#the-authorization-json) can be wrapped to be returned to the reverse-proxy as Envoy Well Known Dynamic Metadata content. Envoy can use those to inject data returned by the external authorization service into the other filters, such as the rate limiting filter. diff --git a/docs/user-guides/authzed.md b/docs/user-guides/authzed.md index dc5e56ee..e55bce8b 100644 --- a/docs/user-guides/authzed.md +++ b/docs/user-guides/authzed.md @@ -3,16 +3,11 @@ Permission requests sent to a Google Zanzibar-based [Authzed/SpiceDB](https://authzed.com) instance, via gRPC.
- - Authorino capabilities featured in this guide: -
    -
  • Authorization → SpiceDB
  • -
  • Identity verification & authentication → API key
  • -
-
-
+ Authorino capabilities featured in this guide -
+ - Authorization → [SpiceDB](../features.md#spicedb-authorizationspicedb) + - Identity verification & authentication → [API key](../features.md#api-key-authenticationapikey) +
## Requirements diff --git a/docs/user-guides/caching.md b/docs/user-guides/caching.md index 001fe9b5..37975095 100644 --- a/docs/user-guides/caching.md +++ b/docs/user-guides/caching.md @@ -17,22 +17,17 @@ Cases where one will **NOT** want to enable caching, due to relatively cheap com - Anonymous access
- - Authorino capabilities featured in this guide: - - + Authorino capabilities featured in this guide + + - Common feature → [Caching](../features.md#common-feature-caching-cache) + - Identity verification & authentication → [Anonymous access](../features.md#anonymous-access-authenticationanonymous) + - External auth metadata → [HTTP GET/GET-by-POST](../features.md#http-getget-by-post-metadatahttp) + - Authorization → [Open Policy Agent (OPA) Rego policies](../features.md#open-policy-agent-opa-rego-policies-authorizationopa) + - Dynamic response → [JSON injection](../features.md#json-injection-responsesuccessheadersdynamicmetadatajson) For further details about Authorino features in general, check the [docs](../features.md).
-
- ## Requirements - Kubernetes server with permissions to install cluster-scoped resources (operator, CRDs and RBAC) diff --git a/docs/user-guides/deny-with-redirect-to-login.md b/docs/user-guides/deny-with-redirect-to-login.md index b0ebbe0e..c50aa012 100644 --- a/docs/user-guides/deny-with-redirect-to-login.md +++ b/docs/user-guides/deny-with-redirect-to-login.md @@ -3,14 +3,11 @@ Customize response status code and headers on failed requests to redirect users of a web application protected with Authorino to a login page instead of a `401 Unauthorized`.
- - Authorino capabilities featured in this guide: - - + Authorino capabilities featured in this guide + + - Dynamic response → [Custom denial status](../features.md#custom-denial-status-responseunauthenticated-and-responseunauthorized) + - Identity verification & authentication → [API key](../features.md#api-key-authenticationapikey) + - Identity verification & authentication → [JWT verification](../features.md#jwt-verification-authenticationjwt) Authorino's default response status codes, messages and headers for unauthenticated (`401`) and unauthorized (`403`) requests can be customized with static values and values fetched from the [Authorization JSON](../architecture.md#the-authorization-json). @@ -19,8 +16,6 @@ Customize response status code and headers on failed requests to redirect users For further details about Authorino features in general, check the [docs](../features.md).
-
- ## Requirements - Kubernetes server with permissions to install cluster-scoped resources (operator, CRDs and RBAC) diff --git a/docs/user-guides/edge-authentication-architecture-festival-wristbands.md b/docs/user-guides/edge-authentication-architecture-festival-wristbands.md index 95ae37c3..bf15c059 100644 --- a/docs/user-guides/edge-authentication-architecture-festival-wristbands.md +++ b/docs/user-guides/edge-authentication-architecture-festival-wristbands.md @@ -11,15 +11,12 @@ The very definition of "edge" is subject to discussion, but the underlying idea As a minimum, EAA allows to simplify authentication between applications and microservices inside the network, as well as to reduce authorization to domain-specific rules and policies, rather than having to deal all the complexity to support all types of clients in every node.
- - Authorino capabilities featured in this guide: - - + Authorino capabilities featured in this guide + + - Dynamic response → [Festival Wristband tokens](../features.md#festival-wristband-tokens-responsesuccessheadersdynamicmetadatawristband) + - Identity verification & authentication → [Identity extension](../features.md#extra-identity-extension-authenticationdefaults-and-authenticationoverrides) + - Identity verification & authentication → [API key](../features.md#api-key-authenticationapikey) + - Identity verification & authentication → [JWT verification](../features.md#jwt-verification-authenticationjwt) Festival Wristbands are OpenID Connect ID tokens (signed JWTs) issued by Authorino by the end of the Auth Pipeline, for authorized requests. It can be configured to include claims based on static values and values fetched from the [Authorization JSON](../architecture.md#the-authorization-json). @@ -28,8 +25,6 @@ As a minimum, EAA allows to simplify authentication between applications and mic For further details about Authorino features in general, check the [docs](../features.md).
-
- ## Requirements - Kubernetes server with permissions to install cluster-scoped resources (operator, CRDs and RBAC) diff --git a/docs/user-guides/envoy-jwt-authn-and-authorino.md b/docs/user-guides/envoy-jwt-authn-and-authorino.md index 640f3537..50113458 100644 --- a/docs/user-guides/envoy-jwt-authn-and-authorino.md +++ b/docs/user-guides/envoy-jwt-authn-and-authorino.md @@ -9,21 +9,16 @@ The policy defines a geo-fence by which only requests originated in Great Britai All requests to the Talker API will be authenticated in Envoy. However, requests to `/global` will **not** trigger the external authorization.
- - Authorino capabilities featured in this guide: - - + Authorino capabilities featured in this guide + + - Identity verification & authentication → [Plain](../features.md#plain-authenticationplain) + - External auth metadata → [HTTP GET/GET-by-POST](../features.md#http-getget-by-post-metadatahttp) + - Authorization → [Pattern-matching authorization](../features.md#pattern-matching-authorization-authorizationpatternmatching) + - Dynamic response → [Custom denial status](../features.md#custom-denial-status-responseunauthenticated-and-responseunauthorized) For further details about Authorino features in general, check the [docs](../features.md).
-
- ## Requirements - Kubernetes server with permissions to install cluster-scoped resources (operator, CRDs and RBAC) diff --git a/docs/user-guides/external-metadata.md b/docs/user-guides/external-metadata.md index 3635f269..35151d4b 100644 --- a/docs/user-guides/external-metadata.md +++ b/docs/user-guides/external-metadata.md @@ -3,14 +3,11 @@ Get online data from remote HTTP services to enhance authorization rules.
- - Authorino capabilities featured in this guide: - - + Authorino capabilities featured in this guide + + - External auth metadata → [HTTP GET/GET-by-POST](../features.md#http-getget-by-post-metadatahttp) + - Identity verification & authentication → [API key](../features.md#api-key-authenticationapikey) + - Authorization → [Open Policy Agent (OPA) Rego policies](../features.md#open-policy-agent-opa-rego-policies-authorizationopa) You can configure Authorino to fetch additional metadata from external sources in request-time, by sending either GET or POST request to an HTTP service. The service is expected to return a JSON content which is appended to the [Authorization JSON](../architecture.md#the-authorization-json), thus becoming available for usage in other configs of the Auth Pipeline, such as in authorization policies or custom responses. @@ -21,8 +18,6 @@ Get online data from remote HTTP services to enhance authorization rules. For further details about Authorino features in general, check the [docs](../features.md).
-
- ## Requirements - Kubernetes server with permissions to install cluster-scoped resources (operator, CRDs and RBAC) diff --git a/docs/user-guides/http-basic-authentication.md b/docs/user-guides/http-basic-authentication.md index 15296fc9..5b3644f0 100644 --- a/docs/user-guides/http-basic-authentication.md +++ b/docs/user-guides/http-basic-authentication.md @@ -3,13 +3,10 @@ Turn Authorino API key `Secret`s settings into HTTP basic auth.
- - Authorino capabilities featured in this guide: - - + Authorino capabilities featured in this guide + + - Identity verification & authentication → [API key](../features.md#api-key-authenticationapikey) + - Authorization → [Pattern-matching authorization](../features.md#pattern-matching-authorization-authorizationpatternmatching) HTTP "Basic" Authentication ([RFC 7235](https://datatracker.ietf.org/doc/html/rfc7235)) is not recommended if you can afford other more secure methods such as OpenID Connect. To support legacy nonetheless it is sometimes necessary to implement it. @@ -20,8 +17,6 @@ Turn Authorino API key `Secret`s settings into HTTP basic auth. For further details about Authorino features in general, check the [docs](../features.md).
-
- ## Requirements - Kubernetes server with permissions to install cluster-scoped resources (operator, CRDs and RBAC) diff --git a/docs/user-guides/injecting-data.md b/docs/user-guides/injecting-data.md index 63e1a8f4..356a9e5e 100644 --- a/docs/user-guides/injecting-data.md +++ b/docs/user-guides/injecting-data.md @@ -3,13 +3,10 @@ Inject HTTP headers with serialized JSON content.
- - Authorino capabilities featured in this guide: - - + Authorino capabilities featured in this guide + + - Dynamic response → [JSON injection](../features.md#json-injection-responsesuccessheadersdynamicmetadatajson) + - Identity verification & authentication → [API key](../features.md#api-key-authenticationapikey) Inject serialized custom JSON objects as HTTP request headers. Values can be static or fetched from the [Authorization JSON](../architecture.md#the-authorization-json). @@ -18,8 +15,6 @@ Inject HTTP headers with serialized JSON content. For further details about Authorino features in general, check the [docs](../features.md).
-
- ## Requirements - Kubernetes server with permissions to install cluster-scoped resources (operator, CRDs and RBAC) diff --git a/docs/user-guides/json-pattern-matching-authorization.md b/docs/user-guides/json-pattern-matching-authorization.md index 90dcfe6e..cae98d02 100644 --- a/docs/user-guides/json-pattern-matching-authorization.md +++ b/docs/user-guides/json-pattern-matching-authorization.md @@ -3,13 +3,10 @@ Write simple authorization rules based on JSON patterns matched against Authorino's Authorization JSON; check contextual information of the request, validate JWT claims, cross metadata fetched from external sources, etc.
- - Authorino capabilities featured in this guide: - - + Authorino capabilities featured in this guide + + - Authorization → [Pattern-matching authorization](../features.md#pattern-matching-authorization-authorizationpatternmatching) + - Identity verification & authentication → [JWT verification](../features.md#jwt-verification-authenticationjwt) Authorino provides a built-in authorization module to check simple pattern-matching rules against the [Authorization JSON](../architecture.md#the-authorization-json). This is an alternative to [OPA](../features.md#open-policy-agent-opa-rego-policies-authorizationopa) when all you want is to check for some simple rules, without complex logics, such as match the value of a JWT claim. @@ -18,8 +15,6 @@ Write simple authorization rules based on JSON patterns matched against Authorin For further details about Authorino features in general, check the [docs](../features.md).
-
- ## Requirements - Kubernetes server with permissions to install cluster-scoped resources (operator, CRDs and RBAC) diff --git a/docs/user-guides/keycloak-authorization-services.md b/docs/user-guides/keycloak-authorization-services.md index 231494e6..3b03f743 100644 --- a/docs/user-guides/keycloak-authorization-services.md +++ b/docs/user-guides/keycloak-authorization-services.md @@ -5,19 +5,15 @@ Keycloak provides a powerful set of tools (REST endpoints and administrative UIs This user guide is an example of how to use Authorino as an adapter to Keycloak Authorization Services while still relying on the reverse-proxy integration pattern, thus not involving importing an authorization library nor rebuilding the application's code.
- - Authorino capabilities featured in this guide: - - + Authorino capabilities featured in this guide + + - Identity verification & authentication → [JWT verification](../features.md#jwt-verification-authenticationjwt) + - Authorization → [Open Policy Agent (OPA) Rego policies](../features.md#open-policy-agent-opa-rego-policies-authorizationopa) + For further details about Authorino features in general, check the [docs](../features.md).
-
- ## Requirements - Kubernetes server with permissions to install cluster-scoped resources (operator, CRDs and RBAC) diff --git a/docs/user-guides/kubernetes-subjectaccessreview.md b/docs/user-guides/kubernetes-subjectaccessreview.md index 43fd36c9..a4578dbd 100644 --- a/docs/user-guides/kubernetes-subjectaccessreview.md +++ b/docs/user-guides/kubernetes-subjectaccessreview.md @@ -3,13 +3,11 @@ Manage permissions in the Kubernetes RBAC and let Authorino to check them in request-time with the authorization system of the cluster.
- - Authorino capabilities featured in this guide: - - + Authorino capabilities featured in this guide + + - Authorization → [Kubernetes SubjectAccessReview](../features.md#kubernetes-subjectaccessreview-authorizationkubernetessubjectaccessreview) + - Identity verification & authentication → [Kubernetes TokenReview](../features.md#kubernetes-tokenreview-authenticationkubernetestokenreview) + Authorino can delegate authorization decision to the Kubernetes authorization system, allowing permissions to be stored and managed using the Kubernetes Role-Based Access Control (RBAC) for example. The feature is based on the `SubjectAccessReview` API and can be used for `resourceAttributes` (parameters defined in the `AuthConfig`) or `nonResourceAttributes` (inferring HTTP path and verb from the original request). @@ -18,8 +16,6 @@ Manage permissions in the Kubernetes RBAC and let Authorino to check them in req For further details about Authorino features in general, check the [docs](../features.md).
-
- ## Requirements - Kubernetes server with permissions to install cluster-scoped resources (operator, CRDs and RBAC) and to create `TokenRequest`s (to consume the protected service from outside the cluster) diff --git a/docs/user-guides/kubernetes-tokenreview.md b/docs/user-guides/kubernetes-tokenreview.md index a70caa9f..bb841577 100644 --- a/docs/user-guides/kubernetes-tokenreview.md +++ b/docs/user-guides/kubernetes-tokenreview.md @@ -3,12 +3,9 @@ Validate Kubernetes Service Account tokens to authenticate requests to your protected hosts.
- - Authorino capabilities featured in this guide: - - + Authorino capabilities featured in this guide + + - Identity verification & authentication → [Kubernetes TokenReview](../features.md#kubernetes-tokenreview-authenticationkubernetestokenreview) Authorino can verify Kubernetes-valid access tokens (using Kubernetes [TokenReview](https://kubernetes.io/docs/reference/kubernetes-api/authentication-resources/token-review-v1) API). @@ -19,8 +16,6 @@ Validate Kubernetes Service Account tokens to authenticate requests to your prot For further details about Authorino features in general, check the [docs](../features.md).
-
- ## Requirements - Kubernetes server with permissions to install cluster-scoped resources (operator, CRDs and RBAC) and to create `TokenRequest`s (to consume the protected service from outside the cluster) diff --git a/docs/user-guides/mtls-authentication.md b/docs/user-guides/mtls-authentication.md index 617cdf5f..62932913 100644 --- a/docs/user-guides/mtls-authentication.md +++ b/docs/user-guides/mtls-authentication.md @@ -3,13 +3,10 @@ Verify client X.509 certificates against trusted root CAs stored in Kubernetes `Secret`s to authenticate access to APIs protected with Authorino.
- - Authorino capabilities featured in this guide: - - + Authorino capabilities featured in this guide + + - Identity verification & authentication → [X.509 client certificate authentication](../features.md#x509-client-certificate-authentication-authenticationx509) + - Authorization → [Pattern-matching authorization](../features.md#pattern-matching-authorization-authorizationpatternmatching) Authorino can verify x509 certificates presented by clients for authentication on the request to the protected APIs, at application level. @@ -18,8 +15,6 @@ Verify client X.509 certificates against trusted root CAs stored in Kubernetes ` For further details about Authorino features in general, check the [docs](../features.md).
-
- ## Requirements - Kubernetes server with permissions to install cluster-scoped resources (operator, CRDs and RBAC) diff --git a/docs/user-guides/oauth2-token-introspection.md b/docs/user-guides/oauth2-token-introspection.md index 4980a0c0..9df50786 100644 --- a/docs/user-guides/oauth2-token-introspection.md +++ b/docs/user-guides/oauth2-token-introspection.md @@ -3,13 +3,10 @@ Introspect OAuth 2.0 access tokens (e.g. opaque tokens) for online user data and token validation in request-time.
- - Authorino capabilities featured in this guide: - - + Authorino capabilities featured in this guide + + - Identity verification & authentication → [OAuth 2.0 introspection](../features.md#oauth-20-introspection-authenticationoauth2introspection) + - Authorization → [Pattern-matching authorization](../features.md#pattern-matching-authorization-authorizationpatternmatching) Authorino can perform OAuth 2.0 token introspection ([RFC 7662](https://tools.ietf.org/html/rfc7662)) on the access tokens supplied in the requests to protected APIs. This is particularly useful when using opaque tokens, for remote checking the token validity and resolving the identity object. @@ -20,8 +17,6 @@ Introspect OAuth 2.0 access tokens (e.g. opaque tokens) for online user data and For further details about Authorino features in general, check the [docs](../features.md).
-
- ## Requirements - Kubernetes server with permissions to install cluster-scoped resources (operator, CRDs and RBAC) diff --git a/docs/user-guides/oidc-jwt-authentication.md b/docs/user-guides/oidc-jwt-authentication.md index 62bd3255..1803d051 100644 --- a/docs/user-guides/oidc-jwt-authentication.md +++ b/docs/user-guides/oidc-jwt-authentication.md @@ -3,12 +3,9 @@ Validate JSON Web Tokens (JWT) issued and signed by an OpenID Connect server; leverage OpenID Connect Discovery to automatically fetch JSON Web Key Sets (JWKS).
- - Authorino capabilities featured in this guide: - - + Authorino capabilities featured in this guide + + - Identity verification & authentication → [JWT verification](../features.md#jwt-verification-authenticationjwt) Authorino validates JSON Web Tokens (JWT) issued by an OpenID Connect server that implements OpenID Connect Discovery. Authorino fetches the OpenID Connect configuration and JSON Web Key Set (JWKS) from the issuer endpoint, and verifies the JSON Web Signature (JWS) and time validity of the token. @@ -17,8 +14,6 @@ Validate JSON Web Tokens (JWT) issued and signed by an OpenID Connect server; le For further details about Authorino features in general, check the [docs](../features.md).
-
- ## Requirements - Kubernetes server with permissions to install cluster-scoped resources (operator, CRDs and RBAC) diff --git a/docs/user-guides/oidc-rbac.md b/docs/user-guides/oidc-rbac.md index 29a54357..e4742847 100644 --- a/docs/user-guides/oidc-rbac.md +++ b/docs/user-guides/oidc-rbac.md @@ -5,21 +5,16 @@ Combine OpenID Connect (OIDC) authentication and Role-Based Access Control (RBAC In this user guide, you will learn via example how to implement a simple Role-Based Access Control (RBAC) system to protect endpoints of an API, with roles assigned to users of an Identity Provider (Keycloak) and carried within the access tokens as JSON Web Token (JWT) claims. Users authenticate with the IdP via OAuth2/OIDC flow and get their access tokens verified and validated by Authorino on every request. Moreover, Authorino reads the role bindings of the user and enforces the proper RBAC rules based upon the context.
- - Authorino capabilities featured in this guide: - - + Authorino capabilities featured in this guide + + - Identity verification & authentication → [JWT verification](../features.md#jwt-verification-authenticationjwt) + - Authorization → [Pattern-matching authorization](../features.md#pattern-matching-authorization-authorizationpatternmatching) Check out as well the user guides about [OpenID Connect Discovery and authentication with JWTs](oidc-jwt-authentication.md) and [Simple pattern-matching authorization policies](json-pattern-matching-authorization.md). For further details about Authorino features in general, check the [docs](../features.md).
-
- ## Requirements - Kubernetes server with permissions to install cluster-scoped resources (operator, CRDs and RBAC) diff --git a/docs/user-guides/oidc-user-info.md b/docs/user-guides/oidc-user-info.md index 1e1bcd8b..18e56cb1 100644 --- a/docs/user-guides/oidc-user-info.md +++ b/docs/user-guides/oidc-user-info.md @@ -3,14 +3,11 @@ Fetch user info for OpenID Connect ID tokens in request-time for extra metadata for your policies and online verification of token validity.
- - Authorino capabilities featured in this guide: - - + Authorino capabilities featured in this guide + + - External auth metadata → [OIDC UserInfo](../features.md#oidc-userinfo-metadatauserinfo) + - Identity verification & authentication → [JWT verification](../features.md#jwt-verification-authenticationjwt) + - Authorization → [Pattern-matching authorization](../features.md#pattern-matching-authorization-authorizationpatternmatching) Apart from possibly complementing information of the JWT, fetching OpenID Connect UserInfo in request-time can be particularly useful for remote checking the state of the session, as opposed to only verifying the JWT/JWS offline. Implementation requires an OpenID Connect issuer ([`spec.identity.oidc`](#openid-connect-oidc-jwtjose-verification-and-validation-identityoidc)) configured in the same `AuthConfig`. @@ -19,8 +16,6 @@ Fetch user info for OpenID Connect ID tokens in request-time for extra metadata For further details about Authorino features in general, check the [docs](../features.md).
-
- ## Requirements - Kubernetes server with permissions to install cluster-scoped resources (operator, CRDs and RBAC) diff --git a/docs/user-guides/opa-authorization.md b/docs/user-guides/opa-authorization.md index 83d66f56..c5cd8a4c 100644 --- a/docs/user-guides/opa-authorization.md +++ b/docs/user-guides/opa-authorization.md @@ -3,13 +3,10 @@ Leverage the power of Open Policy Agent (OPA) policies, evaluated against Authorino's Authorization JSON in a built-in runtime compiled together with Authorino; pre-cache policies defined in Rego language inline or fetched from an external policy registry.
- - Authorino capabilities featured in this guide: - - + Authorino capabilities featured in this guide + + - Authorization → [Open Policy Agent (OPA) Rego policies](../features.md#open-policy-agent-opa-rego-policies-authorizationopa) + - Identity verification & authentication → [API key](../features.md#api-key-authenticationapikey) Authorino supports [Open Policy Agent](https://www.openpolicyagent.org) policies, either inline defined in [Rego language](https://www.openpolicyagent.org/docs/latest/policy-language) as part of the `AuthConfig` or fetched from an external endpoint, such as an OPA Policy Registry. @@ -20,8 +17,6 @@ Leverage the power of Open Policy Agent (OPA) policies, evaluated against Author For further details about Authorino features in general, check the [docs](../features.md).
-
- ## Requirements - Kubernetes server with permissions to install cluster-scoped resources (operator, CRDs and RBAC) diff --git a/docs/user-guides/passing-credentials.md b/docs/user-guides/passing-credentials.md index 6d9afbbf..cdd0a1b3 100644 --- a/docs/user-guides/passing-credentials.md +++ b/docs/user-guides/passing-credentials.md @@ -3,13 +3,10 @@ Customize where credentials are supplied in the request by each trusted source of identity.
- - Authorino capabilities featured in this guide: -
    -
  • Identity verification & authentication → Auth credentials
  • -
  • Identity verification & authentication → API key
  • -
-
+ Authorino capabilities featured in this guide + + - Identity verification & authentication →[Auth credentials](../features.md#extra-auth-credentials-authenticationcredentials) + - Identity verification & authentication →[API key](../features.md#api-key-authenticationapikey) Authentication tokens can be supplied in the `Authorization` header, in a custom header, cookie or query string parameter. @@ -18,8 +15,6 @@ Customize where credentials are supplied in the request by each trusted source o For further details about Authorino features in general, check the [docs](../features.md).
-
- ## Requirements - Kubernetes server with permissions to install cluster-scoped resources (operator, CRDs and RBAC) diff --git a/docs/user-guides/resource-level-authorization-uma.md b/docs/user-guides/resource-level-authorization-uma.md index f66f178f..84a6dae1 100644 --- a/docs/user-guides/resource-level-authorization-uma.md +++ b/docs/user-guides/resource-level-authorization-uma.md @@ -3,22 +3,17 @@ Fetch resource metadata relevant for your authorization policies from Keycloak authorization clients, using User-Managed Access (UMA) protocol.
- - Authorino capabilities featured in this guide: - - + Authorino capabilities featured in this guide + + - External auth metadata → [User-Managed Access (UMA) resource registry](../features.md#user-managed-access-uma-resource-registry-metadatauma) + - Identity verification & authentication → [JWT verification](../features.md#jwt-verification-authenticationjwt) + - Authorization → [Open Policy Agent (OPA) Rego policies](../features.md#open-policy-agent-opa-rego-policies-authorizationopa) Check out as well the user guides about [OpenID Connect Discovery and authentication with JWTs](oidc-jwt-authentication.md) and [Open Policy Agent (OPA) Rego policies](opa-authorization.md). For further details about Authorino features in general, check the [docs](../features.md).
-
- ## Requirements - Kubernetes server with permissions to install cluster-scoped resources (operator, CRDs and RBAC) diff --git a/docs/user-guides/sharding.md b/docs/user-guides/sharding.md index f42b9b0d..9f403d6d 100644 --- a/docs/user-guides/sharding.md +++ b/docs/user-guides/sharding.md @@ -19,20 +19,16 @@ By default, Authorino will watch events related to all `AuthConfig` custom resou
- - Authorino capabilities featured in this guide: - - + Authorino capabilities featured in this guide + + - [Sharding](https://docs.kuadrant.io/authorino/docs/architecture#sharding) + - Identity verification & authentication →[API key](https://docs.kuadrant.io/authorino/docs/features#api-key-authenticationapikey) + Check out as well the user guide about [Authentication with API keys](api-key-authentication.md). For further details about Authorino features in general, check the [docs](../features.md).
-
- ## Requirements - Kubernetes server with permissions to install cluster-scoped resources (operator, CRDs and RBAC) diff --git a/docs/user-guides/token-normalization.md b/docs/user-guides/token-normalization.md index 472da5fd..6ea5eda9 100644 --- a/docs/user-guides/token-normalization.md +++ b/docs/user-guides/token-normalization.md @@ -9,23 +9,18 @@ This user guide focuses on the aspect of mutation of the identity claims resolve For not only normalizing the identity claims for purpose of writing simpler authorization checks and policies, but also getting Authorino to issue a new token in a normalized format, check the [Festival Wristband tokens](../features.md#festival-wristband-tokens-responsesuccessheadersdynamicmetadatawristband) feature.
- - Authorino capabilities featured in this guide: - - + Authorino capabilities featured in this guide + + - Identity verification & authentication → [Identity extension](../features.md#extra-identity-extension-authenticationdefaults-and-authenticationoverrides) + - Identity verification & authentication → [API key](../features.md#api-key-authenticationapikey) + - Identity verification & authentication → [JWT verification](../features.md#jwt-verification-authenticationjwt) + - Authorization → [Pattern-matching authorization](../features.md#pattern-matching-authorization-authorizationpatternmatching) Check out as well the user guides about [Authentication with API keys](api-key-authentication.md), [OpenID Connect Discovery and authentication with JWTs](oidc-jwt-authentication.md) and [Simple pattern-matching authorization policies](json-pattern-matching-authorization.md). For further details about Authorino features in general, check the [docs](../features.md).
-
- ## Requirements - Kubernetes server with permissions to install cluster-scoped resources (operator, CRDs and RBAC) diff --git a/docs/user-guides/validating-webhook.md b/docs/user-guides/validating-webhook.md index 90e2e428..3fbda19c 100644 --- a/docs/user-guides/validating-webhook.md +++ b/docs/user-guides/validating-webhook.md @@ -7,26 +7,21 @@ The rules to validate a request to the Kubernetes API – typically a `POST`, `P This user guide provides an example of using Authorino as a Kubernetes ValidatingWebhook service that validates requests to `CREATE` and `UPDATE` Authorino `AuthConfig` resources. In other words, we will use Authorino as a validator inside the cluster that decides what is a valid AuthConfig for any application which wants to rely on Authorino to protect itself.
- - Authorino capabilities featured in this guide: - - + Authorino capabilities featured in this guide + + - Identity verification & authentication → [Plain](../features.md#plain-authenticationplain) + - Identity verification & authentication → [Kubernetes TokenReview](../features.md#kubernetes-tokenreview-authenticationkubernetestokenreview) + - Identity verification & authentication → [API key](../features.md#api-key-authenticationapikey) + - External auth metadata → [HTTP GET/GET-by-POST](../features.md#http-getget-by-post-metadatahttp) + - Authorization → [Kubernetes SubjectAccessReview](../features.md#kubernetes-subjectaccessreview-authorizationkubernetessubjectaccessreview) + - Authorization → [Open Policy Agent (OPA) Rego policies](../features.md#open-policy-agent-opa-rego-policies-authorizationopa) + - Dynamic response → [Festival Wristband tokens](../features.md#festival-wristband-tokens-responsesuccessheadersdynamicmetadatawristband) + - Common feature → [Conditions](../features.md#common-feature-conditions-when) + - Common feature → [Priorities](../features.md#common-feature-priorities) For further details about Authorino features in general, check the [docs](../features.md).
-
- ## Requirements - Kubernetes server with permissions to install cluster-scoped resources (operator, CRDs and RBAC)