gogatekeeper / gatekeeper

An OpenID / Proxy service
https://gogatekeeper.github.io/gatekeeper/
Apache License 2.0

Basic auth translation mode #22

Open yyunikov opened 3 years ago

yyunikov commented 3 years ago

Title

Basic auth translation mode

Summary

I'm looking for a way to use basic auth on the Gatekeeper proxy using a central identity server such as Keycloak:

Such an implementation is available in the Keycloak Java adapter with the enable-basic-auth flag.

Looking to get some feedback on this.

Why?

Some external solutions, such as Prometheus, don't support OAuth directly, and therefore there is no way to use one identity server for everything. Such a mode would help to integrate more solutions in the same way.

How

This can be added to Gatekeeper in a similar way to the Java adapter (e.g. --enable-basic-auth) and optionally support a hardcoded username / password. By default it can make a call to the OAuth server to verify credentials.

Acceptance criteria

TBD

Additional Information

Something similar was requested on OAuth proxy.

p53 commented 3 years ago

  1. I understand this is the simplest solution for integrating e.g. APIs (I also made a kind of proxy like that for my app...); you don't have to request any token
  2. You can place gatekeeper in authentication proxy mode before Prometheus and on the client side use a forward-signing proxy (with resource owner credential grant setup)
  3. The problem might be that a proxy in such a mode receives everyone's credentials

yyunikov commented 3 years ago

@p53 thanks for the reply. Yes, I've considered forward proxy mode on the client side and that would indeed work. Though client-side setup should be very minimal in our use case, though it would be nice to have such an option.
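
The translation requested in the issue, together with the credential-exposure point p53 raises, as an added Go example (not gatekeeper's code and not part of the thread): a middleware that exchanges Basic credentials for a token using the OAuth2 resource owner password credentials grant and forwards only the Bearer token upstream. `BasicToBearer`, the realm name, and the endpoint and client values in `main` are assumptions made for illustration.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/http"
	"net/url"
	"time"
)

var idpClient = &http.Client{Timeout: 5 * time.Second} // bound IdP latency

// BasicToBearer is a hypothetical helper, not part of gatekeeper's API.
func BasicToBearer(tokenURL, clientID, secret string, next http.Handler) http.Handler {
	deny := func(w http.ResponseWriter) {
		w.Header().Set("WWW-Authenticate", `Basic realm="proxy"`)
		http.Error(w, "unauthorized", http.StatusUnauthorized)
	}
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		user, pass, ok := r.BasicAuth()
		if !ok || user == "" {
			deny(w)
			return
		}
		// Password grant: the proxy presents the user's credentials to the IdP.
		resp, err := idpClient.PostForm(tokenURL, url.Values{
			"grant_type": {"password"}, "username": {user}, "password": {pass},
			"client_id": {clientID}, "client_secret": {secret}})
		if err != nil {
			http.Error(w, "identity provider unavailable", http.StatusBadGateway)
			return
		}
		defer resp.Body.Close()
		var tok struct {
			AccessToken string `json:"access_token"`
		}
		if resp.StatusCode != http.StatusOK ||
			json.NewDecoder(resp.Body).Decode(&tok) != nil || tok.AccessToken == "" {
			deny(w) // never echo the IdP error or the supplied password
			return
		}
		out := r.Clone(r.Context())
		out.Header.Set("Authorization", "Bearer "+tok.AccessToken) // password stops at the proxy
		next.ServeHTTP(w, out)
	})
}

func main() { // stand-alone run; the IdP URL and client credentials are constructed
	up := http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) { fmt.Fprintln(w, "ok") })
	fmt.Println(http.ListenAndServe("127.0.0.1:8080", BasicToBearer("https://idp.example/token", "proxy", "constructed", up)))
}
```

Because the proxy handles every user's password in clear text, the listener should only be reachable over TLS, and the Authorization header and token request body should be excluded from access logs.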