This repository has been archived by the owner on Dec 7, 2020. It is now read-only.
Support for Forward Auth
Summary
Based on the comment from #501, this is a new issue to discuss the capability of forward-auth within Louketo-proxy.
As far as I understand, Louketo proxy partially supports forward auth already; there are multiple issues and PRs related to it (#399, #501, #505, #658), which suggests that multiple users have tried it with mixed results.
Forward auth docs from popular ingresses: https://docs.traefik.io/middlewares/forwardauth/ https://www.envoyproxy.io/docs/envoy/latest/api-v2/config/filter/http/ext_authz/v2/ext_authz.proto
Why?
This enables a separation of concerns, decoupling the proxy from ingress related responsibilities. It also allows for one louketo-proxy to be used to protect multiple upstream services.
This feature is available and is documented in other popular proxies: https://www.pomerium.io/configuration/#forward-auth https://github.com/thomseddon/traefik-forward-auth
How
I think that the upstream URI upstream-url needs to be set as optional in forward-auth mode, as it is not required for the forward auth use case.
I am not clear on what else needs to change to make this compatible.
Acceptance criteria
Using Louketo proxy along with Traefik or Envoy in forward auth mode works as expected (authenticating requests).
One proxy should be able to handle requests for multiple services, aka, an instance is not required for each upstream service being protected.
The process of using forward auth with louketo-proxy should be well documented, preferably with a simple docker-compose example to help users with the initial configuration.
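The forward-auth contract described in this issue, as an added Go example (not Louketo's code and not part of the original issue): one decision-only endpoint that serves several protected hosts and needs no upstream URL. `ForwardAuth`, `Verifier`, the `X-Auth-Subject` header, the hostnames and the token are hypothetical names and constructed values; `X-Forwarded-Host` is the header Traefik's ForwardAuth middleware sends.

```go
package main

import (
	"crypto/subtle"
	"log"
	"net/http"
	"strings"
)

// Verifier validates a bearer token and returns its subject.
// Hypothetical hook: a real deployment would verify an OIDC token here.
type Verifier func(token string) (subject string, ok bool)

// ForwardAuth returns a decision-only handler. It never proxies traffic, so
// it has no upstream URL; the ingress calls it and acts on the status code.
func ForwardAuth(protected map[string]bool, verify Verifier) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		// Set by the ingress. Trustworthy only if clients cannot reach this
		// endpoint directly and supply their own X-Forwarded-* headers.
		host := strings.ToLower(r.Header.Get("X-Forwarded-Host"))
		if !protected[host] {
			// Fail closed for hosts this instance was not configured for.
			http.Error(w, "unknown host", http.StatusForbidden)
			return
		}
		auth := r.Header.Get("Authorization")
		token := strings.TrimPrefix(auth, "Bearer ")
		if !strings.HasPrefix(auth, "Bearer ") || token == "" {
			w.Header().Set("WWW-Authenticate", "Bearer")
			http.Error(w, "authentication required", http.StatusUnauthorized)
			return
		}
		subject, ok := verify(token)
		if !ok {
			http.Error(w, "invalid token", http.StatusUnauthorized)
			return
		}
		// Hypothetical header name; the ingress can copy it to the upstream.
		w.Header().Set("X-Auth-Subject", subject)
		w.WriteHeader(http.StatusOK)
	})
}

func main() {
	// Constructed sample policy and verifier, for illustration only.
	hosts := map[string]bool{"app1.example.test": true, "app2.example.test": true}
	demo := []byte("constructed-demo-token")
	verify := func(t string) (string, bool) { return "alice", subtle.ConstantTimeCompare([]byte(t), demo) == 1 }
	log.Fatal(http.ListenAndServe("127.0.0.1:4180", ForwardAuth(hosts, verify)))
}
```

A 2xx response lets the ingress pass the original request to whichever upstream it routes that host to; any other status is returned to the client.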