Host override via context extension¶
By default, Authorino uses the host information of the HTTP request (Attributes.Http.Host
) to lookup for an indexed AuthConfig to be enforced1. The host info be overridden by supplying a host
entry as a (per-route) context extension (Attributes.ContextExtensions
), which takes precedence whenever present.
Overriding the host attribute of the HTTP request can be useful to support use cases such as of path prefix-based lookup and wildcard subdomains lookup.
⚠️ Important: This feature may not be available to users of Authorino via Kuadrant. |
In this guide:
- Example of host override for path prefix-based lookup
- Example of host override for wildcard subdomain lookup
Example of host override for path prefix-based lookup¶
In this use case, 2 different APIs (i.e. Dogs API and Cats API) are served under the same base domain, and differentiated by the path prefix:
pets.com/dogs
→ Dogs APIpets.com/cats
→ Cats API
Edit the Envoy config to extend the external authorization settings at the level of the routes, with the host
value that will be favored by Authorino before the actual host attribute of the HTTP request:
virtual_hosts:
- name: pets-api
domains: ['pets.com']
routes:
- match:
prefix: /dogs
route:
cluster: dogs-api
typed_per_filter_config:
envoy.filters.http.ext_authz:
\"@type\": type.googleapis.com/envoy.extensions.filters.http.ext_authz.v3.ExtAuthzPerRoute
check_settings:
context_extensions:
host: dogs.pets.com
- match:
prefix: /cats
route:
cluster: cats-api
typed_per_filter_config:
envoy.filters.http.ext_authz:
\"@type\": type.googleapis.com/envoy.extensions.filters.http.ext_authz.v3.ExtAuthzPerRoute
check_settings:
context_extensions:
host: cats.pets.com
Create the AuthConfig for the Pets API:
apiVersion: authorino.kuadrant.io/v1beta3
kind: AuthConfig
metadata:
name: dogs-api-protection
spec:
hosts:
- dogs.pets.com
authentication: [...]
Create the AuthConfig for the Cats API:
apiVersion: authorino.kuadrant.io/v1beta3
kind: AuthConfig
metadata:
name: cats-api-protection
spec:
hosts:
- cats.pets.com
authentication: [...]
Notice that the host subdomains dogs.pets.com
and cats.pets.com
are not really requested by the API consumers. Rather, users send requests to pets.com/dogs
and pets.com/cats
. When routing those requests, Envoy makes sure to inject the corresponding context extensions that will induce the right lookup in Authorino.
Example of host override for wildcard subdomain lookup¶
In this use case, a single Pets API serves requests for any subdomain that matches *.pets.com
, e.g.:
dogs.pets.com
→ Pets APIcats.pets.com
→ Pets API
Edit the Envoy config to extend the external authorization settings at the level of the virtual host, with the host
value that will be favored by Authorino before the actual host attribute of the HTTP request:
virtual_hosts:
- name: pets-api
domains: ['*.pets.com']
typed_per_filter_config:
envoy.filters.http.ext_authz:
\"@type\": type.googleapis.com/envoy.extensions.filters.http.ext_authz.v3.ExtAuthzPerRoute
check_settings:
context_extensions:
host: pets.com
routes:
- match:
prefix: /
route:
cluster: pets-api
The host
context extension used above is any key that matches one of the hosts listed in the targeted AuthConfig.
Create the AuthConfig for the Pets API:
apiVersion: authorino.kuadrant.io/v1beta3
kind: AuthConfig
metadata:
name: pets-api-protection
spec:
hosts:
- pets.com
authentication: [...]
Notice that requests to dogs.pets.com
and to cats.pets.com
are all routed by Envoy to the same API, with same external authorization configuration. in all the cases, Authorino will lookup for the indexed AuthConfig associated with pets.com
. The same is valid for a request sent, e.g., to birds.pets.com
.
-
For further details about Authorino lookup of AuthConfig, check out Host lookup. ↩