From 34f7cff2ebe20475deace80f8b737b27bb36809e Mon Sep 17 00:00:00 2001 From: Jason Madigan Date: Tue, 9 Jul 2024 10:40:54 +0100 Subject: [PATCH] markdown links in summary blocks --- docs/user-guides/anonymous-access.md | 12 +++------ docs/user-guides/api-key-authentication.md | 8 ++---- ...ed-rate-limiting-envoy-dynamic-metadata.md | 12 +++------ docs/user-guides/authzed.md | 10 +++----- docs/user-guides/caching.md | 20 ++++++--------- .../deny-with-redirect-to-login.md | 12 +++------ ...cation-architecture-festival-wristbands.md | 14 ++++------- .../envoy-jwt-authn-and-authorino.md | 18 ++++++------- docs/user-guides/external-metadata.md | 20 ++++++--------- docs/user-guides/http-basic-authentication.md | 11 +++----- docs/user-guides/injecting-data.md | 11 +++----- .../json-pattern-matching-authorization.md | 11 +++----- .../keycloak-authorization-services.md | 11 +++----- .../kubernetes-subjectaccessreview.md | 16 +++++------- docs/user-guides/kubernetes-tokenreview.md | 9 +++---- docs/user-guides/mtls-authentication.md | 11 +++----- .../user-guides/oauth2-token-introspection.md | 11 +++----- docs/user-guides/observability.md | 13 +++++----- docs/user-guides/oidc-jwt-authentication.md | 9 +++---- docs/user-guides/oidc-rbac.md | 11 +++----- docs/user-guides/oidc-user-info.md | 13 ++++------ docs/user-guides/opa-authorization.md | 11 +++----- docs/user-guides/passing-credentials.md | 11 +++----- .../resource-level-authorization-uma.md | 13 ++++------ docs/user-guides/sharding.md | 11 +++----- docs/user-guides/token-normalization.md | 15 +++++------ docs/user-guides/validating-webhook.md | 25 ++++++++----------- 27 files changed, 130 insertions(+), 219 deletions(-) diff --git a/docs/user-guides/anonymous-access.md b/docs/user-guides/anonymous-access.md index 13e54a69..e1080454 100644 --- a/docs/user-guides/anonymous-access.md +++ b/docs/user-guides/anonymous-access.md 
@@ -3,14 +3,10 @@ Bypass identity verification or fall back to anonymous access when credentials fail to validate
- - Authorino capabilities featured in this guide: - - - - For further details about Authorino features in general, check the [docs](./../features.md). + Authorino capabilities featured in this guide + - Identity verification & authentication →[Anonymous access](./../features.md#anonymous-access-authenticationanonymous) + + For further details about Authorino features in general, check the [docs](./../features.md).

diff --git a/docs/user-guides/api-key-authentication.md b/docs/user-guides/api-key-authentication.md index fcf2d899..e7de9cc3 100644 --- a/docs/user-guides/api-key-authentication.md +++ b/docs/user-guides/api-key-authentication.md @@ -3,12 +3,8 @@ Issue API keys stored in Kubernetes `Secret`s for clients to authenticate with your protected hosts.
- - Authorino capabilities featured in this guide: -
    -
  • Identity verification & authentication → API key
  • -
-
+ Authorino capabilities featured in this guide + - Identity verification & authentication →[API key](../features.md#api-key-authenticationapikey) In Authorino, API keys are stored as Kubernetes `Secret`s. Each resource must contain an `api_key` entry with the value of the API key, and labeled to match the selectors specified in `spec.identity.apiKey.selector` of the `AuthConfig`. diff --git a/docs/user-guides/authenticated-rate-limiting-envoy-dynamic-metadata.md b/docs/user-guides/authenticated-rate-limiting-envoy-dynamic-metadata.md index 7d03fd5c..8d0f82cb 100644 --- a/docs/user-guides/authenticated-rate-limiting-envoy-dynamic-metadata.md +++ b/docs/user-guides/authenticated-rate-limiting-envoy-dynamic-metadata.md @@ -3,14 +3,10 @@ Provide Envoy with dynamic metadata about the external authorization process to be injected into the rate limiting filter.
- - Authorino capabilities featured in this guide: - - + Authorino capabilities featured in this guide + - Dynamic response → Response wrappers →[Envoy Dynamic Metadata](../features.md#envoy-dynamic-metadata) + - Dynamic response →[JSON injection](../features.md#json-injection-responsesuccessheadersdynamicmetadatajson) + - Identity verification & authentication →[API key](../features.md#api-key-authenticationapikey) Dynamic JSON objects built out of static values and values fetched from the [Authorization JSON](../architecture.md#the-authorization-json) can be wrapped to be returned to the reverse-proxy as Envoy Well Known Dynamic Metadata content. Envoy can use those to inject data returned by the external authorization service into the other filters, such as the rate limiting filter. diff --git a/docs/user-guides/authzed.md b/docs/user-guides/authzed.md index dc5e56ee..537ee312 100644 --- a/docs/user-guides/authzed.md +++ b/docs/user-guides/authzed.md @@ -3,13 +3,9 @@ Permission requests sent to a Google Zanzibar-based [Authzed/SpiceDB](https://authzed.com) instance, via gRPC.
- - Authorino capabilities featured in this guide: -
    -
  • Authorization → SpiceDB
  • -
  • Identity verification & authentication → API key
  • -
-
+ Authorino capabilities featured in this guide + - Authorization →[SpiceDB](../features.md#spicedb-authorizationspicedb) + - Identity verification & authentication →[API key](../features.md#api-key-authenticationapikey)

diff --git a/docs/user-guides/caching.md b/docs/user-guides/caching.md index 001fe9b5..13e59255 100644 --- a/docs/user-guides/caching.md +++ b/docs/user-guides/caching.md @@ -17,18 +17,14 @@ Cases where one will **NOT** want to enable caching, due to relatively cheap com - Anonymous access
- - Authorino capabilities featured in this guide: - - - - For further details about Authorino features in general, check the [docs](../features.md). + Authorino capabilities featured in this guide + - Common feature →[Caching](../features.md#common-feature-caching-cache) + - Identity verification & authentication →[Anonymous access](../features.md#anonymous-access-authenticationanonymous) + - External auth metadata →[HTTP GET/GET-by-POST](../features.md#http-getget-by-post-metadatahttp) + - Authorization →[Open Policy Agent (OPA) Rego policies](../features.md#open-policy-agent-opa-rego-policies-authorizationopa) + - Dynamic response →[JSON injection](../features.md#json-injection-responsesuccessheadersdynamicmetadatajson) + + For further details about Authorino features in general, check the [docs](../features.md).

diff --git a/docs/user-guides/deny-with-redirect-to-login.md b/docs/user-guides/deny-with-redirect-to-login.md index b0ebbe0e..59158592 100644 --- a/docs/user-guides/deny-with-redirect-to-login.md +++ b/docs/user-guides/deny-with-redirect-to-login.md @@ -3,14 +3,10 @@ Customize response status code and headers on failed requests to redirect users of a web application protected with Authorino to a login page instead of a `401 Unauthorized`.
- - Authorino capabilities featured in this guide: - - + Authorino capabilities featured in this guide + - Dynamic response →[Custom denial status](../features.md#custom-denial-status-responseunauthenticated-and-responseunauthorized) + - Identity verification & authentication →[API key](../features.md#api-key-authenticationapikey) + - Identity verification & authentication →[JWT verification](../features.md#jwt-verification-authenticationjwt) Authorino's default response status codes, messages and headers for unauthenticated (`401`) and unauthorized (`403`) requests can be customized with static values and values fetched from the [Authorization JSON](../architecture.md#the-authorization-json). diff --git a/docs/user-guides/edge-authentication-architecture-festival-wristbands.md b/docs/user-guides/edge-authentication-architecture-festival-wristbands.md index 95ae37c3..4f4893a4 100644 --- a/docs/user-guides/edge-authentication-architecture-festival-wristbands.md +++ b/docs/user-guides/edge-authentication-architecture-festival-wristbands.md @@ -11,15 +11,11 @@ The very definition of "edge" is subject to discussion, but the underlying idea As a minimum, EAA allows to simplify authentication between applications and microservices inside the network, as well as to reduce authorization to domain-specific rules and policies, rather than having to deal all the complexity to support all types of clients in every node.
- - Authorino capabilities featured in this guide: - - + Authorino capabilities featured in this guide + - Dynamic response →[Festival Wristband tokens](../features.md#festival-wristband-tokens-responsesuccessheadersdynamicmetadatawristband) + - Identity verification & authentication →[Identity extension](../features.md#extra-identity-extension-authenticationdefaults-and-authenticationoverrides) + - Identity verification & authentication →[API key](../features.md#api-key-authenticationapikey) + - Identity verification & authentication →[JWT verification](../features.md#jwt-verification-authenticationjwt) Festival Wristbands are OpenID Connect ID tokens (signed JWTs) issued by Authorino by the end of the Auth Pipeline, for authorized requests. It can be configured to include claims based on static values and values fetched from the [Authorization JSON](../architecture.md#the-authorization-json). diff --git a/docs/user-guides/envoy-jwt-authn-and-authorino.md b/docs/user-guides/envoy-jwt-authn-and-authorino.md index 640f3537..b4bd39ed 100644 --- a/docs/user-guides/envoy-jwt-authn-and-authorino.md +++ b/docs/user-guides/envoy-jwt-authn-and-authorino.md @@ -9,17 +9,13 @@ The policy defines a geo-fence by which only requests originated in Great Britai All requests to the Talker API will be authenticated in Envoy. However, requests to `/global` will **not** trigger the external authorization.
- - Authorino capabilities featured in this guide: - - - - For further details about Authorino features in general, check the [docs](../features.md). + Authorino capabilities featured in this guide + - Identity verification & authentication →[Plain](../features.md#plain-authenticationplain) + - External auth metadata →[HTTP GET/GET-by-POST](../features.md#http-getget-by-post-metadatahttp) + - Authorization →[Pattern-matching authorization](../features.md#pattern-matching-authorization-authorizationpatternmatching) + - Dynamic response →[Custom denial status](../features.md#custom-denial-status-responseunauthenticated-and-responseunauthorized) + + For further details about Authorino features in general, check the [docs](../features.md).

diff --git a/docs/user-guides/external-metadata.md b/docs/user-guides/external-metadata.md index 3635f269..532a66c9 100644 --- a/docs/user-guides/external-metadata.md +++ b/docs/user-guides/external-metadata.md @@ -3,22 +3,18 @@ Get online data from remote HTTP services to enhance authorization rules.
- - Authorino capabilities featured in this guide: - - + Authorino capabilities featured in this guide + - External auth metadata →[HTTP GET/GET-by-POST](../features.md#http-getget-by-post-metadatahttp) + - Identity verification & authentication →[API key](../features.md#api-key-authenticationapikey) + - Authorization →[Open Policy Agent (OPA) Rego policies](../features.md#open-policy-agent-opa-rego-policies-authorizationopa) - You can configure Authorino to fetch additional metadata from external sources in request-time, by sending either GET or POST request to an HTTP service. The service is expected to return a JSON content which is appended to the [Authorization JSON](../architecture.md#the-authorization-json), thus becoming available for usage in other configs of the Auth Pipeline, such as in authorization policies or custom responses. + You can configure Authorino to fetch additional metadata from external sources in request-time, by sending either GET or POST request to an HTTP service. The service is expected to return a JSON content which is appended to the [Authorization JSON](../architecture.md#the-authorization-json), thus becoming available for usage in other configs of the Auth Pipeline, such as in authorization policies or custom responses. - URL, parameters and headers of the request to the external source of metadata can be configured, including with dynamic values. Authentication between Authorino and the service can be set as part of these configuration options, or based on shared authentication token stored in a Kubernetes `Secret`. + URL, parameters and headers of the request to the external source of metadata can be configured, including with dynamic values. Authentication between Authorino and the service can be set as part of these configuration options, or based on shared authentication token stored in a Kubernetes `Secret`. 
- Check out as well the user guides about [Authentication with API keys](api-key-authentication.md) and [Open Policy Agent (OPA) Rego policies](opa-authorization.md). + Check out as well the user guides about [Authentication with API keys](api-key-authentication.md) and [Open Policy Agent (OPA) Rego policies](opa-authorization.md). - For further details about Authorino features in general, check the [docs](../features.md). + For further details about Authorino features in general, check the [docs](../features.md).

diff --git a/docs/user-guides/http-basic-authentication.md b/docs/user-guides/http-basic-authentication.md index 15296fc9..b0175e77 100644 --- a/docs/user-guides/http-basic-authentication.md +++ b/docs/user-guides/http-basic-authentication.md @@ -3,13 +3,10 @@ Turn Authorino API key `Secret`s settings into HTTP basic auth.
- - Authorino capabilities featured in this guide: - - +Authorino capabilities featured in this guide +- Identity verification & authentication →[API key](../features.md#api-key-authenticationapikey) +- Authorization →[Pattern-matching authorization](../features.md#pattern-matching-authorization-authorizationpatternmatching) + HTTP "Basic" Authentication ([RFC 7235](https://datatracker.ietf.org/doc/html/rfc7235)) is not recommended if you can afford other more secure methods such as OpenID Connect. To support legacy nonetheless it is sometimes necessary to implement it. diff --git a/docs/user-guides/injecting-data.md b/docs/user-guides/injecting-data.md index 63e1a8f4..c500cff5 100644 --- a/docs/user-guides/injecting-data.md +++ b/docs/user-guides/injecting-data.md @@ -3,13 +3,10 @@ Inject HTTP headers with serialized JSON content.
- - Authorino capabilities featured in this guide: - - +Authorino capabilities featured in this guide +- Dynamic response →[JSON injection](../features.md#json-injection-responsesuccessheadersdynamicmetadatajson) +- Identity verification & authentication →[API key](../features.md#api-key-authenticationapikey) + Inject serialized custom JSON objects as HTTP request headers. Values can be static or fetched from the [Authorization JSON](../architecture.md#the-authorization-json). diff --git a/docs/user-guides/json-pattern-matching-authorization.md b/docs/user-guides/json-pattern-matching-authorization.md index 90dcfe6e..4b5b2871 100644 --- a/docs/user-guides/json-pattern-matching-authorization.md +++ b/docs/user-guides/json-pattern-matching-authorization.md @@ -3,13 +3,10 @@ Write simple authorization rules based on JSON patterns matched against Authorino's Authorization JSON; check contextual information of the request, validate JWT claims, cross metadata fetched from external sources, etc.
- - Authorino capabilities featured in this guide: - - +Authorino capabilities featured in this guide +- Authorization →[Pattern-matching authorization](../features.md#pattern-matching-authorization-authorizationpatternmatching) +- Identity verification & authentication →[JWT verification](../features.md#jwt-verification-authenticationjwt) + Authorino provides a built-in authorization module to check simple pattern-matching rules against the [Authorization JSON](../architecture.md#the-authorization-json). This is an alternative to [OPA](../features.md#open-policy-agent-opa-rego-policies-authorizationopa) when all you want is to check for some simple rules, without complex logics, such as match the value of a JWT claim. diff --git a/docs/user-guides/keycloak-authorization-services.md b/docs/user-guides/keycloak-authorization-services.md index 231494e6..9bc8d95f 100644 --- a/docs/user-guides/keycloak-authorization-services.md +++ b/docs/user-guides/keycloak-authorization-services.md @@ -5,13 +5,10 @@ Keycloak provides a powerful set of tools (REST endpoints and administrative UIs This user guide is an example of how to use Authorino as an adapter to Keycloak Authorization Services while still relying on the reverse-proxy integration pattern, thus not involving importing an authorization library nor rebuilding the application's code.
- - Authorino capabilities featured in this guide: - - +Authorino capabilities featured in this guide +- Identity verification & authentication →[JWT verification](../features.md#jwt-verification-authenticationjwt) +- Authorization →[Open Policy Agent (OPA) Rego policies](../features.md#open-policy-agent-opa-rego-policies-authorizationopa) + For further details about Authorino features in general, check the [docs](../features.md).
diff --git a/docs/user-guides/kubernetes-subjectaccessreview.md b/docs/user-guides/kubernetes-subjectaccessreview.md index 43fd36c9..d1a25df8 100644 --- a/docs/user-guides/kubernetes-subjectaccessreview.md +++ b/docs/user-guides/kubernetes-subjectaccessreview.md @@ -3,13 +3,10 @@ Manage permissions in the Kubernetes RBAC and let Authorino to check them in request-time with the authorization system of the cluster.
- - Authorino capabilities featured in this guide: - - +Authorino capabilities featured in this guide +- Authorization →[Kubernetes SubjectAccessReview](../features.md#kubernetes-subjectaccessreview-authorizationkubernetessubjectaccessreview) +- Identity verification & authentication →[Kubernetes TokenReview](../features.md#kubernetes-tokenreview-authenticationkubernetestokenreview) + Authorino can delegate authorization decision to the Kubernetes authorization system, allowing permissions to be stored and managed using the Kubernetes Role-Based Access Control (RBAC) for example. The feature is based on the `SubjectAccessReview` API and can be used for `resourceAttributes` (parameters defined in the `AuthConfig`) or `nonResourceAttributes` (inferring HTTP path and verb from the original request). @@ -310,9 +307,8 @@ kubectl run speaker --attach --rm --restart=Never -q --image=quay.io/kuadrant/au ```
- Extra: consume the API as service account api-consumer-2 from outside the cluster - -
+Extra: consume the API as service accountapi-consumer-2fromoutsidethe cluster +
Obtain a short-lived access token for service account `api-consumer-2`, bound to the `talker-api-greeter` cluster role in the Kubernetes RBAC, using the Kubernetes TokenRequest API: diff --git a/docs/user-guides/kubernetes-tokenreview.md b/docs/user-guides/kubernetes-tokenreview.md index a70caa9f..89b6677c 100644 --- a/docs/user-guides/kubernetes-tokenreview.md +++ b/docs/user-guides/kubernetes-tokenreview.md @@ -3,12 +3,9 @@ Validate Kubernetes Service Account tokens to authenticate requests to your protected hosts.
- - Authorino capabilities featured in this guide: - - +Authorino capabilities featured in this guide +- Identity verification & authentication →[Kubernetes TokenReview](../features.md#kubernetes-tokenreview-authenticationkubernetestokenreview) + Authorino can verify Kubernetes-valid access tokens (using Kubernetes [TokenReview](https://kubernetes.io/docs/reference/kubernetes-api/authentication-resources/token-review-v1) API). diff --git a/docs/user-guides/mtls-authentication.md b/docs/user-guides/mtls-authentication.md index 617cdf5f..1687cd30 100644 --- a/docs/user-guides/mtls-authentication.md +++ b/docs/user-guides/mtls-authentication.md @@ -3,13 +3,10 @@ Verify client X.509 certificates against trusted root CAs stored in Kubernetes `Secret`s to authenticate access to APIs protected with Authorino.
- - Authorino capabilities featured in this guide: - - +Authorino capabilities featured in this guide +- Identity verification & authentication →[X.509 client certificate authentication](../features.md#x509-client-certificate-authentication-authenticationx509) +- Authorization →[Pattern-matching authorization](../features.md#pattern-matching-authorization-authorizationpatternmatching) + Authorino can verify x509 certificates presented by clients for authentication on the request to the protected APIs, at application level. diff --git a/docs/user-guides/oauth2-token-introspection.md b/docs/user-guides/oauth2-token-introspection.md index 4980a0c0..585d8761 100644 --- a/docs/user-guides/oauth2-token-introspection.md +++ b/docs/user-guides/oauth2-token-introspection.md @@ -3,13 +3,10 @@ Introspect OAuth 2.0 access tokens (e.g. opaque tokens) for online user data and token validation in request-time.
- - Authorino capabilities featured in this guide: - - +Authorino capabilities featured in this guide +- Identity verification & authentication →[OAuth 2.0 introspection](../features.md#oauth-20-introspection-authenticationoauth2introspection) +- Authorization →[Pattern-matching authorization](../features.md#pattern-matching-authorization-authorizationpatternmatching) + Authorino can perform OAuth 2.0 token introspection ([RFC 7662](https://tools.ietf.org/html/rfc7662)) on the access tokens supplied in the requests to protected APIs. This is particularly useful when using opaque tokens, for remote checking the token validity and resolving the identity object. diff --git a/docs/user-guides/observability.md b/docs/user-guides/observability.md index 21bd330c..5dac788f 100644 --- a/docs/user-guides/observability.md +++ b/docs/user-guides/observability.md @@ -233,7 +233,7 @@ The [Authorino Operator](https://github.com/kuadrant/authorino-operator) creates 2 Opt-in metrics: auth_server_evaluator_* metrics require authconfig.spec.(identity|metadata|authorization|response).metrics: true (default: false). This can be enforced for the entire instance (all AuthConfigs and evaluators), by setting the --deep-metrics-enabled command-line flag in the Authorino deployment.
- Example of metrics exported at the /metrics endpoint +Example of metrics exported at the/metricsendpoint ```ini # HELP controller_runtime_active_workers Number of currently used workers per controller @@ -652,7 +652,7 @@ The [Authorino Operator](https://github.com/kuadrant/authorino-operator) creates
- Example of metrics exported at the /server-metrics endpoint +Example of metrics exported at the/server-metricsendpoint ```ini # HELP auth_server_authconfig_duration_seconds Response latency of authconfig enforced by the auth server (in seconds). @@ -1238,7 +1238,7 @@ Some log messages printed by Authorino and corresponding extra values included: The examples below are all with `--log-level=debug` and `--log-mode=production`.
- Booting up the service +Booting up the service ```jsonc {"level":"info","ts":1669220526.929678,"logger":"authorino","msg":"setting instance base logger","min level":"debug","mode":"production"} @@ -1265,7 +1265,7 @@ The examples below are all with `--log-level=debug` and `--log-mode=production`.
- Reconciling an AuthConfig and 2 related API key secrets +Reconciling an AuthConfig and 2 related API key secrets ```jsonc {"level":"debug","ts":1669221208.7473805,"logger":"authorino.controller-runtime.manager.controller.authconfig.statusupdater","msg":"resource status changed","authconfig":"default/talker-api-protection","authconfig/status":{"conditions":[{"type":"Available","status":"False","lastTransitionTime":"2022-11-23T16:33:28Z","reason":"HostsNotLinked","message":"No hosts linked to the resource"},{"type":"Ready","status":"False","lastTransitionTime":"2022-11-23T16:33:28Z","reason":"Unknown"}],"summary":{"ready":false,"hostsReady":[],"numHostsReady":"0/1","numIdentitySources":1,"numMetadataSources":0,"numAuthorizationPolicies":0,"numResponseItems":0,"festivalWristbandEnabled":false}}} @@ -1287,9 +1287,8 @@ The examples below are all with `--log-level=debug` and `--log-mode=production`.
- Enforcing an AuthConfig with authentication based on Kubernetes tokens: - -
+Enforcing an AuthConfig with authentication based on Kubernetes tokens: +
- identity: k8s-auth, oidc, oauth2, apikey - metadata: http, oidc userinfo diff --git a/docs/user-guides/oidc-jwt-authentication.md b/docs/user-guides/oidc-jwt-authentication.md index 62bd3255..11634071 100644 --- a/docs/user-guides/oidc-jwt-authentication.md +++ b/docs/user-guides/oidc-jwt-authentication.md @@ -3,12 +3,9 @@ Validate JSON Web Tokens (JWT) issued and signed by an OpenID Connect server; leverage OpenID Connect Discovery to automatically fetch JSON Web Key Sets (JWKS).
- - Authorino capabilities featured in this guide: - - +Authorino capabilities featured in this guide +- Identity verification & authentication →[JWT verification](../features.md#jwt-verification-authenticationjwt) + Authorino validates JSON Web Tokens (JWT) issued by an OpenID Connect server that implements OpenID Connect Discovery. Authorino fetches the OpenID Connect configuration and JSON Web Key Set (JWKS) from the issuer endpoint, and verifies the JSON Web Signature (JWS) and time validity of the token. diff --git a/docs/user-guides/oidc-rbac.md b/docs/user-guides/oidc-rbac.md index 29a54357..3a1b0faa 100644 --- a/docs/user-guides/oidc-rbac.md +++ b/docs/user-guides/oidc-rbac.md @@ -5,13 +5,10 @@ Combine OpenID Connect (OIDC) authentication and Role-Based Access Control (RBAC In this user guide, you will learn via example how to implement a simple Role-Based Access Control (RBAC) system to protect endpoints of an API, with roles assigned to users of an Identity Provider (Keycloak) and carried within the access tokens as JSON Web Token (JWT) claims. Users authenticate with the IdP via OAuth2/OIDC flow and get their access tokens verified and validated by Authorino on every request. Moreover, Authorino reads the role bindings of the user and enforces the proper RBAC rules based upon the context.
- - Authorino capabilities featured in this guide: - - +Authorino capabilities featured in this guide +- Identity verification & authentication →[JWT verification](../features.md#jwt-verification-authenticationjwt) +- Authorization →[Pattern-matching authorization](../features.md#pattern-matching-authorization-authorizationpatternmatching) + Check out as well the user guides about [OpenID Connect Discovery and authentication with JWTs](oidc-jwt-authentication.md) and [Simple pattern-matching authorization policies](json-pattern-matching-authorization.md). diff --git a/docs/user-guides/oidc-user-info.md b/docs/user-guides/oidc-user-info.md index 1e1bcd8b..43aa21de 100644 --- a/docs/user-guides/oidc-user-info.md +++ b/docs/user-guides/oidc-user-info.md @@ -3,14 +3,11 @@ Fetch user info for OpenID Connect ID tokens in request-time for extra metadata for your policies and online verification of token validity.
- - Authorino capabilities featured in this guide: - - +Authorino capabilities featured in this guide +- External auth metadata →[OIDC UserInfo](../features.md#oidc-userinfo-metadatauserinfo) +- Identity verification & authentication →[JWT verification](../features.md#jwt-verification-authenticationjwt) +- Authorization →[Pattern-matching authorization](../features.md#pattern-matching-authorization-authorizationpatternmatching) + Apart from possibly complementing information of the JWT, fetching OpenID Connect UserInfo in request-time can be particularly useful for remote checking the state of the session, as opposed to only verifying the JWT/JWS offline. Implementation requires an OpenID Connect issuer ([`spec.identity.oidc`](#openid-connect-oidc-jwtjose-verification-and-validation-identityoidc)) configured in the same `AuthConfig`. diff --git a/docs/user-guides/opa-authorization.md b/docs/user-guides/opa-authorization.md index 83d66f56..2f92e15f 100644 --- a/docs/user-guides/opa-authorization.md +++ b/docs/user-guides/opa-authorization.md @@ -3,13 +3,10 @@ Leverage the power of Open Policy Agent (OPA) policies, evaluated against Authorino's Authorization JSON in a built-in runtime compiled together with Authorino; pre-cache policies defined in Rego language inline or fetched from an external policy registry.
- - Authorino capabilities featured in this guide: - - +Authorino capabilities featured in this guide +- Authorization →[Open Policy Agent (OPA) Rego policies](../features.md#open-policy-agent-opa-rego-policies-authorizationopa) +- Identity verification & authentication →[API key](../features.md#api-key-authenticationapikey) + Authorino supports [Open Policy Agent](https://www.openpolicyagent.org) policies, either inline defined in [Rego language](https://www.openpolicyagent.org/docs/latest/policy-language) as part of the `AuthConfig` or fetched from an external endpoint, such as an OPA Policy Registry. diff --git a/docs/user-guides/passing-credentials.md b/docs/user-guides/passing-credentials.md index 6d9afbbf..8dbe1e79 100644 --- a/docs/user-guides/passing-credentials.md +++ b/docs/user-guides/passing-credentials.md @@ -3,13 +3,10 @@ Customize where credentials are supplied in the request by each trusted source of identity.
- - Authorino capabilities featured in this guide: -
    -
  • Identity verification & authentication → Auth credentials
  • -
  • Identity verification & authentication → API key
  • -
-
+Authorino capabilities featured in this guide +- Identity verification & authentication →[Auth credentials](../features.md#extra-auth-credentials-authenticationcredentials) +- Identity verification & authentication →[API key](../features.md#api-key-authenticationapikey) + Authentication tokens can be supplied in the `Authorization` header, in a custom header, cookie or query string parameter. diff --git a/docs/user-guides/resource-level-authorization-uma.md b/docs/user-guides/resource-level-authorization-uma.md index f66f178f..b6b66917 100644 --- a/docs/user-guides/resource-level-authorization-uma.md +++ b/docs/user-guides/resource-level-authorization-uma.md @@ -3,14 +3,11 @@ Fetch resource metadata relevant for your authorization policies from Keycloak authorization clients, using User-Managed Access (UMA) protocol.
- - Authorino capabilities featured in this guide: - - +Authorino capabilities featured in this guide +- External auth metadata →[User-Managed Access (UMA) resource registry](../features.md#user-managed-access-uma-resource-registry-metadatauma) +- Identity verification & authentication →[JWT verification](../features.md#jwt-verification-authenticationjwt) +- Authorization →[Open Policy Agent (OPA) Rego policies](../features.md#open-policy-agent-opa-rego-policies-authorizationopa) + Check out as well the user guides about [OpenID Connect Discovery and authentication with JWTs](oidc-jwt-authentication.md) and [Open Policy Agent (OPA) Rego policies](opa-authorization.md). diff --git a/docs/user-guides/sharding.md b/docs/user-guides/sharding.md index f42b9b0d..84eb193e 100644 --- a/docs/user-guides/sharding.md +++ b/docs/user-guides/sharding.md @@ -19,13 +19,10 @@ By default, Authorino will watch events related to all `AuthConfig` custom resou
- - Authorino capabilities featured in this guide: - - +Authorino capabilities featured in this guide +- [Sharding](https://docs.kuadrant.io/authorino/docs/architecture#sharding) +- Identity verification & authentication →[API key](https://docs.kuadrant.io/authorino/docs/features#api-key-authenticationapikey) + Check out as well the user guide about [Authentication with API keys](api-key-authentication.md). For further details about Authorino features in general, check the [docs](../features.md). diff --git a/docs/user-guides/token-normalization.md b/docs/user-guides/token-normalization.md index 472da5fd..4f5d9181 100644 --- a/docs/user-guides/token-normalization.md +++ b/docs/user-guides/token-normalization.md @@ -9,15 +9,12 @@ This user guide focuses on the aspect of mutation of the identity claims resolve For not only normalizing the identity claims for purpose of writing simpler authorization checks and policies, but also getting Authorino to issue a new token in a normalized format, check the [Festival Wristband tokens](../features.md#festival-wristband-tokens-responsesuccessheadersdynamicmetadatawristband) feature.
- - Authorino capabilities featured in this guide: - - +Authorino capabilities featured in this guide +- Identity verification & authentication →[Identity extension](../features.md#extra-identity-extension-authenticationdefaults-and-authenticationoverrides) +- Identity verification & authentication →[API key](../features.md#api-key-authenticationapikey) +- Identity verification & authentication →[JWT verification](../features.md#jwt-verification-authenticationjwt) +- Authorization →[Pattern-matching authorization](../features.md#pattern-matching-authorization-authorizationpatternmatching) + Check out as well the user guides about [Authentication with API keys](api-key-authentication.md), [OpenID Connect Discovery and authentication with JWTs](oidc-jwt-authentication.md) and [Simple pattern-matching authorization policies](json-pattern-matching-authorization.md). diff --git a/docs/user-guides/validating-webhook.md b/docs/user-guides/validating-webhook.md index 90e2e428..f19d6e16 100644 --- a/docs/user-guides/validating-webhook.md +++ b/docs/user-guides/validating-webhook.md @@ -7,20 +7,17 @@ The rules to validate a request to the Kubernetes API – typically a `POST`, `P This user guide provides an example of using Authorino as a Kubernetes ValidatingWebhook service that validates requests to `CREATE` and `UPDATE` Authorino `AuthConfig` resources. In other words, we will use Authorino as a validator inside the cluster that decides what is a valid AuthConfig for any application which wants to rely on Authorino to protect itself.
- - Authorino capabilities featured in this guide: - - +Authorino capabilities featured in this guide +- Identity verification & authentication →[Plain](../features.md#plain-authenticationplain) +- Identity verification & authentication →[Kubernetes TokenReview](../features.md#kubernetes-tokenreview-authenticationkubernetestokenreview) +- Identity verification & authentication →[API key](../features.md#api-key-authenticationapikey) +- External auth metadata →[HTTP GET/GET-by-POST](../features.md#http-getget-by-post-metadatahttp) +- Authorization →[Kubernetes SubjectAccessReview](../features.md#kubernetes-subjectaccessreview-authorizationkubernetessubjectaccessreview) +- Authorization →[Open Policy Agent (OPA) Rego policies](../features.md#open-policy-agent-opa-rego-policies-authorizationopa) +- Dynamic response →[Festival Wristband tokens](../features.md#festival-wristband-tokens-responsesuccessheadersdynamicmetadatawristband) +- Common feature →[Conditions](../features.md#common-feature-conditions-when) +- Common feature →[Priorities](../features.md#common-feature-priorities) + For further details about Authorino features in general, check the [docs](../features.md).
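Review bot: in the `docs/user-guides/anonymous-access.md` hunk (and in the same block of every other guide touched here) the new list starts directly under the lead line with no blank line between them: `+ Authorino capabilities featured in this guide` is followed immediately by `+ - Identity verification & authentication →[Anonymous access](./../features.md#anonymous-access-authenticationanonymous)`. GitHub renders that, but Python-Markdown, which MkDocs uses if that is what builds the published docs, does not let a list interrupt a paragraph and will fold the `-` items into the lead line's paragraph. Add a blank line after the lead line; the hunk already does this before `For further details about Authorino features in general`. Since the lead line also lost its trailing colon and is now a bare paragraph, consider making it bold or a heading so it still reads as the block's title. If the `<details>`/`<summary>` wrapper that the commit subject refers to is kept around this block, please also confirm in the rendered output that the markdown list inside it is actually processed (Python-Markdown needs `markdown="1"` on the enclosing element via the md_in_html extension; GitHub needs a blank line after the `<summary>`).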
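Review bot: in the `docs/user-guides/api-key-authentication.md` hunk the arrow runs straight into the link, `+ - Identity verification & authentication →[API key](../features.md#api-key-authenticationapikey)`, whereas the removed text read `Identity verification & authentication → API key`. If the missing space is in the source rather than an artifact of how the diff is displayed, add it (`→ [API key](...)`) so the rendered line keeps the spacing it had; the same applies to every `→[` occurrence in the patch.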
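Review bot: in the `docs/user-guides/http-basic-authentication.md` hunk, and in every file after it, the added lines start at column 0 (`+Authorino capabilities featured in this guide`, `+- Identity verification & authentication →[API key](...)`), while the files earlier in the patch keep a one-space indent (`+ Authorino capabilities featured in this guide`, `+ - Identity verification & authentication →[API key](...)`). A single leading space is harmless in markdown, but the two styles in one commit suggest the first half was edited by hand and the rest by search-and-replace; pick one and apply it across all 27 files.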
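Review bot: in the `docs/user-guides/external-metadata.md` hunk the four paragraphs after the new list (`You can configure Authorino to fetch additional metadata from external sources in request-time…`, `URL, parameters and headers of the request to the external source of metadata can be configured…`, `Check out as well the user guides about…` and `For further details about Authorino features in general…`) are removed and re-added with what looks like identical text, so these appear to be whitespace-only changes from dedenting the block. That is fine if the paragraphs were previously indented inside the HTML wrapper, but please confirm no wording changed in them, since the diff view makes that hard to see.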
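Review bot: the second hunk of `docs/user-guides/kubernetes-subjectaccessreview.md` (`@@ -310,9 +307,8 @@`) replaces `Extra: consume the API as service account api-consumer-2 from outside the cluster` with `+Extra: consume the API as service accountapi-consumer-2fromoutsidethe cluster`, where the words around the service account name and around `outside` have lost their spaces. That looks like inline `<code>`/`<em>` markup being converted to markdown without the separating spaces; if that is how the source reads, restore a space on each side of `` `api-consumer-2` `` and `*outside*`. This hunk also contains no link, so it is outside what the commit subject ("markdown links in summary blocks") describes and deserves a mention in the message.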
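Review bot: the `docs/user-guides/observability.md` hunks at `@@ -233` and `@@ -652` have the same spacing problem: `+Example of metrics exported at the/metricsendpoint` and `+Example of metrics exported at the/server-metricsendpoint` run the path into the surrounding words where the removed lines read `the /metrics endpoint` and `the /server-metrics endpoint`; check that the source keeps spaces around the inline-code path. These summary lines sit above `ini` and `jsonc` blocks which, judging by the hunk offsets (lines 233, 652, 1238 and 1287 of the file), run to several hundred lines; if the collapsible wrapper around them is being removed rather than kept, the metrics and log dumps will always be expanded and the guide becomes much harder to scan, so please state in the message which of the two it is.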
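Review bot: the `docs/user-guides/sharding.md` hunk links with absolute URLs, `+- [Sharding](https://docs.kuadrant.io/authorino/docs/architecture#sharding)` and `+- Identity verification & authentication →[API key](https://docs.kuadrant.io/authorino/docs/features#api-key-authenticationapikey)`, while every other guide in this patch uses relative paths such as `../features.md#api-key-authenticationapikey`. Use `../architecture.md#sharding` and `../features.md#api-key-authenticationapikey` here too: relative links resolve on GitHub as well as on the published site and stay tied to the version of the docs the reader is viewing, whereas the absolute URLs always point at whatever the site currently publishes.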