I'm working on a server configuration with:
envoy proxy
as a gateway, with a simple python web server behind it to serve web pages and API calls.Auth0
to authenticate my users.OPA
as the Authorization system.I've used a docker-compose.yml
similar to this to create the envoy and OPA setup. I've implemented the Auth0 with OPA installation guide, so I have the Auth0
data in my encrypted session cookie after login (on which the authorization logic will work on). I've also found useful resources like this, that implement almost the exact flow I'm looking for.
All implementations, examples and guides I've found do not use this exact configuration, and have an additional piece of code that decodes the session data from the cookie, and extracts the user info (id_token
) before calling the OPA service. Sometimes as part of the web server code (which defeats the purpose of the envoy gateway in my case).
I feel very close to an elegant design with little or no boiler plate code and with no overlap in responsibility between services. What am I missing? Is there an envoy filter that extracts the encrypted session from the cookie I should use before calling OPA? Perhaps OPA can decrypt the session data from the cookie?
Is there something inherently wrong in my design?
The best solution I came up with (especially in a docker-compose environment) is:
envoyproxy/envoy
)openpolicyagent/opa
)envoy.filters.http.oauth2
). It would have been great if I could find an envoy OIDC implementation, but this ticket (https://github.com/envoyproxy/envoy/issues/21982) suggests there isn't much interest in it. I'm not sure why... For a web based solution, the filter will route the IdToken from the authentication service, to the browser cookie.envoy.filters.http.ext_authz
) configured to point to the OPA service. This filter routes the cookie (with the IdToken) to the OPA service, allowing permissions based on user info from the auth service.envoy.filters.http.jwt_authn
), configured with remote_jwks
to get authentication info directly from Auth0 (in my case)In this solution, there is ZERO boilerplate code. No extra plugins to build into envoy, etc. Every component is separately configured using config files (OPA rego policy file, envoy yaml, and docker-compose to connect everything).
It was slightly difficult to find documentation to configure things correctly. Please comment if you'd like me to share more details.