Downstream Authentication
API Key in Query Parameter
Authentication with an API key passed as a query parameter is configured with the Authentication with Header or Query Parameter configuration. Because the key is part of the request URL, it is recorded wherever URLs are logged (proxy and upstream access logs, browser history, Referer headers), so prefer the request-header variant below whenever the client is able to send a header.
HURL Examples
POST http://localhost:{{port}}/api/upload/api-key-in-query?api-port={{port}}&envoy-cluster={{envoy-cluster}}
Content-Type: application/yaml
Authorization: Bearer {{admin-access-token}}
file,api-key-in-query.yaml;
HTTP 200
# no api key provided
GET http://localhost:8080/api-key-in-query/test
HTTP 403
[Asserts]
body contains "RBAC: access denied"
# correct api key provided
GET http://localhost:8080/api-key-in-query/test?my-api-key=supersecret
HTTP 200
# wrong api key provided
GET http://localhost:8080/api-key-in-query/test?my-api-key=wrongsecret
HTTP 403
[Asserts]
body contains "RBAC: access denied"
API Key in Request Header
Authentication with an API key passed in a request header is configured with the same Authentication with Header or Query Parameter configuration, with the key read from the configured header instead of the query string.
HURL Examples
POST http://localhost:{{port}}/api/upload/api-key?api-port={{port}}&envoy-cluster={{envoy-cluster}}
Content-Type: application/yaml
Authorization: Bearer {{admin-access-token}}
file,api-key.yaml;
HTTP 200
# no api key provided
GET http://localhost:8080/api-key/test
HTTP 403
[Asserts]
body contains "RBAC: access denied"
# correct api key provided
GET http://localhost:8080/api-key/test
my-api-key: supersecret
HTTP 200
# wrong api key provided
GET http://localhost:8080/api-key/test
my-api-key: wrongsecret
HTTP 403
[Asserts]
body contains "RBAC: access denied"
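To make concrete what the two API key test files above exercise, here is an added Python example; it is not ProxyConf's or Envoy's code. It assumes a minimal `Request` type, a `(status, body)` result tuple mimicking the "RBAC: access denied" response the tests expect, and a constructed access-log format. It extracts the key from either location, compares it in constant time, and shows why the query-string variant is the weaker choice: the key becomes part of the logged request line.

```python
import hmac
from dataclasses import dataclass, field
from urllib.parse import parse_qs, urlsplit

# Response the tests above expect from the proxy when the key is absent or wrong.
ACCESS_DENIED = (403, "RBAC: access denied")


@dataclass
class Request:
    """Minimal downstream request (assumed shape; not ProxyConf's own type)."""
    url: str
    headers: dict = field(default_factory=dict)


def extract_api_key(req: Request, location: str, name: str):
    """Return the presented key from a header or a query parameter, or None."""
    if location == "header":
        # Header names are case-insensitive, so match them case-insensitively.
        for k, v in req.headers.items():
            if k.lower() == name.lower():
                return v
        return None
    if location == "query":
        params = parse_qs(urlsplit(req.url).query, keep_blank_values=True)
        values = params.get(name)
        # A parameter sent twice is ambiguous; treat it as not provided.
        if not values or len(values) != 1:
            return None
        return values[0]
    raise ValueError(f"unsupported key location {location!r}")


def check_api_key(req: Request, location: str, name: str, valid_keys):
    """Return (status, body) the way the proxy answers in the tests above."""
    presented = extract_api_key(req, location, name)
    if presented is None:
        return ACCESS_DENIED
    # Compare in constant time and against every configured key, without
    # short-circuiting, so response timing does not reveal partial matches.
    matched = False
    for key in valid_keys:
        if hmac.compare_digest(presented.encode(), key.encode()):
            matched = True
    return (200, "OK") if matched else ACCESS_DENIED


def access_log_line(req: Request) -> str:
    """Request line as a typical proxy access log records it (constructed format)."""
    parts = urlsplit(req.url)
    target = parts.path + (f"?{parts.query}" if parts.query else "")
    return f'"GET {target} HTTP/1.1"'


if __name__ == "__main__":
    keys = ["supersecret"]  # constructed key matching the tests above
    in_query = Request("http://localhost:8080/api-key-in-query/test?my-api-key=supersecret")
    in_header = Request("http://localhost:8080/api-key/test", {"my-api-key": "supersecret"})
    print(check_api_key(in_query, "query", "my-api-key", keys))
    print(check_api_key(in_header, "header", "my-api-key", keys))
    # The query-string key is part of the logged request line; the header key is not.
    print(access_log_line(in_query))
    print(access_log_line(in_header))
```

Rejecting a duplicated query parameter is a deliberate choice: different components (proxy, upstream framework) may pick the first or the last value, and an attacker can exploit that disagreement if the proxy validates one copy and the upstream trusts the other.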
Basic Authentication
Authentication using HTTP Basic Authentication is configured with the Basic Authentication configuration. The credentials travel base64-encoded, not encrypted, so only expose a Basic-authenticated API on a TLS listener.
HURL Examples
POST http://localhost:{{port}}/api/upload/basic-auth?api-port={{port}}&envoy-cluster={{envoy-cluster}}
Content-Type: application/yaml
Authorization: Bearer {{admin-access-token}}
file,basic-auth.yaml;
HTTP 200
# no basic auth credentials provided
GET http://localhost:8080/basic-auth/test
HTTP 403
[Asserts]
body contains "RBAC: access denied"
# correct credentials provided
GET http://localhost:8080/basic-auth/test
[BasicAuth]
myuser: mysecret
HTTP 200
# wrong password provided
GET http://localhost:8080/basic-auth/test
[BasicAuth]
myuser: wrongsecret
HTTP 403
[Asserts]
body contains "RBAC: access denied"
# wrong username provided
GET http://localhost:8080/basic-auth/test
[BasicAuth]
wronguser: mysecret
HTTP 403
[Asserts]
body contains "RBAC: access denied"
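The following added Python example (not ProxyConf's or Envoy's code) walks through what the Basic Authentication tests above rely on: building the `Authorization` header the way hurl's `[BasicAuth]` section does, parsing it strictly, and checking the credentials so that a wrong user and a wrong password are indistinguishable. The `(status, body)` result tuple mimics the "RBAC: access denied" response the tests expect and is an assumption, as is the in-memory user table.

```python
import base64
import binascii
import hmac

# Response the tests above expect when credentials are absent or wrong.
ACCESS_DENIED = (403, "RBAC: access denied")


def basic_header(user: str, password: str) -> str:
    """Build the Authorization value that hurl's [BasicAuth] section sends."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


def parse_basic_auth(authorization):
    """Parse 'Basic <base64(user:password)>' into (user, password); None if malformed."""
    if not authorization:
        return None
    scheme, _, payload = authorization.strip().partition(" ")
    if scheme.lower() != "basic" or not payload.strip():
        return None
    try:
        # validate=True rejects stray characters instead of silently dropping them.
        decoded = base64.b64decode(payload.strip(), validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    # RFC 7617: the user-id cannot contain a colon, so split on the first one only.
    user, sep, password = decoded.partition(":")
    if not sep:
        return None
    return user, password


def check_basic_auth(headers: dict, users: dict):
    """users maps username -> password. Returns (status, body) as the proxy would."""
    authorization = None
    for k, v in headers.items():
        if k.lower() == "authorization":
            authorization = v
    creds = parse_basic_auth(authorization)
    if creds is None:
        return ACCESS_DENIED
    user, password = creds
    # Run the password comparison even for unknown users so the response time
    # does not reveal which usernames exist, and compare in constant time.
    user_known = user in users
    expected = users.get(user, "")
    password_ok = hmac.compare_digest(password.encode(), expected.encode())
    return (200, "OK") if (user_known and password_ok) else ACCESS_DENIED


if __name__ == "__main__":
    users = {"myuser": "mysecret"}  # constructed credentials matching the tests above
    attempts = [("myuser", "mysecret"), ("myuser", "wrongsecret"), ("wronguser", "mysecret")]
    for user, password in attempts:
        print(user, password, check_basic_auth({"Authorization": basic_header(user, password)}, users))
    print("no credentials", check_basic_auth({}, users))
```

A real deployment would store password hashes rather than plaintext and verify with a password-hashing function, but the header parsing and the uniform failure response shown here apply unchanged.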
Disabled
Downstream authentication is switched off for an API by setting the Disabled flag. Every request to such an API is forwarded without any credential check (the unauthenticated request in the example below is answered with HTTP 200), so reserve it for APIs that are public by design or protected by another layer.
HURL Examples
# see routing-misc.hurl for more examples that use "disabled" auth
POST http://localhost:{{port}}/api/upload/disabled?api-port={{port}}&envoy-cluster={{envoy-cluster}}
Content-Type: application/yaml
Authorization: Bearer {{admin-access-token}}
file,disabled.yaml;
HTTP 200
GET http://localhost:8080/disabled/test
HTTP 200
JSON Web Tokens (JWT)
Authentication using JWT is configured with the Authentication with JWT configuration. Note the two failure modes the tests below distinguish: a request without a token is rejected with HTTP 401 ("Jwt is missing"), while a correctly signed token that was issued for a different audience is rejected with HTTP 403 ("Audiences in Jwt are not allowed"). The audience in the downstream auth configuration therefore has to match the audience the token issuer places in the token.
HURL Examples
POST http://localhost:{{port}}/api/upload/jwt?api-port={{port}}&envoy-cluster={{envoy-cluster}}
Content-Type: application/yaml
Authorization: Bearer {{admin-access-token}}
file,jwt.yaml;
HTTP 200
# no JWT is provided
GET http://localhost:8080/jwt/test
HTTP 401
[Asserts]
body contains "Jwt is missing"
# fetch invalid token (missing correct audience claim)
POST http://localhost:{{port}}/api/access-token
[QueryStringParams]
client_id: {{oauth-client-id-other}}
client_secret: {{oauth-client-secret-other}}
grant_type: client_credentials
HTTP 200
[Captures]
invalid_access_token: jsonpath "$['access_token']"
# a correctly signed JWT for a different audience is provided
GET http://localhost:8080/jwt/test
Authorization: Bearer {{invalid_access_token}}
HTTP 403
[Asserts]
body contains "Audiences in Jwt are not allowed"
# fetch valid token (including audience specified in downstream auth config)
POST http://localhost:{{port}}/api/access-token
[QueryStringParams]
client_id: {{oauth-client-id}}
client_secret: {{oauth-client-secret}}
grant_type: client_credentials
HTTP 200
[Captures]
valid_access_token: jsonpath "$['access_token']"
# Valid JWT is provided
GET http://localhost:8080/jwt/test
Authorization: Bearer {{valid_access_token}}
HTTP 200
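The JWT tests above fetch real tokens from an OAuth server and let the proxy verify them. The following added Python example (not ProxyConf's or Envoy's code) reproduces the decision sequence offline. It assumes a shared HS256 key in place of the issuer's JWKS, a local `mint_jwt` in place of `POST /api/access-token`, and constructed audience names; the two response bodies quoted from the tests are kept, and the other failure bodies are my own wording.

```python
import base64
import binascii
import hashlib
import hmac
import json
import time


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_jwt(claims: dict, key: bytes) -> str:
    """Issue an HS256 token; stands in for the page's POST /api/access-token (assumption)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    signature = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(signature)}"


def check_jwt(headers: dict, key: bytes, allowed_audiences, now=None):
    """Return (status, body) following the outcomes exercised by the tests above."""
    now = time.time() if now is None else now
    authorization = next((v for k, v in headers.items() if k.lower() == "authorization"), None)
    if not authorization or not authorization.startswith("Bearer "):
        return (401, "Jwt is missing")
    parts = authorization[len("Bearer "):].strip().split(".")
    if len(parts) != 3:
        return (401, "Jwt verification fails")  # body wording assumed, not from the page
    header_b64, payload_b64, signature_b64 = parts
    try:
        header = json.loads(_b64url_decode(header_b64))
        claims = json.loads(_b64url_decode(payload_b64))
        presented = _b64url_decode(signature_b64)
    except (ValueError, binascii.Error):
        return (401, "Jwt verification fails")
    if not isinstance(header, dict) or not isinstance(claims, dict):
        return (401, "Jwt verification fails")
    # Pin the algorithm so the token header cannot select 'none' or another algorithm.
    if header.get("alg") != "HS256":
        return (401, "Jwt verification fails")
    # Verify the signature before trusting any claim, including the audience.
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(presented, expected):
        return (401, "Jwt verification fails")
    if "exp" in claims and now >= claims["exp"]:
        return (401, "Jwt is expired")  # body wording assumed
    audiences = claims.get("aud", [])
    if isinstance(audiences, str):
        audiences = [audiences]
    if not any(a in allowed_audiences for a in audiences):
        return (403, "Audiences in Jwt are not allowed")
    return (200, "OK")


if __name__ == "__main__":
    key = b"constructed-issuer-key"  # assumption: shared HMAC key instead of a JWKS
    allowed = {"proxyconf-api"}       # constructed audience for the downstream auth config
    good = mint_jwt({"sub": "client", "aud": "proxyconf-api", "exp": 2000000000}, key)
    other = mint_jwt({"sub": "other", "aud": "other-api", "exp": 2000000000}, key)
    print(check_jwt({}, key, allowed))
    print(check_jwt({"Authorization": f"Bearer {other}"}, key, allowed))
    print(check_jwt({"Authorization": f"Bearer {good}"}, key, allowed))
```

The signature is checked before the audience on purpose: an unsigned or forged token should never get as far as a claim comparison, and the 403 for a wrong audience is only meaningful once the token is known to come from the trusted issuer, which is exactly the situation the test's "other" client creates.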
Mutual TLS (mTLS)
Authentication using TLS client certificates (mTLS). The client presents its certificate during the TLS handshake on the TLS listener (port 44444 in the examples below, not the plain HTTP port 8080), and the request is then accepted or rejected based on that certificate. In the tests the request with the bad certificate is answered with HTTP 403 by the RBAC filter rather than failing the handshake, so the decision is made at the HTTP layer after the connection has been established.
HURL Examples
POST http://localhost:{{port}}/api/upload/mtls?api-port={{port}}&envoy-cluster={{envoy-cluster}}
Content-Type: application/yaml
Authorization: Bearer {{admin-access-token}}
file,mtls.yaml;
HTTP 200
# HTTP Request with an invalid client certificate
GET https://localhost:44444/mtls/test
[Options]
cert: /tmp/proxyconf/exunit-bad.crt
key: /tmp/proxyconf/exunit-bad.key
HTTP 403
[Asserts]
body contains "RBAC: access denied"
# HTTP Request with a valid client certificate
GET https://localhost:44444/mtls/test
[Options]
cert: /tmp/proxyconf/exunit-good.crt
key: /tmp/proxyconf/exunit-good.key
HTTP 200