The basics of protecting an API with Authorino.
Authentication with Kubernetes tokens (TokenReview API)
Validate Kubernetes Service Account tokens to authenticate requests to your protected hosts.
Authentication with API keys
Issue API keys stored in Kubernetes
Secrets for clients to authenticate with your protected hosts.
Authentication with X.509 certificates and mTLS
Verify client X.509 certificates against trusted root CAs.
OpenID Connect Discovery and authentication with JWTs
Validate JSON Web Tokens (JWT) issued and signed by an OpenID Connect server; leverage OpenID Connect Discovery to automatically fetch JSON Web Key Sets (JWKS).
OAuth 2.0 token introspection (RFC 7662)
Introspect OAuth 2.0 access tokens (e.g. opaque tokens) for online user data and token validation in request-time.
Passing credentials (
Authorizationheader, cookie headers and others)
Customize where credentials are supplied in the request by each trusted source of identity.
HTTP “Basic” Authentication (RFC 7235)
Turn Authorino API key
Secrets settings into HTTP basic auth.
Bypass identity verification or fall back to anonymous access when credentials fail to validate
Normalize identity claims from trusted sources and reduce complexity in your policies.
Edge Authentication Architecture (EAA)
Exchange satellite (outer-layer) authentication tokens for “Festival Wristbands” accepted ubiquitously at the inside of your network. Normalize from multiple and varied sources of identity and authentication methods in the edge of your architecture; filter privacy data, limit the scope of permissions, and simplify authorization rules to your internal micro-services.
Fetching auth metadata from external sources
Get online data from remote HTTP services to enhance authorization rules.
OpenID Connect UserInfo
Fetch user info for OpenID Connect ID tokens in request-time for extra metadata for your policies and online verification of token validity.
Resource-level authorization with User-Managed Access (UMA) resource registry
Fetch resource attributes relevant for authorization from a User-Managed Access (UMA) resource registry such as Keycloak resource server clients.
Simple pattern-matching authorization policies
Write simple authorization rules based on JSON patterns matched against Authorino’s Authorization JSON; check contextual information of the request, validate JWT claims, cross metadata fetched from external sources, etc.
OpenID Connect (OIDC) and Role-Based Access Control (RBAC) with Authorino and Keycloak
Combine OpenID Connect (OIDC) authentication and Role-Based Access Control (RBAC) authorization rules leveraging Keycloak and Authorino working together.
Open Policy Agent (OPA) Rego policies
Leverage the power of Open Policy Agent (OPA) policies, evaluated against Authorino’s Authorization JSON in a built-in runtime compiled together with Authorino; pre-cache policies defined in Rego language inline or fetched from an external policy registry.
Kubernetes RBAC for service authorization (SubjectAccessReview API)
Manage permissions in the Kubernetes RBAC and let Authorino to check them in request-time with the authorization system of the cluster.
Authorization with Keycloak Authorization Services
Use Authorino as an adapter for Keycloak Authorization Services without importing any library or rebuilding your application code.
Injecting data in the request
Inject HTTP headers with serialized JSON content.
Authenticated rate limiting (with Envoy Dynamic Metadata)
Provide Envoy with dynamic metadata from the external authorization process to be injected and used by consecutive filters, such as by a rate limiting service.
Redirecting to a login page
Customize response status code and headers on failed requests. E.g. redirect users of a web application protected with Authorino to a login page instead of a
401 Unauthorized; mask resources on access denied behind a
404 Not Foundresponse instead of
Mixing Envoy built-in filter for auth and Authorino
Have JWT validation handled by Envoy beforehand and the JWT payload injected into the request to Authorino, to be used in custom authorization policies defined in a AuthConfig.
Host override via context extension
Induce the lookup of an AuthConfig by supplying extended host context, for use cases such as of path prefix-based lookup and wildcard subdomains lookup.
Using Authorino as ValidatingWebhook service
Use Authorino as a generic Kubernetes ValidatingWebhook service where the rules to validate a request to the Kubernetes API are written in an AuthConfig.
Reducing the operational space: sharding, noise and multi-tenancy
Have multiple instances of Authorino running in the same space (Kubernetes namespace or cluster-scoped), yet watching particular sets of resources.
Cache auth objects resolved at runtime for any configuration bit of an AuthConfig, for easy access in subsequent requests whenever an arbitrary cache key repeats, until the cache entry expires.
Prometheus metrics exported by Authorino, readiness probe, logging, tracing, etc.