user-guides.md

User guides

• Hello World
  The basics of protecting an API with Authorino.

• Authentication with Kubernetes tokens (TokenReview API)
  Validate Kubernetes Service Account tokens to authenticate requests to your protected hosts.

• Authentication with API keys
  Issue API keys stored in Kubernetes Secrets for clients to authenticate with your protected hosts.

• Authentication with X.509 certificates and mTLS
  Verify client X.509 certificates against trusted root CAs.

• OpenID Connect Discovery and authentication with JWTs
  Validate JSON Web Tokens (JWT) issued and signed by an OpenID Connect server; leverage OpenID Connect Discovery to automatically fetch JSON Web Key Sets (JWKS).

• OAuth 2.0 token introspection (RFC 7662)
  Introspect OAuth 2.0 access tokens (e.g. opaque tokens) for online user data and token validation in request-time.

• Passing credentials (Authorization header, cookie headers and others)
  Customize where credentials are supplied in the request by each trusted source of identity.

• HTTP "Basic" Authentication (RFC 7235)
  Turn Authorino API key Secrets settings into HTTP basic auth.

• Anonymous access
  Bypass identity verification or fall back to anonymous access when credentials fail to validate

• Token normalization
  Normalize identity claims from trusted sources and reduce complexity in your policies.

• Edge Authentication Architecture (EAA)
  Exchange satellite (outer-layer) authentication tokens for "Festival Wristbands" accepted ubiquitously at the inside of your network. Normalize from multiple and varied sources of identity and authentication methods in the edge of your architecture; filter privacy data, limit the scope of permissions, and simplify authorization rules to your internal microservices.

• Fetching auth metadata from external sources
  Get online data from remote HTTP services to enhance authorization rules.

• OpenID Connect UserInfo
  Fetch user info for OpenID Connect ID tokens in request-time for extra metadata for your policies and online verification of token validity.

• Resource-level authorization with User-Managed Access (UMA) resource registry
  Fetch resource attributes relevant for authorization from a User-Managed Access (UMA) resource registry such as Keycloak resource server clients.

• Simple pattern-matching authorization policies
  Write simple authorization rules based on JSON patterns matched against Authorino's Authorization JSON; check contextual information of the request, validate JWT claims, cross metadata fetched from external sources, etc.

• OpenID Connect (OIDC) and Role-Based Access Control (RBAC) with Authorino and Keycloak
  Combine OpenID Connect (OIDC) authentication and Role-Based Access Control (RBAC) authorization rules leveraging Keycloak and Authorino working together.

• Open Policy Agent (OPA) Rego policies
  Leverage the power of Open Policy Agent (OPA) policies, evaluated against Authorino's Authorization JSON in a built-in runtime compiled together with Authorino; pre-cache policies defined in Rego language inline or fetched from an external policy registry.

• Kubernetes RBAC for service authorization (SubjectAccessReview API)
  Manage permissions in the Kubernetes RBAC and let Authorino to check them in request-time with the authorization system of the cluster.

• Authorization with Keycloak Authorization Services
  Use Authorino as an adapter for Keycloak Authorization Services without importing any library or rebuilding your application code.

• Integration with Authzed/SpiceDB
  Permission requests sent to a Google Zanzibar-based Authzed/SpiceDB instance, via gRPC.

• Injecting data in the request
  Inject HTTP headers with serialized JSON content.

• Authenticated rate limiting (with Envoy Dynamic Metadata)
  Provide Envoy with dynamic metadata from the external authorization process to be injected and used by consecutive filters, such as by a rate limiting service.

• Redirecting to a login page
  Customize response status code and headers on failed requests. E.g. redirect users of a web application protected with Authorino to a login page instead of a 401 Unauthorized; mask resources on access denied behind a 404 Not Found response instead of 403 Forbidden.

• Mixing Envoy built-in filter for auth and Authorino
  Have JWT validation handled by Envoy beforehand and the JWT payload injected into the request to Authorino, to be used in custom authorization policies defined in a AuthConfig.

• Host override via context extension
  Induce the lookup of an AuthConfig by supplying extended host context, for use cases such as of path prefix-based lookup and wildcard subdomains lookup.

• Using Authorino as ValidatingWebhook service
  Use Authorino as a generic Kubernetes ValidatingWebhook service where the rules to validate a request to the Kubernetes API are written in an AuthConfig.

• Reducing the operational space: sharding, noise and multi-tenancy
  Have multiple instances of Authorino running in the same space (Kubernetes namespace or cluster-scoped), yet watching particular sets of resources.

• Caching
  Cache auth objects resolved at runtime for any configuration bit of an AuthConfig, for easy access in subsequent requests whenever an arbitrary cache key repeats, until the cache entry expires.

• Observability
  Prometheus metrics exported by Authorino, readiness probe, logging, tracing, etc.