Description
Preflight checklist
- I agree to follow this project's Code of Conduct.
- I have read and am following this repository's Contribution Guidelines.
- I have discussed this feature request with the community.
Describe the background of your feature request
Currently, Heimdall only supports end-to-end security through the use of RFC 7519 (JWT) to enable minimal enforcement of authentication and authorization by upstream services. By requiring the presence of a valid JWT issued by Heimdall, upstream services can ensure that requests are trustworthy; if the JWT is missing or its signature cannot be verified, the request is deemed untrustworthy. While JWT is a widely recognized and commonly used format, using it to transfer service-specific values to upstream services may not be ideal, as developers must parse and extract the relevant data themselves.
Describe your idea
Using RFC 9421 (HTTP Message Signatures) would be a much better fit for this purpose. Developers could simply add a corresponding middleware to their upstream service that verifies the HTTP Message Signature created by Heimdall. The signature would cover the specific parts of the request as defined in Heimdall's rules. Relevant information could then be extracted directly from the HTTP headers, making this approach far more convenient and seamless to implement in any of the commonly available web frameworks.
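As an added illustration (not code from the Heimdall project or from this issue), here is the verification side in Go that such an upstream middleware would wrap: it rebuilds the RFC 9421 signature base from the components listed in `Signature-Input` and checks an Ed25519 signature over it. The function names, the `sig1` label and the single-label-per-header assumption are mine; a middleware would call `VerifyMessageSignature` and answer 401 on error, the same untrusted-request outcome the JWT check gives today.

```go
package main

import (
	"crypto/ed25519"
	"encoding/base64"
	"errors"
	"net/http"
	"strings"
)

var errBad = errors.New("http message signature missing or invalid")

// SignatureBase rebuilds the RFC 9421 signature base for the signature labelled `label` from
// Signature-Input. Supports @method, @path and plain header fields; assumes one label per header.
func SignatureBase(r *http.Request, label string) ([]byte, error) {
	params := r.Header.Get("Signature-Input")
	idx := strings.Index(params, label+"=(")
	if idx < 0 { return nil, errBad }
	params = params[idx+len(label)+1:] // `("@method" "x-user");created=...;keyid="..."`
	inner, _, ok := strings.Cut(params[1:], ")")
	if !ok { return nil, errBad }
	var lines []string
	for _, id := range strings.Fields(inner) {
		name, value := strings.Trim(id, `"`), ""
		switch name {
		case "@method": value = r.Method
		case "@path": value = r.URL.Path
		default: // a covered header that is absent (or an unsupported @component) must fail, not sign as ""
			vals, ok := r.Header[http.CanonicalHeaderKey(name)]
			if !ok { return nil, errBad }
			value = strings.Join(vals, ", ")
		}
		lines = append(lines, `"`+name+`": `+value)
	}
	lines = append(lines, `"@signature-params": `+params)
	return []byte(strings.Join(lines, "\n")), nil
}

// VerifyMessageSignature checks the Ed25519 signature `label` from the Signature header over the rebuilt base.
func VerifyMessageSignature(r *http.Request, pub ed25519.PublicKey, label string) error {
	base, err := SignatureBase(r, label)
	if err != nil { return err }
	sig := r.Header.Get("Signature")
	idx := strings.Index(sig, label+"=:")
	if idx < 0 { return errBad }
	enc, _, ok := strings.Cut(sig[idx+len(label)+2:], ":")
	raw, err := base64.StdEncoding.DecodeString(enc)
	if !ok || err != nil || !ed25519.Verify(pub, base, raw) { return errBad }
	return nil
}
```

The key used here is the one Heimdall would publish for its signatures; any change to a covered component, or a missing covered header, changes the rebuilt base and the verification fails.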
Are there any workarounds or alternatives?
An alternative would be to continue relying solely on JWTs. While this approach works, it lacks the flexibility and convenience offered by HTTP Message Signatures, especially when dealing with service-specific requirements.
Version
0.15.1
Additional Context
No response