This demo contains the following components:
- A resource server running on port 80
- A sidecar proxy running on port 8000, in the same pod as the resource-server
The sidecar proxy intercepts all calls to the resource server and runs authN/authZ checks against them. If incoming calls pass these checks, they are forwarded to the resource-server. Otherwise, a 403 Forbidden reply is sent back.
- Switch to the Kubernetes namespace where the demo application should be deployed.
- Navigate to the `/deploy-config` directory.
- Run the `deploy-minikube.sh` script to deploy the demo.
- Run `minikube service list` to get the external base URL of the deployed service.
- Try the API methods described below, with authorized and unauthorized users.
The resource server allows reads and writes using the /data API. The URLs are:

Read:

```shell
curl -X GET "${BASE_URL}/data?key=${KEY}" -H "Authorization: ${USERNAME}"
```

Response:

```json
{
  "<KEY>": "<VALUE>"
}
```

Write:

```shell
curl -X POST "${BASE_URL}/data?key=${KEY}&value=${VALUE}" -H "Authorization: ${USERNAME}"
```

Response:

```json
{
  "<KEY>": "<VALUE>"
}
```

| Username | Read Data | Write Data |
|---|---|---|
| alice | yes | no |
| bob | yes | yes |
| chuck | no | no |
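The proxy's allow/deny decision over this table, written as an added example; it is not the demo's own proxy code, which is not shown here. It assumes the Authorization header carries a bare username, as in the curl calls above, and treats anything not listed in the table (unknown users, other methods, other paths) as denied.

```python
# Added example (not the demo's own code): the sidecar's authorization
# decision as a pure function driven by the permission table above.
# Policy is default deny: unknown users, methods and paths all get 403.
from urllib.parse import urlsplit

# Permission table from the README: username -> allowed actions.
PERMISSIONS = {
    "alice": {"read"},
    "bob": {"read", "write"},
    "chuck": set(),
}

# HTTP method on /data -> the action it performs.
METHOD_ACTION = {"GET": "read", "POST": "write"}


def decide(method, url, headers):
    """Return (status, reason) the proxy would answer with.

    200 means forward to the resource server, 403 means reject.
    `headers` is a dict of incoming request headers; lookup is
    case-insensitive, as HTTP header names are.
    """
    # Assumption (matches the curl examples): the Authorization header
    # value is the bare username, with no credential attached.
    username = next(
        (v for k, v in headers.items() if k.lower() == "authorization"), None
    )
    if not username:
        return 403, "missing Authorization header"
    if urlsplit(url).path != "/data":
        return 403, "path not covered by policy"
    action = METHOD_ACTION.get(method.upper())
    if action is None:
        return 403, "method not covered by policy"
    allowed = PERMISSIONS.get(username, set())  # unknown user -> no rights
    if action not in allowed:
        return 403, f"{username} may not {action}"
    return 200, "forward to resource server"


if __name__ == "__main__":
    # Constructed sample requests mirroring the README's curl calls,
    # plus a user that is not in the table at all.
    for user in ("alice", "bob", "chuck", "unknown-user"):
        for method in ("GET", "POST"):
            print(user, method, decide(method, "/data?key=k", {"Authorization": user}))
```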
- Make the AuthN/AuthZ proxy configurable and independent of the resource server
- Use lightweight servers/frameworks for the AuthN/AuthZ proxy for performance
- Add trusted issuer check and external authorization checks
- Other use cases: auditing, tracing
