Commit

markdown links
jasonmadigan committed Jul 9, 2024
1 parent 1ac43d6 commit 9d414c8
Showing 26 changed files with 128 additions and 252 deletions.
15 changes: 5 additions & 10 deletions docs/user-guides/anonymous-access.md
Expand Up @@ -3,17 +3,12 @@
Bypass identity verification or fall back to anonymous access when credentials fail to validate

<details markdown="1">
<summary>
<strong>Authorino capabilities featured in this guide:</strong>
<ul>
<li>Identity verification & authentication → <a href="./../features.md#anonymous-access-authenticationanonymous">Anonymous access</a></li>
</ul>
</summary>

For further details about Authorino features in general, check the [docs](./../features.md).
</details>
<summary>Authorino capabilities featured in this guide:</summary>

<br/>
- Identity verification & authentication → [Anonymous access](./../features.md#anonymous-access-authenticationanonymous)

For further details about Authorino features in general, check the [docs](./../features.md).
</details>

## Requirements
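
Review bot: The two links in this file are written `./../features.md` (the Anonymous access list item and the "check the [docs]" sentence), while every other guide touched in this commit uses `../features.md`. The leading `./` is redundant; suggest normalising both to the `../features.md` form so all guides resolve and get checked the same way.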

11 changes: 3 additions & 8 deletions docs/user-guides/api-key-authentication.md
Expand Up @@ -3,12 +3,9 @@
Issue API keys stored in Kubernetes `Secret`s for clients to authenticate with your protected hosts.

<details markdown="1">
<summary>
<strong>Authorino capabilities featured in this guide:</strong>
<ul>
<li>Identity verification & authentication → <a href="../features.md#api-key-authenticationapikey">API key</a></li>
</ul>
</summary>
<summary>Authorino capabilities featured in this guide:</summary>

- Identity verification & authentication → [API key](../features.md#api-key-authenticationapikey)

In Authorino, API keys are stored as Kubernetes `Secret`s. Each resource must contain an `api_key` entry with the value of the API key, and labeled to match the selectors specified in `spec.identity.apiKey.selector` of the `AuthConfig`.
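
Review bot: The new summary line keeps a trailing colon, `<summary>Authorino capabilities featured in this guide:</summary>`, here and in anonymous-access.md, while the other guides in this commit drop it. Pick one form for all files; the version without the colon reads better as a collapsed disclosure label.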

Expand All @@ -17,8 +14,6 @@ Issue API keys stored in Kubernetes `Secret`s for clients to authenticate with y
For further details about Authorino features in general, check the [docs](../features.md).
</details>

<br/>

## Requirements

- Kubernetes server with permissions to install cluster-scoped resources (operator, CRDs and RBAC)
Expand Up @@ -3,14 +3,12 @@
Provide Envoy with dynamic metadata about the external authorization process to be injected into the rate limiting filter.

<details markdown="1">
<summary>
<strong>Authorino capabilities featured in this guide:</strong>
<ul>
<li>Dynamic response → Response wrappers → <a href="../features.md#envoy-dynamic-metadata">Envoy Dynamic Metadata</a></li>
<li>Dynamic response → <a href="../features.md#json-injection-responsesuccessheadersdynamicmetadatajson">JSON injection</a></li>
<li>Identity verification & authentication → <a href="../features.md#api-key-authenticationapikey">API key</a></li>
</ul>
</summary>
<summary>Authorino capabilities featured in this guide</summary>

- Dynamic response → Response wrappers → [Envoy Dynamic Metadata](../features.md#envoy-dynamic-metadata)
- Dynamic response → [JSON injection](../features.md#json-injection-responsesuccessheadersdynamicmetadatajson)
- Identity verification & authentication → [API key](../features.md#api-key-authenticationapikey)


Dynamic JSON objects built out of static values and values fetched from the [Authorization JSON](../architecture.md#the-authorization-json) can be wrapped to be returned to the reverse-proxy as Envoy Well Known Dynamic Metadata content. Envoy can use those to inject data returned by the external authorization service into the other filters, such as the rate limiting filter.
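
Review bot: Two consecutive blank lines follow the last list item (the API key bullet) before the "Dynamic JSON objects ..." paragraph. One blank line is enough to end the list, and it matches the single blank line used after the list in the other guides.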

13 changes: 4 additions & 9 deletions docs/user-guides/authzed.md
Expand Up @@ -3,16 +3,11 @@
Permission requests sent to a Google Zanzibar-based [Authzed/SpiceDB](https://authzed.com) instance, via gRPC.

<details markdown="1">
<summary>
<strong>Authorino capabilities featured in this guide:</strong>
<ul>
<li>Authorization → <a href="../features.md#spicedb-authorizationspicedb">SpiceDB</a></li>
<li>Identity verification & authentication → <a href="../features.md#api-key-authenticationapikey">API key</a></li>
</ul>
</summary>
</details>
<summary>Authorino capabilities featured in this guide</summary>

<br/>
- Authorization → [SpiceDB](../features.md#spicedb-authorizationspicedb)
- Identity verification & authentication → [API key](../features.md#api-key-authenticationapikey)
</details>

## Requirements
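
Review bot: In this file `</details>` follows the last list item directly, with no blank line in between, whereas the other guides end the list with a blank line before the remaining content. Since the block relies on `markdown="1"` for the list to be rendered, suggest adding a blank line before `</details>` so that closing the list does not depend on how a given renderer handles the tag.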

19 changes: 7 additions & 12 deletions docs/user-guides/caching.md
Expand Up @@ -17,22 +17,17 @@ Cases where one will **NOT** want to enable caching, due to relatively cheap com
- Anonymous access

<details markdown="1">
<summary>
<strong>Authorino capabilities featured in this guide:</strong>
<ul>
<li>Common feature → <a href="../features.md#common-feature-caching-cache">Caching</a></li>
<li>Identity verification & authentication → <a href="../features.md#anonymous-access-authenticationanonymous">Anonymous access</a></li>
<li>External auth metadata → <a href="../features.md#http-getget-by-post-metadatahttp">HTTP GET/GET-by-POST</a></li>
<li>Authorization → <a href="../features.md#open-policy-agent-opa-rego-policies-authorizationopa">Open Policy Agent (OPA) Rego policies</a></li>
<li>Dynamic response → <a href="../features.md#json-injection-responsesuccessheadersdynamicmetadatajson">JSON injection</a></li>
</ul>
</summary>
<summary>Authorino capabilities featured in this guide</summary>

- Common feature → [Caching](../features.md#common-feature-caching-cache)
- Identity verification & authentication → [Anonymous access](../features.md#anonymous-access-authenticationanonymous)
- External auth metadata → [HTTP GET/GET-by-POST](../features.md#http-getget-by-post-metadatahttp)
- Authorization → [Open Policy Agent (OPA) Rego policies](../features.md#open-policy-agent-opa-rego-policies-authorizationopa)
- Dynamic response → [JSON injection](../features.md#json-injection-responsesuccessheadersdynamicmetadatajson)

For further details about Authorino features in general, check the [docs](../features.md).
</details>

<br/>

## Requirements

- Kubernetes server with permissions to install cluster-scoped resources (operator, CRDs and RBAC)
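
Review bot: Moving the five capability bullets out of `<summary>` and into the body of `<details>` changes what readers see by default: the list used to be part of the always-visible summary and is now hidden until the block is expanded. If the capabilities should stay visible, add the `open` attribute to the `<details>` tag or place the list above the block. The same applies to the other guides changed in this commit.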
15 changes: 5 additions & 10 deletions docs/user-guides/deny-with-redirect-to-login.md
Expand Up @@ -3,14 +3,11 @@
Customize response status code and headers on failed requests to redirect users of a web application protected with Authorino to a login page instead of a `401 Unauthorized`.

<details markdown="1">
<summary>
<strong>Authorino capabilities featured in this guide:</strong>
<ul>
<li>Dynamic response → <a href="../features.md#custom-denial-status-responseunauthenticated-and-responseunauthorized">Custom denial status</a></li>
<li>Identity verification & authentication → <a href="../features.md#api-key-authenticationapikey">API key</a></li>
<li>Identity verification & authentication → <a href="../features.md#jwt-verification-authenticationjwt">JWT verification</a></li>
</ul>
</summary>
<summary>Authorino capabilities featured in this guide</summary>

- Dynamic response → [Custom denial status](../features.md#custom-denial-status-responseunauthenticated-and-responseunauthorized)
- Identity verification & authentication → [API key](../features.md#api-key-authenticationapikey)
- Identity verification & authentication → [JWT verification](../features.md#jwt-verification-authenticationjwt)

Authorino's default response status codes, messages and headers for unauthenticated (`401`) and unauthorized (`403`) requests can be customized with static values and values fetched from the [Authorization JSON](../architecture.md#the-authorization-json).

Expand All @@ -19,8 +16,6 @@ Customize response status code and headers on failed requests to redirect users
For further details about Authorino features in general, check the [docs](../features.md).
</details>

<br/>

## Requirements

- Kubernetes server with permissions to install cluster-scoped resources (operator, CRDs and RBAC)
Expand Up @@ -11,15 +11,12 @@ The very definition of "edge" is subject to discussion, but the underlying idea
As a minimum, EAA allows to simplify authentication between applications and microservices inside the network, as well as to reduce authorization to domain-specific rules and policies, rather than having to deal all the complexity to support all types of clients in every node.

<details markdown="1">
<summary>
<strong>Authorino capabilities featured in this guide:</strong>
<ul>
<li>Dynamic response → <a href="../features.md#festival-wristband-tokens-responsesuccessheadersdynamicmetadatawristband">Festival Wristband tokens</a></li>
<li>Identity verification & authentication → <a href="../features.md#extra-identity-extension-authenticationdefaults-and-authenticationoverrides">Identity extension</a></li>
<li>Identity verification & authentication → <a href="../features.md#api-key-authenticationapikey">API key</a></li>
<li>Identity verification & authentication → <a href="../features.md#jwt-verification-authenticationjwt">JWT verification</a></li>
</ul>
</summary>
<summary>Authorino capabilities featured in this guide</summary>

- Dynamic response → [Festival Wristband tokens](../features.md#festival-wristband-tokens-responsesuccessheadersdynamicmetadatawristband)
- Identity verification & authentication → [Identity extension](../features.md#extra-identity-extension-authenticationdefaults-and-authenticationoverrides)
- Identity verification & authentication → [API key](../features.md#api-key-authenticationapikey)
- Identity verification & authentication → [JWT verification](../features.md#jwt-verification-authenticationjwt)

Festival Wristbands are OpenID Connect ID tokens (signed JWTs) issued by Authorino by the end of the Auth Pipeline, for authorized requests. It can be configured to include claims based on static values and values fetched from the [Authorization JSON](../architecture.md#the-authorization-json).

Expand All @@ -28,8 +25,6 @@ As a minimum, EAA allows to simplify authentication between applications and mic
For further details about Authorino features in general, check the [docs](../features.md).
</details>

<br/>

## Requirements

- Kubernetes server with permissions to install cluster-scoped resources (operator, CRDs and RBAC)
17 changes: 6 additions & 11 deletions docs/user-guides/envoy-jwt-authn-and-authorino.md
Expand Up @@ -9,21 +9,16 @@ The policy defines a geo-fence by which only requests originated in Great Britai
All requests to the Talker API will be authenticated in Envoy. However, requests to `/global` will **not** trigger the external authorization.

<details markdown="1">
<summary>
<strong>Authorino capabilities featured in this guide:</strong>
<ul>
<li>Identity verification & authentication → <a href="../features.md#plain-authenticationplain">Plain</a></li>
<li>External auth metadata → <a href="../features.md#http-getget-by-post-metadatahttp">HTTP GET/GET-by-POST</a></li>
<li>Authorization → <a href="../features.md#pattern-matching-authorization-authorizationpatternmatching">Pattern-matching authorization</a></li>
<li>Dynamic response → <a href="../features.md#custom-denial-status-responseunauthenticated-and-responseunauthorized">Custom denial status</a></li>
</ul>
</summary>
<summary>Authorino capabilities featured in this guide</summary>

- Identity verification & authentication → [Plain](../features.md#plain-authenticationplain)
- External auth metadata → [HTTP GET/GET-by-POST](../features.md#http-getget-by-post-metadatahttp)
- Authorization → [Pattern-matching authorization](../features.md#pattern-matching-authorization-authorizationpatternmatching)
- Dynamic response → [Custom denial status](../features.md#custom-denial-status-responseunauthenticated-and-responseunauthorized)

For further details about Authorino features in general, check the [docs](../features.md).
</details>

<br/>

## Requirements

- Kubernetes server with permissions to install cluster-scoped resources (operator, CRDs and RBAC)
15 changes: 5 additions & 10 deletions docs/user-guides/external-metadata.md
Expand Up @@ -3,14 +3,11 @@
Get online data from remote HTTP services to enhance authorization rules.

<details markdown="1">
<summary>
<strong>Authorino capabilities featured in this guide:</strong>
<ul>
<li>External auth metadata → <a href="../features.md#http-getget-by-post-metadatahttp">HTTP GET/GET-by-POST</a></li>
<li>Identity verification & authentication → <a href="../features.md#api-key-authenticationapikey">API key</a></li>
<li>Authorization → <a href="../features.md#open-policy-agent-opa-rego-policies-authorizationopa">Open Policy Agent (OPA) Rego policies</a></li>
</ul>
</summary>
<summary>Authorino capabilities featured in this guide</summary>

- External auth metadata → [HTTP GET/GET-by-POST](../features.md#http-getget-by-post-metadatahttp)
- Identity verification & authentication → [API key](../features.md#api-key-authenticationapikey)
- Authorization → [Open Policy Agent (OPA) Rego policies](../features.md#open-policy-agent-opa-rego-policies-authorizationopa)

You can configure Authorino to fetch additional metadata from external sources in request-time, by sending either GET or POST request to an HTTP service. The service is expected to return a JSON content which is appended to the [Authorization JSON](../architecture.md#the-authorization-json), thus becoming available for usage in other configs of the Auth Pipeline, such as in authorization policies or custom responses.

Expand All @@ -21,8 +18,6 @@ Get online data from remote HTTP services to enhance authorization rules.
For further details about Authorino features in general, check the [docs](../features.md).
</details>

<br/>

## Requirements

- Kubernetes server with permissions to install cluster-scoped resources (operator, CRDs and RBAC)
13 changes: 4 additions & 9 deletions docs/user-guides/http-basic-authentication.md
Expand Up @@ -3,13 +3,10 @@
Turn Authorino API key `Secret`s settings into HTTP basic auth.

<details markdown="1">
<summary>
<strong>Authorino capabilities featured in this guide:</strong>
<ul>
<li>Identity verification & authentication → <a href="../features.md#api-key-authenticationapikey">API key</a></li>
<li>Authorization → <a href="../features.md#pattern-matching-authorization-authorizationpatternmatching">Pattern-matching authorization</a></li>
</ul>
</summary>
<summary>Authorino capabilities featured in this guide</summary>

- Identity verification & authentication → [API key](../features.md#api-key-authenticationapikey)
- Authorization → [Pattern-matching authorization](../features.md#pattern-matching-authorization-authorizationpatternmatching)

HTTP "Basic" Authentication ([RFC 7235](https://datatracker.ietf.org/doc/html/rfc7235)) is not recommended if you can afford other more secure methods such as OpenID Connect. To support legacy nonetheless it is sometimes necessary to implement it.
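
Review bot: The context line at the end of this hunk cites RFC 7235 for HTTP "Basic" authentication. RFC 7235 defines the general HTTP authentication framework (and has since been obsoleted by RFC 9110); the Basic scheme itself is specified in RFC 7617. Since the block is being touched anyway, suggest pointing the link at RFC 7617, in this commit or a follow-up.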

Expand All @@ -20,8 +17,6 @@ Turn Authorino API key `Secret`s settings into HTTP basic auth.
For further details about Authorino features in general, check the [docs](../features.md).
</details>

<br/>

## Requirements

- Kubernetes server with permissions to install cluster-scoped resources (operator, CRDs and RBAC)
13 changes: 4 additions & 9 deletions docs/user-guides/injecting-data.md
Expand Up @@ -3,13 +3,10 @@
Inject HTTP headers with serialized JSON content.

<details markdown="1">
<summary>
<strong>Authorino capabilities featured in this guide:</strong>
<ul>
<li>Dynamic response → <a href="../features.md#json-injection-responsesuccessheadersdynamicmetadatajson">JSON injection</a></li>
<li>Identity verification & authentication → <a href="../features.md#api-key-authenticationapikey">API key</a></li>
</ul>
</summary>
<summary>Authorino capabilities featured in this guide</summary>

- Dynamic response → [JSON injection](../features.md#json-injection-responsesuccessheadersdynamicmetadatajson)
- Identity verification & authentication → [API key](../features.md#api-key-authenticationapikey)

Inject serialized custom JSON objects as HTTP request headers. Values can be static or fetched from the [Authorization JSON](../architecture.md#the-authorization-json).

Expand All @@ -18,8 +15,6 @@ Inject HTTP headers with serialized JSON content.
For further details about Authorino features in general, check the [docs](../features.md).
</details>

<br/>

## Requirements

- Kubernetes server with permissions to install cluster-scoped resources (operator, CRDs and RBAC)
13 changes: 4 additions & 9 deletions docs/user-guides/json-pattern-matching-authorization.md
Expand Up @@ -3,13 +3,10 @@
Write simple authorization rules based on JSON patterns matched against Authorino's Authorization JSON; check contextual information of the request, validate JWT claims, cross metadata fetched from external sources, etc.

<details markdown="1">
<summary>
<strong>Authorino capabilities featured in this guide:</strong>
<ul>
<li>Authorization → <a href="../features.md#pattern-matching-authorization-authorizationpatternmatching">Pattern-matching authorization</a></li>
<li>Identity verification & authentication → <a href="../features.md#jwt-verification-authenticationjwt">JWT verification</a></li>
</ul>
</summary>
<summary>Authorino capabilities featured in this guide</summary>

- Authorization → [Pattern-matching authorization](../features.md#pattern-matching-authorization-authorizationpatternmatching)
- Identity verification & authentication → [JWT verification](../features.md#jwt-verification-authenticationjwt)

Authorino provides a built-in authorization module to check simple pattern-matching rules against the [Authorization JSON](../architecture.md#the-authorization-json). This is an alternative to [OPA](../features.md#open-policy-agent-opa-rego-policies-authorizationopa) when all you want is to check for some simple rules, without complex logics, such as match the value of a JWT claim.

Expand All @@ -18,8 +15,6 @@ Write simple authorization rules based on JSON patterns matched against Authorin
For further details about Authorino features in general, check the [docs](../features.md).
</details>

<br/>

## Requirements

- Kubernetes server with permissions to install cluster-scoped resources (operator, CRDs and RBAC)
14 changes: 5 additions & 9 deletions docs/user-guides/keycloak-authorization-services.md
Expand Up @@ -5,19 +5,15 @@ Keycloak provides a powerful set of tools (REST endpoints and administrative UIs
This user guide is an example of how to use Authorino as an adapter to Keycloak Authorization Services while still relying on the reverse-proxy integration pattern, thus not involving importing an authorization library nor rebuilding the application's code.

<details markdown="1">
<summary>
<strong>Authorino capabilities featured in this guide:</strong>
<ul>
<li>Identity verification & authentication → <a href="../features.md#jwt-verification-authenticationjwt">JWT verification</a></li>
<li>Authorization → <a href="../features.md#open-policy-agent-opa-rego-policies-authorizationopa">Open Policy Agent (OPA) Rego policies</a></li>
</ul>
</summary>
<summary>Authorino capabilities featured in this guide</summary>

- Identity verification & authentication → [JWT verification](../features.md#jwt-verification-authenticationjwt)
- Authorization → [Open Policy Agent (OPA) Rego policies](../features.md#open-policy-agent-opa-rego-policies-authorizationopa)


For further details about Authorino features in general, check the [docs](../features.md).
</details>

<br/>

## Requirements

- Kubernetes server with permissions to install cluster-scoped resources (operator, CRDs and RBAC)