Enhancement Proposal: Authentication Filter

[shaun-nx]

Proposed changes

Status set to Implementable after merging #4136

This document proposes a solution for enabling Authentication use cases through NGINX Gateway Fabric.

Closes #4052

Checklist

Before creating a PR, run through this checklist and mark each as complete.

• I have read the CONTRIBUTING doc
• I have added tests that prove my fix is effective or that my feature works
• I have checked that all unit tests pass after adding my changes
• I have updated necessary documentation
• I have rebased my branch onto main
• I will ensure my PR is targeting the main branch and pulling from my branch from my own fork

Release notes

If this PR introduces a change that affects users and needs to be mentioned in the release notes,
please add a brief note that summarizes the change.

NONE

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 86.11%. Comparing base (96032ac) to head (dd5aaa8).

Additional details and impacted files

@@            Coverage Diff             @@
##             main    #4235      +/-   ##
==========================================
+ Coverage   86.09%   86.11%   +0.02%     
==========================================
  Files         131      131              
  Lines       14171    14171              
  Branches       35       35              
==========================================
+ Hits        12200    12203       +3     
+ Misses       1767     1765       -2     
+ Partials      204      203       -1     

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[salonichf5]

Suggested change

	This document focus expliclty on Authentiaction (AuthN) and not Authorization (AuthZ). Authentiaction (AuthN) defines the verification of identiy. It asks the question, "Who are you?". This is different from Authorization (AuthZ), which preceeds Authentication. It asks the question, "What are you allowed to do".
	This document focuses expliclty on Authentication (AuthN) and not Authorization (AuthZ). Authentication (AuthN) defines the verification of identiy. It asks the question, "Who are you?". This is different from Authorization (AuthZ), which preceeds Authentication. It asks the question, "What are you allowed to do".

[salonichf5]

we should specify the nginx modules these constants associate with

[shaun-nx]

Do you mean we should add a comment or rename the constants to reflect the module?

[salonichf5]

No the nginx module should be added as reference in the comment

// NGINX module: https://nginx.org/en/docs/http/ngx_http_auth_basic_module.html

[salonichf5]

why does it have to be in the same namespace? we can always resolve the secret in different namespace, unless there is another limitation assumed?

[sjberman]

Can we follow the ReferenceGrant pattern for accessing Secrets in another namespace?

[shaun-nx]

This comment was mostly to reflect security constraints. I noticed I didn't make note of it elsewhere in the proposal though. Mainly, we want to make sure that the AuthenticaitonFilter can only reference secrets in the same namespace by default, and like @sjberman said we can support integration with ReferenceGrant to support cross-namespace where needed.

I'll add a section to the proposal to cover that.

[shaun-nx]

@sjberman @salonichf5 The Security Considerations section should be updated now to talk about namespace isolation as well as cross-namespace support with ReferenceGrant

[ciarams87]

Can we remove or amend this comment to reflect this?

[sjberman]

The spec should use the Gateway API's ObjectReference type instead of two separate Secret and SecretRef fields.

[shaun-nx]

@ciarams87 I'll amend the comment around this.

[shaun-nx]

@sjberman good catch. The BasicAuth spec should just have a secretRef field so that it can work with reference grants.

[salonichf5]

I think he meant using the secretRef type as SecretObjectReference

[salonichf5]

nginx directives should be specified for the cases that apply.

[shaun-nx]

Good idea. I'll make that change.

[salonichf5]

same comment as below for specifying defaults and enum

[shaun-nx]

As I think about it, it might not make sense for something like this to have a default. Users should probably be very explicit about which mode they want to set. What do you think?

[salonichf5]

like 1: is for most frequently used?

[shaun-nx]

This specifies the directory depth of the cache file. In the case where you have a proxy_cache_path configuration like this:

proxy_cache_path /data/nginx/cache levels=1:2 keys_zone=one:10m;

The file names in a cache will look like this: /data/nginx/cache/c/29/b7f54b2df7773722d382f4809d65029c

From the docs:

The levels parameter defines hierarchy levels of a cache: from 1 to 3, each level accepts values 1 or 2. 

[salonichf5]

set defaults using kubebuilder: default

[salonichf5]

did not see this as a rule at API level, we will allow this at API spec level?

[shaun-nx]

We could likely add it at a CEL validation level. What are your thoughts? I've typically seen these kind of things handled by controller level validation, but it feels like CEL validation would be better if we want to reject the resource.

[salonichf5]

yeah I think we can have CEL validation to allow 401 and 403 to simplify things in the later step

[ciarams87]

These are mostly focussed on typos I spotted while doing a first pass, I haven't fully absorbed the content yet

[ciarams87]

Suggested change

	This document focuses expliclty on Authentication (AuthN) and not Authorization (AuthZ). Authentication (AuthN) defines the verification of identiy. It asks the question, "Who are you?". This is different from Authorization (AuthZ), which preceeds Authentication. It asks the question, "What are you allowed to do".
	This document focuses explicitly on Authentication (AuthN) and not Authorization (AuthZ). Authentication (AuthN) defines the verification of identity. It asks the question, "Who are you?". This is different from Authorization (AuthZ), which preceeds Authentication. It asks the question, "What are you allowed to do".

[ciarams87]

Suggested change

	- As an Application Developer, I want to enforce authenticaiton on specific routes and matches.
	- As an Application Developer, I want to enforce authentication on specific routes and matches.

[ciarams87]

Suggested change

	This portioan also contains:
	This portion also contains:

[ciarams87]

Suggested change

	- Example HTTPRoutes and NINGX configuration
	- Example HTTPRoutes and NGINX configuration

[ciarams87]

Suggested change

	- Example NINGX configuration for both Local & Remote JWKS
	- Example NGINX configuration for both Local & Remote JWKS

[ciarams87]

Suggested change

	Users sholud be advised to regularly rotate their JWKS keys in cases where they chose to reference a local JWKS via a `secrefRef` or `configMapRef`
	Users should be advised to regularly rotate their JWKS keys in cases where they chose to reference a local JWKS via a `secrefRef` or `configMapRef`

[ciarams87]

Suggested change

	We may choose to include these headers by default for improved robustness in auth falure responses.
	We may choose to include these headers by default for improved robustness in auth failure responses.

[ciarams87]

I had to look this up, I had never seen it before. It's been superseded by Cache-Control, I don't think we would need it, it's legacy from HTTP/1.0

[ciarams87]

Suggested change

	Our decision to go forward with our own `AuthenticationFilter` was to ensure we could quckly provide authenticaiton to our users while allowing us to closley monitor progress of the ExternalAuthFilter.
	Our decision to go forward with our own `AuthenticationFilter` was to ensure we could quickly provide authentication to our users while allowing us to closely monitor progress of the ExternalAuthFilter.

[sjberman]

To be clear, this proposed AuthenticationFilter is to supply different auth methods than provided in the ExternalAuth filter, and is technically unrelated.

[shaun-nx]

@sjberman that's not entirely true. If we went forward with ExternalAuth filter, we could build out an external auth service that uses NGINX. It wouldn't prevent us from supplying those auth methods.

[sjberman]

But that is unrelated to this AuthenticationFilter. This filter is to configure our NGINX data plane to perform native auth, without the need for an external entity. The ExternalAuthFilter is for just using an external entity for auth, whatever that entity may be (it wouldn't be our direct NGINX data plane, but it could be an external NGINX instance).

These are two different solutions for implementing auth for the user, and are not technically related to each other. I only mention this because this sentence in the doc implies that this Filter is being implemented as a workaround to the ExternalAuth filter, but it's really not, it's a different auth solution. Just being pedantic.

[ciarams87]

Suggested change

	In regards to documentation of filter behavour with the `AuthenticationFilter`, the Gateway API documentation on filters states the following:
	In regards to documentation of filter behaviour with the `AuthenticationFilter`, the Gateway API documentation on filters states the following:

[sjberman]

I'll do a more thorough review once I'm back online full time.

[sjberman]

The spec should use the Gateway API's ObjectReference type instead of two separate Secret and SecretRef fields.

[sjberman]

Can you use an Enum on an integer instead of CEL? I haven't tried this, maybe it only works for strings.

[shaun-nx]

Not sure. I'll see if it's possible though.

[salonichf5]

i think you should be able to since they resolve as strings?

[sjberman]

This can use the Duration type that we have defined.

[shaun-nx]

Sounds good. Out of curiosity, why do we have our own Duration type?

[sjberman]

It allows us to perform validation on the format of it.

[sjberman]

This can use the Duration type that we have defined.

[sjberman]

Suggested change

	Filters must be attached to a HTTPRoute at the `rules.matces` level.
	Filters must be attached to a HTTPRoute at the `rules.matches` level.

[sjberman]

Suggested change

	- This header explicitly set the body as plan text. This prevents browsers from treating the response as HTML or JavaScript, and is effective at mitigating Cross-side scrpting (XSS) through error pages
	- This header explicitly set the body as plain text. This prevents browsers from treating the response as HTML or JavaScript, and is effective at mitigating Cross-side scrpting (XSS) through error pages

[sjberman]

Suggested change

	When referencing an `AuthenticationFilter` in either a HTTPRoute or GRPCRoute, it is important that we ensure all configurable fields are validated, and that the resulting NGINX configuration is correct and secure
	When referencing an `AuthenticationFilter` in either a HTTPRoute or GRPCRoute, it is important that we ensure all configurable fields are validated, and that the resulting NGINX configuration is correct and secure.

[sjberman]

Suggested change

	an `AuthenticationFilter` that sets a `onFailure.statusCode` to anything other than `401` or `403` should be rejected. This relates to the "Auth failure behaviour" section in the Security Condierations section.
	An `AuthenticationFilter` that sets a `onFailure.statusCode` to anything other than `401` or `403` should be rejected. This relates to the "Auth failure behaviour" section in the Security Considerations section.

[sjberman]

To be clear, this proposed AuthenticationFilter is to supply different auth methods than provided in the ExternalAuth filter, and is technically unrelated.