Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Support API Key Auth #2630

Open
arkodg opened this issue Feb 16, 2024 · 15 comments · May be fixed by #4986
Open

Support API Key Auth #2630

arkodg opened this issue Feb 16, 2024 · 15 comments · May be fixed by #4986
Assignees
Labels
area/api API-related issues area/policy
Milestone

Comments

@arkodg
Copy link
Contributor

arkodg commented Feb 16, 2024

          > @zhaohuabing can we reuse the same Envoy Filter for API key auth ? 

The problem is, unlike HTTP Basic Auth, API key auth is much more flexible, the key can be in the header, path, or even body. I think we will need a dedicated envoy filter in Envoy if we want to support API key auth, we can follow the open API specs: https://swagger.io/docs/specification/authentication/api-keys/#:~:text=API%20keys%20are%20supposed%20to,mechanisms%20such%20as%20HTTPS%2FSSL.

Originally posted by @zhaohuabing in #1660 (comment)

@arkodg arkodg added help wanted Extra attention is needed area/api API-related issues area/policy labels Feb 16, 2024
@arkodg arkodg added this to the Backlog milestone Feb 16, 2024
@arkodg
Copy link
Contributor Author

arkodg commented Feb 16, 2024

blocked on upstream implementation in envoy

@zufardhiyaulhaq
Copy link
Contributor

@arkodg do you know the upstream implementation envoy tracking?

@zufardhiyaulhaq
Copy link
Contributor

I think this can be easily implemented by header or query matching right?

@arkodg
Copy link
Contributor Author

arkodg commented Apr 15, 2024

cc @zhaohuabing

@zhaohuabing
Copy link
Member

@arkodg @zufardhiyaulhaq It should be a simple Envoy Filter. I can pick it up when I get some bandwidth.

@arkodg arkodg modified the milestones: Backlog, v1.2.0-rc1 Aug 16, 2024
@arkodg arkodg modified the milestones: v1.2.0-rc1, Backlog Sep 19, 2024
@sanposhiho
Copy link
Contributor

/assign

@arkodg arkodg removed the help wanted Extra attention is needed label Sep 25, 2024
@missBerg
Copy link
Contributor

API Key Auth is also often related to a set of APIs that is accessible with that Key. Often stored elsewhere to determine if the resource (API) being accessed is allowed to be accessed with this Key.

What is the main purpose of this feature? To capture API key values for rate limiting only? Or to do AuthZ enforcement?

And how would we differentiate dynamically if an API key is subscribed to a higher rate limit than another API key?

@gecube
Copy link

gecube commented Oct 3, 2024

@missBerg it is very essential feature for us stopping the adoption of envoy gateway. The primary idea is to use it as AuthZ. Regarding rate limits - we can support different scenarios. Probably starting from separate rate limit for each API key.

And how would we differentiate dynamically if an API key is subscribed to a higher rate limit than another API key?

It should not be an issue.

When the basic rate limiting would be implemented, complex scenarios could be considered (like common rate limit for API keys from one user).

wbpcode added a commit to envoyproxy/envoy that referenced this issue Nov 1, 2024
<!--
!!!ATTENTION!!!

If you are fixing *any* crash or *any* potential security issue, *do
not*
open a pull request in this repo. Please report the issue via emailing
[email protected] where the issue will be triaged
appropriately.
Thank you in advance for helping to keep Envoy secure.

!!!ATTENTION!!!

For an explanation of how to fill out the fields, please see the
relevant section
in
[PULL_REQUESTS.md](https://github.com/envoyproxy/envoy/blob/main/PULL_REQUESTS.md)
-->

This PR adds the API for HTTP APIKey Auth Filter that is proposed at
#34877 and
envoyproxy/gateway#2630.

Commit Message: api: HTTP APIKey Auth Filter
Risk Level: Low (only API)
Testing: WIP (will be done after we agree on the API)
Docs Changes: WIP
Release Notes: WIP
Platform Specific Features: No
Part of: #34877

---------

Signed-off-by: Kensei Nakada <[email protected]>
Signed-off-by: wangbaiping(wbpcode) <[email protected]>
Co-authored-by: wangbaiping(wbpcode) <[email protected]>
update-envoy bot added a commit to envoyproxy/data-plane-api that referenced this issue Nov 1, 2024
<!--
!!!ATTENTION!!!

If you are fixing *any* crash or *any* potential security issue, *do
not*
open a pull request in this repo. Please report the issue via emailing
[email protected] where the issue will be triaged
appropriately.
Thank you in advance for helping to keep Envoy secure.

!!!ATTENTION!!!

For an explanation of how to fill out the fields, please see the
relevant section
in
[PULL_REQUESTS.md](https://github.com/envoyproxy/envoy/blob/main/PULL_REQUESTS.md)
-->

This PR adds the API for HTTP APIKey Auth Filter that is proposed at
envoyproxy/envoy#34877 and
envoyproxy/gateway#2630.

Commit Message: api: HTTP APIKey Auth Filter
Risk Level: Low (only API)
Testing: WIP (will be done after we agree on the API)
Docs Changes: WIP
Release Notes: WIP
Platform Specific Features: No
Part of: #34877

---------

Signed-off-by: Kensei Nakada <[email protected]>
Signed-off-by: wangbaiping(wbpcode) <[email protected]>
Co-authored-by: wangbaiping(wbpcode) <[email protected]>

Mirrored from https://github.com/envoyproxy/envoy @ 72b75074a0ee089ad81f68ae011e31f14c2936fe
Copy link

github-actions bot commented Nov 2, 2024

This issue has been automatically marked as stale because it has not had activity in the last 30 days.

@github-actions github-actions bot added the stale label Nov 2, 2024
@zhaohuabing zhaohuabing removed the stale label Nov 4, 2024
@arkodg arkodg modified the milestones: Backlog, v1.3.0-rc.1 Nov 22, 2024
@arkodg
Copy link
Contributor Author

arkodg commented Dec 10, 2024

looks like the upstream feature is in, is this something we can get in for v1.3 @sanposhiho ?

@sanposhiho
Copy link
Contributor

sanposhiho commented Dec 11, 2024

Yeah, how do we deal with the compatibility between gateway and envoy? Can we just introduce features in gateway with any latest features on envoy side immediately or do we have to wait for envoy to cut a new release?

@sanposhiho
Copy link
Contributor

Okay, I found:
https://gateway.envoyproxy.io/news/releases/matrix/

So, we can just start this implementation now, do I understand right?

@arkodg
Copy link
Contributor Author

arkodg commented Dec 11, 2024

yeah @sanposhiho, gateway main is based off proxy main

@arkodg
Copy link
Contributor Author

arkodg commented Dec 11, 2024

you'll also need to go getgithub.com/envoyproxy/go-control-plane@<latest>

@BryanFauble
Copy link

+1 to this feature/issue. This is an important feature for me. My use case:

I have OpenTelemetry data that I am ingesting from several sources (https://github.com/Sage-Bionetworks-Workflows/eks-stack/blob/ca523c66abc8d9b91e796c838f5d3c24784048cc/modules/signoz/main.tf#L252-L278 & https://github.com/Sage-Bionetworks-Workflows/eks-stack/blob/ca523c66abc8d9b91e796c838f5d3c24784048cc/modules/signoz/resources-otel-ingress/security-policy.yaml#L1-L13). I am currently enforcing that all incoming requests provide a JWT bearer token, however, I am limited with a monthly quota for the number of tokens that can be created per month via Auth0.

If I can swap to using an API key instead then I will be able to on-board more projects without the concern of filling up my monthly quota. This is also combined by the fact that the AWS supported OTEL collectors (For ECS and Lambda functions) have not implemented https://github.com/open-telemetry/opentelemetry-collector-contrib/tree/main/extension/oauth2clientauthextension

@sanposhiho sanposhiho linked a pull request Dec 31, 2024 that will close this issue
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
area/api API-related issues area/policy
Projects
None yet
Development

Successfully merging a pull request may close this issue.

7 participants