Enhancement Proposal: Authentication Filter

[shaun-nx]

Proposed changes

Status set to Implementable after merging #4136

This document proposes a solution for enabling Authentication use cases through NGINX Gateway Fabric.

Closes #4052

Checklist

Before creating a PR, run through this checklist and mark each as complete.

• I have read the CONTRIBUTING doc
• I have added tests that prove my fix is effective or that my feature works
• I have checked that all unit tests pass after adding my changes
• I have updated necessary documentation
• I have rebased my branch onto main
• I will ensure my PR is targeting the main branch and pulling from my branch from my own fork

Release notes

If this PR introduces a change that affects users and needs to be mentioned in the release notes,
please add a brief note that summarizes the change.

NONE

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 86.06%. Comparing base (668d4fb) to head (a0c8c04).
⚠️ Report is 1 commits behind head on main.

Additional details and impacted files

@@            Coverage Diff             @@
##             main    #4235      +/-   ##
==========================================
- Coverage   86.08%   86.06%   -0.03%     
==========================================
  Files         132      132              
  Lines       14342    14342              
  Branches       35       35              
==========================================
- Hits        12347    12344       -3     
- Misses       1791     1793       +2     
- Partials      204      205       +1     

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[salonichf5]

set defaults using kubebuilder: default

[sjberman]

If this is an optional field though, it shouldn't have a default.

[shaun-nx]

Is this a blanket statement? In the case of JWTTokenType, that is defined as an optional field. (i.e. it's optional for the user to set it) but we default to assigning the value to signed (e.g. auth_jwt_type signed;)

In the NGINX documentation, this directive defaults to signed when the directive is not specified.
So in my mind, making is optional for the user to specify this field, and providing a default value for it makes sense to me.

What are your thoughts?

[sjberman]

That's fine

[shaun-nx]

Thanks @sjberman
I did a review of the current optional fields with defaults. From what I can see, they should stay with those defaults. Curious what you think though.
These are:

// +optional
// +kubebuilder:default="Restricted"
Realm *string `json:"realm,omitempty"`

// +optional
// +kubebuilder:default=60s
Leeway *v1alpha1.Duration `json:"leeway,omitempty"`

// +optional
// +kubebuilder:default=signed
Type *JWTTokenType `json:"type,omitempty"`

// +optional
// +kubebuilder:default=access_token
TokenName string `json:"tokenName,omitempty"`

// +optional
// +kubebuilder:default=401
StatusCode *int32 `json:"statusCode,omitempty"`

// +optional
// +kubebuilder:default=Basic
Scheme *AuthScheme `json:"scheme,omitempty"`

// +optional
// +kubebuilder:default=Unauthorized
BodyPolicy *AuthFailureBodyPolicy `json:"bodyPolicy,omitempty"`

[ciarams87]

These are mostly focussed on typos I spotted while doing a first pass, I haven't fully absorbed the content yet

[ciarams87]

Suggested change

	Our decision to go forward with our own `AuthenticationFilter` was to ensure we could quckly provide authenticaiton to our users while allowing us to closley monitor progress of the ExternalAuthFilter.
	Our decision to go forward with our own `AuthenticationFilter` was to ensure we could quickly provide authentication to our users while allowing us to closely monitor progress of the ExternalAuthFilter.

[sjberman]

To be clear, this proposed AuthenticationFilter is to supply different auth methods than provided in the ExternalAuth filter, and is technically unrelated.

[shaun-nx]

@sjberman that's not entirely true. If we went forward with ExternalAuth filter, we could build out an external auth service that uses NGINX. It wouldn't prevent us from supplying those auth methods.

[sjberman]

But that is unrelated to this AuthenticationFilter. This filter is to configure our NGINX data plane to perform native auth, without the need for an external entity. The ExternalAuthFilter is for just using an external entity for auth, whatever that entity may be (it wouldn't be our direct NGINX data plane, but it could be an external NGINX instance).

These are two different solutions for implementing auth for the user, and are not technically related to each other. I only mention this because this sentence in the doc implies that this Filter is being implemented as a workaround to the ExternalAuth filter, but it's really not, it's a different auth solution. Just being pedantic.

[shaun-nx]

@sjberman do you think this statement needs to be changed in any way?

[sjberman]

This is fine

[sjberman]

I'll do a more thorough review once I'm back online full time.

[sjberman]

To be clear, this proposed AuthenticationFilter is to supply different auth methods than provided in the ExternalAuth filter, and is technically unrelated.

[sjberman]

Realm has a default here but not in Basic Auth. Is that ok? And does it need to be capitalized?

[shaun-nx]

Good catch. It doesn't need to be capitalized. This is mostly just for error logging from auth requests.

[sjberman]

Should we lowercase it then?

[shaun-nx]

We certainly can. The example in the nginx basic auth and jwt auth docs show the realm set as "closed site" so there really isn't any standard default for this.

This mainly is used for things like credential caching. It uses scheme + origin + realm as the cache key.

As I think about it more, it might be safer to leave this as an empty string by default so users don't get confused by behaviour.

What do you think?

[sjberman]

is this the nginx default? If so, I don't think it's needed in here. Same for any other fields that may already be nginx defaults. Up until now we haven't set nginx defaults directly in the policy, because if they ever change, then we have to update our policy too.

[shaun-nx]

I see. Thanks for catching that. For auth_jwt_leeway it defaults to 0s, so we can leave the default out of this one.
I'll make that same adjustment for the other fields. From what I ready up, 60s is a recommended setting in most scenarios when adjusting for clock skew. We can just document that though.

[shaun-nx]

This has been changed now. The comment shows +kubebuilder:default=0s to reflect the NGINX docs

[sjberman]

If we don't want a default, then we don't need that comment at all. just let nginx define it, we don't need to set it in the policy

[sjberman]

I think this should probably be named KeyMode to be more specific.

[sjberman]

Sorry, when I commented this I meant the field name, not the type. The type can stay as JWTKeyMode

[sjberman]

Same with the other fields that I left similar comments on.

[sjberman]

I'd name this FileKeySource, since File by itself isn't really clear

[sjberman]

RemoteKeySource for same reasons

[sjberman]

TokenType is more specific

[sjberman]

Any field types that have the name JWTToken in them should just be JWT, since the T in JWT stands for Token.

[sjberman]

I'm not opposed to having JWT in the names of these fields. It makes it clear that they are for JWT. My only gripe was having JWTToken, which is redundant.

[shaun-nx]

When I looked over it, while KeyMode was only related to JWT right now, the NGINX OIDC Module lets you specify a local secret, as well as a remote URL. So this could eventually be re-used when we implement OIDC auth

That being said, I'll look back over it and see if other fields where JWT was removed could still keep it.

[sjberman]

Should we lowercase it then?

[sjberman]

Being that JWT is an NGINX Plus feature, we should also outline that fact, and what the behavior would be if an OSS user attemps to specify it (probably reject it, make the route as invalid).

[shaun-nx]

Being that JWT is an NGINX Plus feature, we should also outline that fact, and what the behavior would be if an OSS user attemps to specify it (probably reject it, make the route as invalid).

Good point. I'll add that to the Status section.
Since we only process Filters that are attached to a HTTPRoute/GRPCRoute, should we reject the route itself, or can we "reject" the reference itself without needing to reject the route resource?

[sjberman]

Good point. I'll add that to the Status section.
Since we only process Filters that are attached to a HTTPRoute/GRPCRoute, should we reject the route itself, or can we "reject" the reference itself without needing to reject the route resource?

We should mark the rule invalid, but not the entire route. Other rules that don't use the filter can still work as intended, but this rule should not.

[shaun-nx]

Good point. I'll add that to the Status section.
Since we only process Filters that are attached to a HTTPRoute/GRPCRoute, should we reject the route itself, or can we "reject" the reference itself without needing to reject the route resource?

We should mark the rule invalid, but not the entire route. Other rules that don't use the filter can still work as intended, but this rule should not.

Sounds good. I'll make a note of that. Thanks @sjberman 👍

[sjberman]

Suggested change

	If a user attempts to attach a JWT tpye AuthenticationFilter while using NGINX OSS, the rule referncing the filter will be `Rejected`.
	If a user attempts to attach a JWT type AuthenticationFilter while using NGINX OSS, the rule referencing the filter will be `Rejected`.

[sjberman]

Is Invalid an option? UnresolvedRef generally means "we couldn't find this resource".

[salonichf5]

I think you want to use the ResolvedRefs condition on the Route to show an error message but condition should still be true to not mark the route invalid. You said you will just remove the route rule to handle the error. Similar to this.

[salonichf5]

and the route rule referencing the extensionRef should be rejected. Resource makes it sound like the route would be rejected.

[salonichf5]

just one small edit. Lgtm

[sjberman]

Let's not use SecretRef as the name either, for flexibility.

[sjberman]

Just some nits

[sjberman]

Suggested change

	These fields allow for more customization of how the JWT auth behavtes, but aren't required for the minial delivery of JWT Auth.
	These fields allow for more customization of how the JWT auth behaves, but aren't required for the minimal delivery of JWT Auth.

[sjberman]

Suggested change

	Example GoLang API changes:
	```go
	Example GoLang API changes:
	```go

[sjberman]

Suggested change

	Example: Grant BasicAuth in app-ns to read a Secret in security-ns
	```yaml
	Example: Grant BasicAuth in app-ns to read a Secret in security-ns
	```yaml

[sjberman]

Suggested change

	AuthenticationFilter referencing the cross-namespace Secret
	```yaml
	AuthenticationFilter referencing the cross-namespace Secret
	```yaml

[sjberman]

Suggested change

	Example of what implementation of these fields might look like:
	```yaml
	Example of what implementation of these fields might look like:
	```yaml

[sjberman]

This image is probably outdated a bit for the field names.

[sjberman]

It may not even be that necessary to have, up to you.

[sjberman]

I wonder if we set a default key that we can use in our docs so users don't have to specify this unless they explicitly change it.