Server Authz Endpoints

Configuration

Example Configuration

This section is intended as an example configuration to help users with a rough contextual layout of this configuration section; it is not intended to explain the options. The configuration shown may not be a valid configuration, and you should see the options section below and the navigation links to properly understand each option individually.

configuration.yml
server:
  endpoints:
    authz:
      forward-auth:
        implementation: 'ForwardAuth'
        authn_strategies:
          - name: 'HeaderAuthorization'
            schemes:
              - 'Basic'
          - name: 'CookieSession'
      ext-authz:
        implementation: 'ExtAuthz'
        authn_strategies:
          - name: 'HeaderAuthorization'
            schemes:
              - 'Basic'
          - name: 'CookieSession'
      auth-request:
        implementation: 'AuthRequest'
        authn_strategies:
          - name: 'HeaderAuthRequestProxyAuthorization'
            schemes:
              - 'Basic'
          - name: 'CookieSession'
      legacy:
        implementation: 'Legacy'
        authn_strategies:
          - name: 'HeaderLegacy'
          - name: 'CookieSession'

name

string, required

The first level under the authz directive is the name of the endpoint. In the example these names are forward-auth, ext-authz, auth-request, and legacy.

The name correlates with the path of the endpoint. All endpoints start with /api/authz/, and end with the name. In the example the forward-auth endpoint has a full path of /api/authz/forward-auth.

Valid characters for the name are alphanumeric as well as - and _. They MUST start AND end with an alphanumeric character.
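As an added example (not Authelia's own code), the following Go program encodes the naming rule and the path derivation described above so that an endpoint name can be checked before a configuration is deployed. The regular expression, ValidateEndpointName and EndpointPath are constructions for this example, not the project's implementation.

```go
package main

import (
	"fmt"
	"regexp"
)

// endpointName encodes the rule from the documentation: alphanumerics, '-' and '_',
// with the first and last character alphanumeric. A single alphanumeric character is
// accepted because it is both the first and the last character.
var endpointName = regexp.MustCompile(`^[A-Za-z0-9](?:[A-Za-z0-9_-]*[A-Za-z0-9])?$`)

// ValidateEndpointName reports whether name may be used as a key under server.endpoints.authz.
func ValidateEndpointName(name string) bool {
	return endpointName.MatchString(name)
}

// EndpointPath derives the full path the endpoint is served on (/api/authz/<name>),
// or returns an error when the configured name breaks the naming rule.
func EndpointPath(name string) (string, error) {
	if !ValidateEndpointName(name) {
		return "", fmt.Errorf("authz endpoint name %q is invalid: use alphanumerics, '-' and '_', and start and end with an alphanumeric", name)
	}
	return "/api/authz/" + name, nil
}

func main() {
	// Constructed sample names: the four from the example configuration plus some invalid ones.
	for _, name := range []string{"forward-auth", "ext-authz", "auth-request", "legacy", "-bad", "bad_", "a..b"} {
		path, err := EndpointPath(name)
		if err != nil {
			fmt.Println("rejected:", err)
			continue
		}
		fmt.Println("accepted:", path)
	}
}
```

Names that start or end with '-' or '_' are rejected, as are names containing any other character such as '.', ' ' or '/'.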

implementation

string, required

The underlying implementation for the endpoint. Valid case-sensitive values are ForwardAuth, ExtAuthz, AuthRequest, and Legacy. Read more about the implementations in the reference guide.

authn_strategies

list, not required

A list of authentication strategies and their configuration options. The strategies are tried in the order listed, and the first one that succeeds is used. A failure other than the request lacking the information the strategy needs immediately short-circuits authentication; when that information is merely absent, the next strategy in the list is attempted.

name

string, required

The name of the strategy. Valid case-sensitive values are CookieSession, HeaderAuthorization, HeaderProxyAuthorization, HeaderAuthRequestProxyAuthorization, and HeaderLegacy. Read more about the strategies in the reference guide.

schemes

list(string), default: Basic, not required

The list of schemes allowed on this endpoint. Options are Basic and Bearer. This option is only applicable to the HeaderAuthorization, HeaderProxyAuthorization, and HeaderAuthRequestProxyAuthorization strategies, and it is unavailable with the legacy endpoint, which only uses Basic.
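To make the ordering and short-circuit rule concrete, here is an added Go model of the strategy chain configured for the forward-auth endpoint in the example configuration. It is example code written for this page, not Authelia's implementation, and it covers both the ordering described under authn_strategies and the scheme restriction described here. The session cookie name authelia_session, the user and session tables, and the treatment of a header carrying a scheme the endpoint does not permit as missing information (so the next strategy is tried) are all assumptions made for the example.

```go
package main

import (
	"crypto/subtle"
	"encoding/base64"
	"fmt"
	"strings"
)

type Outcome string

const (
	Success       Outcome = "success"        // authenticated; the chain stops here
	NotApplicable Outcome = "not-applicable" // request lacks what the strategy needs; try the next one
	Failure       Outcome = "failure"        // information was present but wrong; the chain short-circuits
)

type Request struct { // minimal stand-in for a proxied request, constructed for this example
	Headers map[string]string
	Cookies map[string]string
}

type Strategy interface {
	Authenticate(r Request) (Outcome, string)
}

// HeaderAuthorization checks the Authorization header against the configured schemes. Only Basic
// is verified here (against a constructed user table); Bearer validation is outside this example.
type HeaderAuthorization struct {
	Schemes []string
	Users   map[string]string // username -> password, constructed sample data
}

func (s HeaderAuthorization) Authenticate(r Request) (Outcome, string) {
	header, ok := r.Headers["Authorization"]
	if !ok {
		return NotApplicable, "" // no header at all: fall through to the next strategy
	}
	scheme, credentials, _ := strings.Cut(header, " ")
	permitted := false
	for _, allowed := range s.Schemes {
		permitted = permitted || strings.EqualFold(scheme, allowed)
	}
	// Assumption for this example: a scheme the endpoint does not permit counts as missing information.
	if !permitted || !strings.EqualFold(scheme, "Basic") {
		return NotApplicable, ""
	}
	raw, err := base64.StdEncoding.DecodeString(credentials)
	if err != nil {
		return Failure, "" // malformed credentials are a hard failure
	}
	user, pass, ok := strings.Cut(string(raw), ":")
	if expected, known := s.Users[user]; !ok || !known || subtle.ConstantTimeCompare([]byte(pass), []byte(expected)) != 1 {
		return Failure, "" // wrong user or password: short-circuit, later strategies are not tried
	}
	return Success, user
}

// CookieSession resolves a session cookie; the cookie name is an assumption made for this example.
type CookieSession struct {
	Sessions map[string]string // session id -> username, constructed sample data
}

func (s CookieSession) Authenticate(r Request) (Outcome, string) {
	id, ok := r.Cookies["authelia_session"]
	if !ok {
		return NotApplicable, ""
	}
	if user, found := s.Sessions[id]; found {
		return Success, user
	}
	return Failure, "" // a cookie that matches no session is a hard failure
}

// Authenticate walks the strategies in configured order: the first Success wins, NotApplicable falls
// through, and any Failure stops the chain. The count of strategies consulted exposes the short-circuit.
func Authenticate(strategies []Strategy, r Request) (Outcome, string, int) {
	for i, s := range strategies {
		if outcome, user := s.Authenticate(r); outcome != NotApplicable {
			return outcome, user, i + 1
		}
	}
	return NotApplicable, "", len(strategies)
}

// ForwardAuth is the forward-auth chain from the example configuration above, with constructed data.
var ForwardAuth = []Strategy{
	HeaderAuthorization{Schemes: []string{"Basic"}, Users: map[string]string{"john": "s3cret"}},
	CookieSession{Sessions: map[string]string{"sess-1": "jane"}},
}

func Basic(user, pass string) string { return "Basic " + base64.StdEncoding.EncodeToString([]byte(user+":"+pass)) }

func main() {
	r := Request{Headers: map[string]string{"Authorization": Basic("john", "nope")}, Cookies: map[string]string{"authelia_session": "sess-1"}}
	outcome, user, consulted := Authenticate(ForwardAuth, r)
	fmt.Printf("outcome=%s user=%q consulted=%d\n", outcome, user, consulted) // the wrong password stops the chain before the cookie is read
}
```

The request in main carries both a wrong Basic password and a valid session cookie: because HeaderAuthorization had the information it needed and rejected it, the chain stops there and CookieSession is never consulted. A request with no Authorization header, or one whose scheme is not in the configured schemes list, falls through to CookieSession instead.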