Posted to notifications@apisix.apache.org by "Gallardot (via GitHub)" <gi...@apache.org> on 2023/04/03 12:19:54 UTC

[GitHub] [apisix] Gallardot opened a new issue, #9233: feat: As a user, I want forward-auth plugin to allow degradation , so that appropriate for some special scenarios.

Gallardot opened a new issue, #9233:
URL: https://github.com/apache/apisix/issues/9233

   ### Description
   
   As a user, I want the `forward-auth` plug-in to allow degradation when the authorization service is unavailable, which is suitable for some special scenarios.
   
   https://github.com/apache/apisix/blob/809ba09b26ddd62e0efa612f85e90d1aa938ce02/apisix/plugins/forward-auth.lua#L122-L126
   
   PS: For example, the [limit-count](https://apisix.apache.org/docs/apisix/plugins/limit-count/) plugin supports degradation when Redis is unavailable.
   
   


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: notifications-unsubscribe@apisix.apache.org

For queries about this service, please contact Infrastructure at:
users@infra.apache.org


[GitHub] [apisix] monkeyDluffy6017 closed issue #9233: feat: As a user, I want forward-auth plugin to allow degradation , so that appropriate for some special scenarios.

Posted by "monkeyDluffy6017 (via GitHub)" <gi...@apache.org>.
monkeyDluffy6017 closed issue #9233: feat: As a user, I want forward-auth plugin to allow degradation , so that appropriate for some special scenarios.
URL: https://github.com/apache/apisix/issues/9233




[GitHub] [apisix] Sn0rt commented on issue #9233: feat: As a user, I want forward-auth plugin to allow degradation , so that appropriate for some special scenarios.

Posted by "Sn0rt (via GitHub)" <gi...@apache.org>.
Sn0rt commented on issue #9233:
URL: https://github.com/apache/apisix/issues/9233#issuecomment-1504806841

   If a business system is configured with authentication and the authentication module is down, it is expected that the business system will refuse user authentication.
   
   This is different from cache optimization performance such as redis.




[GitHub] [apisix] Gallardot commented on issue #9233: feat: As a user, I want forward-auth plugin to allow degradation , so that appropriate for some special scenarios.

Posted by "Gallardot (via GitHub)" <gi...@apache.org>.
Gallardot commented on issue #9233:
URL: https://github.com/apache/apisix/issues/9233#issuecomment-1505045273

   > If the forward-auth supports a `degradation` config and `degradation` has been set to `true`, it will pass if the authentication server has given no obvious rejection (including the auth server being down), and only reject the authentication when specifying to return the HTTP status code of 4xx.
   > 
   > Is this what you mean?
   
   Yes.🤝




[GitHub] [apisix] Gallardot commented on issue #9233: feat: As a user, I want forward-auth plugin to allow degradation , so that appropriate for some special scenarios.

Posted by "Gallardot (via GitHub)" <gi...@apache.org>.
Gallardot commented on issue #9233:
URL: https://github.com/apache/apisix/issues/9233#issuecomment-1504907158

   > If a business system is configured with authentication and the authentication module is down, it is expected that the business system will refuse user authentication.
   > 
   > This is different from cache optimization performance such as redis.
   
   @Sn0rt 
   I totally agree with you. However, in some security detection scenarios, this is not mandatory. For example, we send the request to the security detection server through the `forward-auth` plug-in to achieve the effect of enhanced security. If the security detection server is unavailable, services are not affected.




[GitHub] [apisix] Sn0rt commented on issue #9233: feat: As a user, I want forward-auth plugin to allow degradation , so that appropriate for some special scenarios.

Posted by "Sn0rt (via GitHub)" <gi...@apache.org>.
Sn0rt commented on issue #9233:
URL: https://github.com/apache/apisix/issues/9233#issuecomment-1505047108

   @leslie-tsang cc




[GitHub] [apisix] shreemaan-abhishek commented on issue #9233: feat: As a user, I want forward-auth plugin to allow degradation , so that appropriate for some special scenarios.

Posted by "shreemaan-abhishek (via GitHub)" <gi...@apache.org>.
shreemaan-abhishek commented on issue #9233:
URL: https://github.com/apache/apisix/issues/9233#issuecomment-1513052839

   > And the `degradation` option only works for fault tolerance.
   
   IMHO, the correct way to add fault tolerance to an authentication system would be to add more replicas of the authentication server. If the user thinks that it's okay if the authentication is skipped for some requests in the case where the authentication server is unavailable, then the user is better off disabling the authentication completely.
   
   Maybe I am missing the author's point, but I don't really think that we should support this feature as it does not serve a bigger purpose.




[GitHub] [apisix] Sn0rt commented on issue #9233: feat: As a user, I want forward-auth plugin to allow degradation , so that appropriate for some special scenarios.

Posted by "Sn0rt (via GitHub)" <gi...@apache.org>.
Sn0rt commented on issue #9233:
URL: https://github.com/apache/apisix/issues/9233#issuecomment-1513034797

   > > In some internal services, security is not mandatory.
   > 
   > Then it's better not to use the plugin than to allow to skip authentication. WDYT?
   > 
   > I mean, at any cost, if we can afford to allow to skip authentication, then there is no point in authenticating all requests. We can TOTALLY skip authentication and not use the `forward-auth` plugin at all.
   
   The user can enable the `forward-auth` plugin for a specific router (path). If the `path` does not need authentication, the user can skip configuring this plugin.
   
   And the `degradation` option only works for fault tolerance.
   
   @shreemaan-abhishek 
   




[GitHub] [apisix] Sn0rt commented on issue #9233: feat: As a user, I want forward-auth plugin to allow degradation , so that appropriate for some special scenarios.

Posted by "Sn0rt (via GitHub)" <gi...@apache.org>.
Sn0rt commented on issue #9233:
URL: https://github.com/apache/apisix/issues/9233#issuecomment-1504974971

   > > If a business system is configured with authentication and the authentication module is down, it is expected that the business system will refuse user authentication.
   > > This is different from cache optimization performance such as redis.
   > 
   > @Sn0rt I totally agree with you. However, in some security detection scenarios, this is not mandatory. For example, we send the request to the security detection server through the `forward-auth` plug-in to achieve the effect of enhanced security. If the security detection server is unavailable, services are not affected.
   
   Got it. In some internal services, security is not mandatory.
   
   If the forward-auth supports a `degradation` config and `degradation` has been set to `true`, it will pass if the authentication server has given no obvious rejection (including the auth server being down), and only reject the authentication when specifying to return the HTTP status code of 4xx.
   
   Is this what you mean?
   
   


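The semantics proposed in the comment above, set beside fail-closed handling, as an added example that is not APISIX code and not from any participant in the thread. The `decide` function, the `degradation` field on `conf`, and the 403 returned when no verdict is available are assumptions made for illustration; the auth-service outcomes are constructed.

```lua
-- Added example: pure Lua, no APISIX APIs. All names are hypothetical.
-- res:  { status = <number> } from the auth service, or nil if unreachable
-- err:  error string when res is nil (constructed values below)
-- conf.degradation: the boolean option as named in the thread
local function decide(conf, res, err)
    if res and res.status >= 200 and res.status < 300 then
        return { allow = true, degraded = false }
    end

    -- An explicit 4xx is a verdict and is honoured in both modes.
    if res and res.status >= 400 and res.status < 500 then
        return { allow = false, status = res.status, degraded = false }
    end

    -- No verdict: unreachable, timed out, or any other status (e.g. 5xx).
    local reason = err or (res and ("auth status " .. res.status)) or "no response"
    if conf.degradation then
        return { allow = true, degraded = true, reason = reason }   -- fail open
    end
    -- Fail closed; 403 is an assumed default for this example.
    return { allow = false, status = 403, degraded = false, reason = reason }
end

-- Constructed auth-service outcomes.
local cases = {
    { name = "200 from auth", res = { status = 200 } },
    { name = "401 from auth", res = { status = 401 } },
    { name = "503 from auth", res = { status = 503 } },
    { name = "timeout",       res = nil, err = "timeout" },
}

for _, degradation in ipairs({ false, true }) do
    for _, c in ipairs(cases) do
        local d = decide({ degradation = degradation }, c.res, c.err)
        local outcome = d.allow and "pass" or ("reject " .. d.status)
        print(string.format("degradation=%-5s  %-13s -> %s",
                            tostring(degradation), c.name, outcome))
        if d.degraded then
            -- The request went upstream unchecked: record it so it can be
            -- counted and alerted on.
            io.stderr:write("WARN forward-auth degraded: ", d.reason, "\n")
        end
    end
end
```

Only the last two rows differ between the modes: with `degradation` on, the 503 and the timeout pass instead of being rejected. Each degraded pass is a request that reached the upstream without a verdict, so the count of those warnings measures how long the route ran unchecked.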


[GitHub] [apisix] Gallardot commented on issue #9233: feat: As a user, I want forward-auth plugin to allow degradation , so that appropriate for some special scenarios.

Posted by "Gallardot (via GitHub)" <gi...@apache.org>.
Gallardot commented on issue #9233:
URL: https://github.com/apache/apisix/issues/9233#issuecomment-1514191464

   @shreemaan-abhishek  
   
   We are applying this plugin to a security detection scenario, which expands the capabilities of this plugin. It's not just for user authentication. In the context of security detection, with this plugin we can capture requests and also intercept them.




[GitHub] [apisix] shreemaan-abhishek commented on issue #9233: feat: As a user, I want forward-auth plugin to allow degradation , so that appropriate for some special scenarios.

Posted by "shreemaan-abhishek (via GitHub)" <gi...@apache.org>.
shreemaan-abhishek commented on issue #9233:
URL: https://github.com/apache/apisix/issues/9233#issuecomment-1512789603

   > In some internal services, security is not mandatory.
   
   Then it's better not to use the plugin than to allow to skip authentication using a flag. WDYT? 




[GitHub] [apisix] shreemaan-abhishek commented on issue #9233: feat: As a user, I want forward-auth plugin to allow degradation , so that appropriate for some special scenarios.

Posted by "shreemaan-abhishek (via GitHub)" <gi...@apache.org>.
shreemaan-abhishek commented on issue #9233:
URL: https://github.com/apache/apisix/issues/9233#issuecomment-1514440914

   Let me give it a try. I'll be back with a PR soon.

