
APISIX to handle all handshakes between my client application and the 3rd party service, including getting the token, refreshing the token, etc.

Open janmpo opened this issue 10 months ago • 2 comments

Description

As a user, I want to rely on APISIX for everything related to 3rd party authentication / authorization (not my own services), so that I can centralize all API requests in APISIX, including APIs that do not belong to me.

Rationale: nowadays all the management of credentials is done inside the application, and every 3rd party forces you to use user/pass, openidc, oauth2 or other authn / authz mechanisms.

In this way I can provide a single entry point to my code and rely on APISIX for the different tasks that involve getting access (i.e.: if it is oauth2, APISIX will be in charge of getting the token, adding the token header to my app's REST request, refreshing the token automatically, etc.), and my applications will use an APISIX route which is protected like any other route, with the difference that this route is a 3rd party one, getting rid of all the complexity of the different access methods of API service providers.

From the API service provider's side, it will get the same headers and will notice no difference, as if it were coded in my client, but the magic will be done by APISIX.

All SSL handshakes and other steps will be done by APISIX in order to manipulate the headers / messages properly.

On top of that, all the credentials will be stored in APISIX and my application is not aware of these credentials (only the ones to access APISIX routes).

As far as I have seen in APISIX, keycloak-authz has a mechanism to get the token via "password_grant_token_generation_incoming_uri"; however, the idea is that APISIX is in charge of everything, not only delivering the new token to the application.

Finally, I don't know if it makes sense to include it in APISIX; as far as I have read, APISIX is about getting rid of the access complexity of your own services rather than third party ones.

Thanks for reading, and my apologies if it makes no sense.

janmpo avatar Mar 31 '24 19:03 janmpo

this is going to be very big 😅

shreemaan-abhishek avatar Apr 04 '24 06:04 shreemaan-abhishek

Yes, I know... actually I don't know whether it should be inside APISIX or should be another project...

But if you think about it, APISIX and other oauth2 proxies do much more complex things on the server / proxy side.

APISIX Lua scripts come to mind (I have no clue about Lua), but perhaps a Lua script inside APISIX, instead of denying or allowing access, can be in charge of getting / refreshing the needed token, adding the header to the request and doing the magic...

Thanks for your comment!


janmpo avatar Apr 04 '24 16:04 janmpo
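The flow the thread describes (gateway authenticates the client with its own credential, obtains a client-credentials token from the 3rd party, caches it, refreshes it before expiry, re-fetches on a 401, and never forwards the gateway credential upstream), as an added example that is not part of the original issue and not APISIX code. An APISIX implementation would be a Lua plugin or serverless function; this Python block models the same logic so the lifecycle can be exercised offline. Everything here is constructed: the authorization server, the upstream API and the clock are in-memory fakes, the `X-API-KEY` header and the 30 s refresh skew are assumptions, and no real endpoint is contacted.

```python
# Added example, not APISIX code: a model of the gateway-side token lifecycle the
# thread asks for. The authorization server, upstream API and clock are constructed
# in-memory fakes standing in for real HTTP calls, so it runs offline.
import json
import secrets
from dataclasses import dataclass

@dataclass
class Response:
    status: int
    headers: dict
    body: str

class FakeClock:
    """Controllable clock so token expiry can be exercised deterministically."""
    t = 0.0
    def now(self):
        return self.t

class FakeAuthServer:
    """Constructed stand-in for a 3rd-party OAuth2 token endpoint (client_credentials grant)."""
    def __init__(self, client_id, client_secret, ttl):
        self.creds, self.ttl = (client_id, client_secret), ttl
        self.valid = set()         # tokens the server still honours
        self.token_requests = 0    # how often the gateway had to call us

    def token(self, form):
        self.token_requests += 1
        if form.get("grant_type") != "client_credentials":
            return Response(400, {}, json.dumps({"error": "unsupported_grant_type"}))
        if (form.get("client_id"), form.get("client_secret")) != self.creds:
            return Response(401, {}, json.dumps({"error": "invalid_client"}))
        tok = secrets.token_urlsafe(24)
        self.valid.add(tok)
        return Response(200, {}, json.dumps(
            {"access_token": tok, "token_type": "Bearer", "expires_in": self.ttl}))

class FakeUpstream:
    """Constructed stand-in for the 3rd-party API the client actually wants to reach."""
    def __init__(self, auth):
        self.auth, self.saw_gateway_key = auth, False

    def send(self, headers, body):
        self.saw_gateway_key |= "X-API-KEY" in headers   # gateway credential must not leak upstream
        bearer = headers.get("Authorization", "")
        if not bearer.startswith("Bearer ") or bearer[7:] not in self.auth.valid:
            return Response(401, {"WWW-Authenticate": "Bearer"}, "")
        return Response(200, {}, "ok")

class TokenManager:
    """Caches one client-credentials token and refreshes it `skew` seconds before expiry."""
    def __init__(self, post_token, client_id, client_secret, now, skew=30.0):
        self.post_token, self.now, self.skew = post_token, now, skew
        self.form = {"grant_type": "client_credentials",
                     "client_id": client_id, "client_secret": client_secret}
        self._token, self._expires_at = "", 0.0

    def get(self, force=False):
        if not force and self._token and self.now() < self._expires_at - self.skew:
            return self._token
        resp = self.post_token(dict(self.form))
        if resp.status != 200:
            raise RuntimeError("token endpoint returned %d: %s" % (resp.status, resp.body))
        data = json.loads(resp.body)
        self._token = data["access_token"]
        self._expires_at = self.now() + float(data.get("expires_in", 0))
        return self._token

class GatewayRoute:
    """Checks the client's gateway key, swaps it for the upstream bearer token,
    and retries once with a forced refresh if the upstream rejects the token."""
    def __init__(self, tokens, upstream, gateway_keys):
        self.tokens, self.upstream, self.gateway_keys = tokens, upstream, gateway_keys

    def proxy(self, headers, body):
        if headers.get("X-API-KEY") not in self.gateway_keys:
            return Response(401, {}, "gateway: invalid client key")
        fwd = {k: v for k, v in headers.items() if k != "X-API-KEY"}
        fwd["Authorization"] = "Bearer " + self.tokens.get()
        resp = self.upstream(fwd, body)
        if resp.status == 401:   # revoked or expired server-side: refresh once and retry
            fwd["Authorization"] = "Bearer " + self.tokens.get(force=True)
            resp = self.upstream(fwd, body)
        return resp

def run_demo():
    clock, auth = FakeClock(), FakeAuthServer("my-client", "s3cret", ttl=300)
    upstream = FakeUpstream(auth)
    route = GatewayRoute(TokenManager(auth.token, "my-client", "s3cret", clock.now),
                         upstream.send, {"gw-key-1"})
    ok, out = {"X-API-KEY": "gw-key-1"}, {}
    out["unauth"] = route.proxy({"X-API-KEY": "wrong"}, "").status   # rejected at the gateway
    for _ in range(5):
        route.proxy(ok, "")
    out["token_calls_after_5"] = auth.token_requests      # one token serves all five calls
    clock.t = 280.0                                       # inside the 30 s pre-expiry window
    route.proxy(ok, "")
    out["token_calls_after_skew"] = auth.token_requests   # refreshed before the token ran out
    auth.valid.clear()                                    # server-side revocation
    out["after_revoke"] = route.proxy(ok, "").status      # upstream 401 -> refresh -> retry
    out["token_calls_after_revoke"] = auth.token_requests
    out["key_forwarded"] = upstream.saw_gateway_key
    return out
```

Two points matter for a real gateway plugin and are the reason the example keeps them separate: the client secret lives only in `TokenManager` (in APISIX that would be route or plugin configuration, never visible to the calling application), and the retry on 401 is bounded to one forced refresh, so a permanently revoked client cannot make the gateway hammer the token endpoint on every request.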