docs: decision record about authentication configuration #4300

Merged
merged 1 commit into from
Jun 25, 2024
@@ -0,0 +1,54 @@
# Api Authentication Configuration

## Decision

A new extension will be introduced for configuring the `ApiAuthenticationRegistry`

## Rationale

Recently, the `ApiAuthenticationRegistry` was introduced for associating a web context to a `AuthenticationService` in
order to use different auth mechanism for different contexts. Currently though, this association is expressed
in each `AuthenticationService` extension, which makes ti difficult to apply an `AuthenticationService` to a different
context compared to the current hardcoded one.

## Approach

Each implementor of `AuthenticationService` will also implement an `ApiAuthenticationProvider` which will provide an
instance of `AuthenticationService` based on the input configuration.

```java
public interface ApiAuthenticationProvider {

Result<AuthenticationService> provide(Config config);
}
```

Those providers can be registered in a registry `ApiAuthenticationProviderRegistry`, associated with the auth type (
basic,token, delegated, ...)

```java
public interface ApiAuthenticationProviderRegistry {

void register(String type, ApiAuthenticationProvider provider);

Result<ApiAuthenticationProvider> resolve(String type);
}
```

Then the new extension, leveraging the partition mechanism of EDC `web.http` config, will configure the association
between the context and the auth type in the prepare phase.

For example if a user wants to configure the `TokenBasedAuthenticationService` for the `management` context, a
configuration like this could be used:

```
web.http.management.auth.type=tokenbased
web.http.management.auth.key.alias=vaultAlias
```

For each web context the extension will read the `auth.type` if present, and will invoke the provider for that type with
the input configuration, associating then the created instance with the configured `context` in
the `ApiAuthenticationRegistry`.

> For backward compatibility we will leave in place the current hardcoded association
> context <-> `AuthenticationService`
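
Review bot: The Approach section does not say what the extension does when `resolve(type)` or `provide(config)` returns a failed `Result`, for instance when `web.http.management.auth.type` names a type that was never registered. Please state the intended behaviour in the paragraph starting "For each web context the extension will read the `auth.type` if present"; failing in the prepare phase would be the safer choice, since silently skipping the association could leave the context without the `AuthenticationService` the operator asked for. The backward-compatibility note should also say which side wins when a context has both a hardcoded association and a configured `auth.type`. Two smaller points: the type list reads "basic,token, delegated" while the example uses `auth.type=tokenbased`, so the canonical type strings should be spelled out once, and "makes ti difficult" in the Rationale should read "makes it difficult".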
1 change: 1 addition & 0 deletions docs/developer/decision-records/README.md
Expand Up @@ -56,3 +56,4 @@
- [2023-12-19 Token Handling Refactor](./2023-12-19-token-handling-refactor/)
- [2024-01-12 Dynamic Constraint Functions](./2024-01-12-dynamic-constraint-functions/)
- [2024-05-24 Dataplane Selection Improvements](./2024-05-24-dataplane-selection-improvements/)
- [2024-06-24 Api Authentication Configuration](./2024-06-24-api-authentication-configuration/)