coder2z commented on issue #11738:
URL: https://github.com/apache/apisix/issues/11738#issuecomment-2901281860

   In a microservices architecture, we have the following components:
   
   * Business Service A: Provides core business functionality
   * Authentication Service (auth-svr): Responsible for user identity 
verification
   * API Gateway APISIX: Request routing and authentication middleware layer
     
   The API endpoint /a/b/c is a public interface for retrieving content lists 
(such as news feeds) and supports both authenticated and unauthenticated user 
access.
   
   Request Flow Diagrams:
   
   1. Authenticated User Request Flow:
   ```
   ┌────────────┐     ┌────────────┐     ┌────────────┐     ┌────────────┐
   │   Client   │     │   APISIX   │     │  auth-svr  │     │  Business  │
   │(Logged in) │────►│ API Gateway│────►│  Auth Svc  │────►│ Service A  │
   └────────────┘     └────────────┘     └────────────┘     └────────────┘
     Request Hdrs:      Forwarded Hdrs:    Verification:      Received Hdrs:
     userid=123         userid=123         (Valid userid)     userid=123
     token=xyz          token=xyz                             token=xyz
   ```
   2. Unauthenticated User Request Flow:
   
   ```
   ┌────────────┐     ┌────────────┐     ┌────────────┐     ┌────────────┐
   │   Client   │     │   APISIX   │     │  auth-svr  │     │  Business  │
   │(Not logged)│────►│ API Gateway│────►│  Auth Svc  │────►│ Service A  │
   └────────────┘     └────────────┘     └────────────┘     └────────────┘
     Request Hdrs:      Forwarded Hdrs:    Verification:      Received Hdrs:
     userid=empty       userid=empty       (No userid needed)  userid=empty
     token=empty        token=empty                           token=empty
   ```
   3. Security Issue: Unauthenticated User with Forged userid:
   
   ```
   ┌────────────┐     ┌────────────┐     ┌────────────┐     ┌────────────┐
   │   Client   │     │   APISIX   │     │  auth-svr  │     │  Business  │
   │(Not logged)│────►│ API Gateway│────►│  Auth Svc  │────►│ Service A  │
   └────────────┘     └────────────┘     └────────────┘     └────────────┘
     Request Hdrs:      Forwarded Hdrs:    Token Verification:     Received Hdrs:
     userid=123         userid=123         Failed                  userid=123 ❌
     token=empty        token=empty        (Forged userid)         token=empty
   ```
   Requirement: When the auth-svr verifies that a user is not authenticated but 
the request contains a userid header, this forged userid should be removed from 
the request headers to ensure that no unverified user identifiers are passed to 
the business service.
   
   Expected Flow:
   
   ```
   ┌────────────┐     ┌────────────┐     ┌────────────┐     ┌────────────┐
   │   Client   │     │   APISIX   │     │  auth-svr  │     │  Business  │
   │(Not logged)│────►│ API Gateway│────►│  Auth Svc  │────►│ Service A  │
   └────────────┘     └────────────┘     └────────────┘     └────────────┘
     Request Hdrs:      Forwarded Hdrs:    Token Verification:     Received Hdrs:
     userid=123         userid=123         Failed                  userid=empty ✓
     token=empty        token=empty        (Remove forged userid)  token=empty
   ```


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: notifications-unsubscr...@apisix.apache.org

For queries about this service, please contact Infrastructure at:
us...@infra.apache.org
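The flow the comment asks for, as an added example that is not part of the issue thread and not APISIX's own forward-auth plugin (which is Lua): a small Python model of the gateway step between the client and Business Service A. It goes one step further than the requested fix, stripping client-supplied `userid` unconditionally and re-adding it only from what auth-svr verified, so even a logged-in client cannot pick its own `userid`. The header names `userid` and `token` come from the diagrams; `auth_svr_verify`, `gateway_forward` and the token table are assumptions constructed for this example.

```python
"""
Model of a gateway forward-auth step that never trusts client-supplied
identity headers.  Added example, not APISIX code: header names follow the
issue comment, the token table is a constructed stand-in for auth-svr.
"""
from typing import Dict, Optional

# Headers that carry identity and must only be set by the gateway after
# auth-svr has verified the token.  Names taken from the diagrams.
IDENTITY_HEADERS = ("userid",)
TOKEN_HEADER = "token"

# Constructed stand-in for auth-svr's state: valid token -> owning userid.
# A real auth-svr would verify a signature or look the token up.
_VALID_TOKENS = {"xyz": "123"}


def auth_svr_verify(token: Optional[str]) -> Optional[str]:
    """Return the verified userid for `token`, or None if the token is
    missing or invalid.  Stands in for the call to auth-svr."""
    if not token:
        return None
    return _VALID_TOKENS.get(token)


def gateway_forward(client_headers: Dict[str, str]) -> Dict[str, str]:
    """Build the header set the gateway forwards to Business Service A.

    Strategy (stricter than 'strip only when verification fails'):
      1. drop every identity header the client sent, whatever its value;
      2. call auth-svr with the token;
      3. re-add userid only from the verified result.
    The business service therefore only ever sees a userid that auth-svr
    vouched for; a forged one never reaches it.
    """
    # Lower-case names so 'UserId' cannot slip past a case-sensitive check.
    forwarded = {name.lower(): value for name, value in client_headers.items()}

    # Step 1: remove client-supplied identity headers unconditionally.
    for name in IDENTITY_HEADERS:
        forwarded.pop(name, None)

    # Step 2/3: only a verified token yields a userid on the upstream side.
    verified_userid = auth_svr_verify(forwarded.get(TOKEN_HEADER))
    if verified_userid is not None:
        forwarded["userid"] = verified_userid
    return forwarded


if __name__ == "__main__":
    # The four cases from the comment's diagrams, plus a client that is
    # logged in but tries to substitute someone else's userid.
    cases = {
        "logged in":             {"userid": "123", "token": "xyz"},
        "not logged in":         {},
        "forged userid":         {"userid": "123", "token": ""},
        "logged in, wrong uid":  {"UserId": "999", "token": "xyz"},
    }
    for label, headers in cases.items():
        print(f"{label:22s} client={headers} -> upstream={gateway_forward(headers)}")
```

Running the block shows the forged case arriving upstream without any `userid`, and the last case arriving with `userid=123` rather than the `999` the client asked for. In a real deployment the same rule applies to any header the upstream treats as identity (`X-User-ID`, `X-Roles`, and so on): the gateway must own those headers, not merely filter them when a check fails.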