I would like to deploy this on Kubernetes. Would it make sense for both the Auth Server and the Policy engine to talk to the API Gateway independently, or is it more accurate for only the Auth Server to talk to the API Gateway and the OPA to talk to the API Gateway only via the Auth Server?
At Curity we have some good resources related to this. Usually the first key consideration is around components that use data sources:

- These are always deployed with a reverse proxy / gateway in front of them, so that an attacker has to breach 2 layers to access data sources - this is covered in our IAM Primer.

In addition the gateway can then provide some interesting capabilities:

- Token Introspection and Caching
- Dynamic Routing

In terms of OPA it depends on how you will use it - here are a couple of possible options:

- Gateway calls OPA to perform high level checks to grant or deny access, as in this OPA use case
- The API calls OPA and passes it a Claims Principal, then uses the response to decide how to filter results, as described in our Claims Best Practices article
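The gateway-side flow the answer describes (introspect the token once at the Auth Server, cache the result, then ask OPA for a coarse allow/deny before routing upstream), as an added example in Python that is not code from the answer, from Curity or from OPA; the OPA URL, the `httpapi.authz` policy package and the `introspect` callable that reaches the Auth Server are assumptions.

```python
import hashlib
import json
import time
import urllib.request

# Assumed OPA Data API endpoint for a placeholder policy package "httpapi.authz".
OPA_URL = "http://opa.default.svc:8181/v1/data/httpapi/authz/allow"


class IntrospectionCache:
    """Gateway-side cache of RFC 7662 token introspection results."""

    def __init__(self, introspect, now=time.time):
        self.introspect = introspect  # callable(token) -> Auth Server introspection response
        self.now = now
        self.store = {}

    def lookup(self, token):
        # Key on a hash so raw bearer tokens are never held in the cache.
        key = hashlib.sha256(token.encode()).hexdigest()
        hit = self.store.get(key)
        if hit and hit["expires_at"] > self.now():
            return hit["claims"]
        claims = self.introspect(token)
        if not claims.get("active"):
            return None  # never cache a negative result, so revocation takes effect
        # Bound the cache lifetime by the token's exp and by a short TTL (60 s).
        expires_at = min(claims.get("exp", self.now() + 60), self.now() + 60)
        self.store[key] = {"claims": claims, "expires_at": expires_at}
        return claims


def opa_input(claims, method, path):
    """Build the OPA input document from the introspected claims and the request."""
    return {"input": {
        "subject": {"sub": claims.get("sub"), "scope": claims.get("scope", "").split()},
        "method": method, "path": path}}


def post_to_opa(doc, url=OPA_URL):
    req = urllib.request.Request(url, data=json.dumps(doc).encode(),
                                 headers={"Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=2) as resp:
        return json.load(resp)  # OPA answers {"result": true|false}


def gateway_decision(cache, token, method, path, query_opa=post_to_opa):
    """HTTP status the gateway should return before routing the call upstream."""
    claims = cache.lookup(token)
    if claims is None:
        return 401
    result = query_opa(opa_input(claims, method, path))
    return 200 if result.get("result") is True else 403
```

`query_opa` is injectable so the same decision logic can be exercised without a running OPA or Auth Server.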