Proxy supports authentication / authorization for specific routes

[Tratcher]

When defining proxy routes we should be able to specify Authorization criteria for that route and avoid proxying requests until that criteria is met.

This will need some support to be specified from config (probably by specifying the name of an authz policy that's configured in code), but it should also be configurable when using other data sources.

[Kahbazi]

avoid proxying requests until that criteria is met

This would be done by AuthorizationMiddleware, YARP doesn't need to do anything, right?

This could be the config.

"Routes": [
  {
    "RouteId": "backend1/route1",
    "BackendId": "backend1",
    "Match": {
      "Methods": [ "GET", "POST" ],
      "Host": "localhost",
      "Path": "/{**catchall}"
    },
    "AllowAnonymous": false,
    "Authorize": [
      {
        "Policy": "Policy1",
        "Roles": "Role1,Role2",
        "AuthenticationSchemes": "jwt"
      },
      {
        "Policy": "Policy2",
        "Roles": "Role3",
        "AuthenticationSchemes": "jwt"
      }
    ]
  }
]

and we could create IAuthorizeData, IAllowAnonymous in
https://github.com/microsoft/reverse-proxy/blob/ea7164c689ea06343b99a30aa7feecef4eda215d/src/ReverseProxy.Core/Service/DynamicEndpoints/RuntimeRouteBuilder.cs#L51-L66

My only question is that do we need two identical class for Authorize? One for ProxyRoute and one for ParsedRoute?

[Tratcher]

avoid proxying requests until that criteria is met

This would be done by AuthorizationMiddleware, YARP doesn't need to do anything, right?

Right. MVC does have an extra safety check in it to make sure the AuthorizationMiddleware ran, and we might copy that, but that should be all we need.

I hesitate to actually craft Authorize policies from scratch as part of the proxy config. If we really want to build those in config then that should be an AspNetCore feature outside of the proxy section that we reference by policy name.

[Kahbazi]

I hesitate to actually craft Authorize policies from scratch as part of the proxy config. If we really want to build those in config then that should be an AspNetCore feature outside of the proxy section that we reference by policy name.

I'm on the same page with you. Policy1 and Policy2 that I wrote in config would be a reference to ASP.NET Core policies. Just like the authentication scheme.

Do you think there should be also a config to set authorization for all routes?

[Tratcher]

Do you think there should be also a config to set authorization for all routes?

I don't know. I wonder how often you'd be able to use the same policy for every route? And if you did, that doesn't seem like dynamic data anymore so you'd probably do it in code?

[WeihanLi]

Do you think there should be also a config to set authorization for all routes?

I don't know. I wonder how often you'd be able to use the same policy for every route? And if you did, that doesn't seem like dynamic data anymore so you'd probably do it in code?

maybe compose Backend authorization and Route authorization is better, like controller and action in mvc, use route authorization policy if route policy exists, otherwise use backend authorization policy

[Tratcher]

maybe compose Backend authorization and Route authorization is better, like controller and action in mvc, use route authorization policy if route policy exists, otherwise use backend authorization policy

I don't follow. There wasn't any proposal here to have backend authorization policies, only route auth policies.