Passing auth result (client identity) to backend

[myidpt]

When mTLS is enabled, Sever side Envoy needs to send the client identity to the backend through HTTP header, so that backend can do its own check/processing based on the client identity.
Questions:
What HTTP header do we use?
How do we support this for non-HTTP requests (This is a stretch goal)?

[mattklein123]

@myidpt I'm not sure that this an Envoy specific question exactly. It seems like you need to write a filter to set some header based on some parameters of the client connection. Unless you are asking to specify some format that we would perform automatically for all requests? Can you expand please?

[myidpt]

I think it would be good to automatically set the client identity for all requests that did mTLS. But it also works for us if we use a filter to achieve the goal.
I think this is a question for Envoy whether to automatically set the header for all mTLS requests.

[mattklein123]

I'm open to setting a header by default, but:

1. What would the header be.
2. What would be in it?

Can you propose something?

[myidpt]

@lookuptable @lizan @wlu2016
I think we need more discussion on that.
Some options:
"from" header (https://en.wikipedia.org/wiki/List_of_HTTP_header_fields)
"x-ssl-" headers that some people used, probably not standardized.
Currently, we should have the client identity in it, resolved from client-cert SAN.

[PiotrSikora]

From is supposed to contain reachable email address, so we probably shouldn't use it, see RFC7231, sec. 5.5.1.

[lookuptable]

Thinking more about this, does it make more sense for us to have our own filter to do header injection? This allows us to do Istio specific sanitization (e.g. ignore non-URI identities in the SAN list) and use headers like x-istio-service-account.

[mattklein123]

I am skeptical that we are going to find a common header to fit this use case, and will probably need to make one up like the other x-envoy headers. However, since you already have your mixer filter, you could probably just do it there if you want specific functionality.

[wenchenglu]

we should give this a more generic name, x-service-account will be better than x-istio-service-account. We should also consider a consistent story passing other auth info to the backend like email address, group, issuer, etc. We have been using jwt token or json object to convey these info in the past. Since this is not an urgent feature, lets prepare a design to cover all these scenarios first.

[louiscryan]

I think there is utility in making this generic to Envoy. In advanced deployments having an edge proxy forward details about the TLS negotiation to backends can be useful x-forwarded-proto is an example of doing this but it doesn't help with mutual auth.

Theres some doc with HAProxy which is still pretty generic but it doesn't cover SANs

https://raymii.org/s/tutorials/haproxy_client_side_ssl_certificates.html#Sending_certificate_details_to_backend_application

and I wouldn't suggest we adopt their nomenclature. I think

x-forwarded-client-cert-****
e.g.
x-forwarded-client-cert-name -> common name
x-forwarded-client-cert-san -> SAN
etc..

fits better with whats already present. If Envoy was going to pick up generic header rewriting capabilities then I think we could use that.

Don't think we need to use x-envoy given that there's already a rough convention for x-forwarded-*.

@htuch - thoughts?

[htuch]

One issue to think about if we add fixed support into Envoy is how we handle multi-level proxying. XFF gets appended as you go, so you would have to be able to do something similar with the client cert info and make sure you keep all headers in sync (e.g. every proxy would have to insert all headers).

By generic header rewriting capabilities are you talking about something like https://support.citrix.com/article/CTX114461 (but obviously in the Envoy config and some way of getting at Envoy internal fields like the SSL cert name by label)?

BTW, looks like XFF and friends are now in the forwarded header covered by RFC https://tools.ietf.org/html/rfc7239.

[louiscryan]

I think side-car proxies might be the exception to XFF appending rules, there's not much use to the extra appending if the proxy is logically part of the receiving application.

Beyond that I think appending is the desired behavior though it clearly becomes tricky when were talking about appending details about things which are auth related. There is potential for the ultimate receiver to have confusion unless we're careful about the details. Maybe instead of separate headers for parts of the cert we have just one header and a format inside it? E.g.

X-Forwarded-Client-Cert: name=X; SAN=A; SAN=B; hash=1fd445e2

and then folks get to configure which of the fields in that format are filled out. This would allow normal header concatenation rules to apply while keeping the correlation with hops clear.