I want to set up a conditional reverse proxy feature with Envoyproxy, based on an OAuth access token, between my users and my application. I already have a Keycloak instance generating access tokens, and inside the generated access token there is already a custom attribute "mygroups" with a list of business groups.
I have the following constraints:
- Users must get the access token from my Keycloak instance; no valid access token means no access (which is pretty usual, I can do that without any problem)
- Reverse proxying must be finer according to the access token custom attribute list "mygroups":
  - Every user must be able to access /myapp/all/*
  - Only users with the group "admins" present in the access token custom attribute list "mygroups" can access /myapp/admin/*
  - Only users with the group "sales" present in the access token custom attribute list "mygroups" can access /myapp/sales/*
I am not able to find information on how to configure that finer level of "proxification".
Can someone propose an efficient way to configure Envoyproxy in my use case?
Or is it a very bad idea to try to use Envoy like that, and should another pattern be considered (sadly I have very little possibility to modify the existing access token generation)?
Many thanks to all !
The best thing I was able to find so far is to use JWT_filter and ext_authz_filter as done by juanvasquezreyes here: JWT_filter and ext_authz_filter
But it needs to be tuned to my specific access token and, more importantly, it seems a little bit hacky / perhaps not very simple and fit for production.
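As an added example (not the poster's configuration, nor anything from the linked project), the three path rules above can be expressed with two built-in Envoy HTTP filters and no external authorizer: `jwt_authn` validates the Keycloak token and copies its verified claims into dynamic metadata with `payload_in_metadata`, and the `rbac` filter then matches the `mygroups` list claim per URL prefix. The issuer and JWKS URLs, the `jwt_payload` metadata key, the cluster names and the upstream address are placeholders chosen for this example.

```yaml
# Added example, not the poster's config. Envoy filter chain:
# 1) jwt_authn rejects requests without a valid Keycloak token (401) and
#    stores the verified claims under dynamic metadata key "jwt_payload";
# 2) rbac allows /myapp/all/ to any authenticated user and /myapp/admin/,
#    /myapp/sales/ only when "mygroups" contains the matching group (else 403).
# All URLs, cluster names and addresses below are placeholders.
static_resources:
  listeners:
  - name: ingress
    address:
      socket_address: { address: 0.0.0.0, port_value: 8080 }
    filter_chains:
    - filters:
      - name: envoy.filters.network.http_connection_manager
        typed_config:
          "@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager
          stat_prefix: ingress_http
          route_config:
            name: local_route
            virtual_hosts:
            - name: myapp
              domains: ["*"]
              routes:
              - match: { prefix: "/myapp/" }
                route: { cluster: myapp }
          http_filters:
          - name: envoy.filters.http.jwt_authn
            typed_config:
              "@type": type.googleapis.com/envoy.extensions.filters.http.jwt_authn.v3.JwtAuthentication
              providers:
                keycloak:
                  issuer: "https://keycloak.example.invalid/realms/myrealm"   # placeholder
                  remote_jwks:
                    http_uri:
                      uri: "https://keycloak.example.invalid/realms/myrealm/protocol/openid-connect/certs"  # placeholder
                      cluster: keycloak_jwks
                      timeout: 5s
                    cache_duration: 300s
                  # Verified claims become dynamic metadata
                  # envoy.filters.http.jwt_authn -> jwt_payload -> <claims>
                  payload_in_metadata: jwt_payload
              rules:
              - match: { prefix: "/myapp/" }
                requires: { provider_name: keycloak }
          - name: envoy.filters.http.rbac
            typed_config:
              "@type": type.googleapis.com/envoy.extensions.filters.http.rbac.v3.RBAC
              rules:
                action: ALLOW          # anything not matched by a policy is denied
                policies:
                  all-users:
                    permissions:
                    - url_path: { path: { prefix: "/myapp/all/" } }
                    principals:
                    - any: true        # token validity already enforced by jwt_authn
                  admins-only:
                    permissions:
                    - url_path: { path: { prefix: "/myapp/admin/" } }
                    principals:
                    - metadata:
                        filter: envoy.filters.http.jwt_authn
                        path: [ { key: jwt_payload }, { key: mygroups } ]
                        value:
                          list_match:  # "mygroups" is a JSON array of strings
                            one_of:
                              string_match: { exact: "admins" }
                  sales-only:
                    permissions:
                    - url_path: { path: { prefix: "/myapp/sales/" } }
                    principals:
                    - metadata:
                        filter: envoy.filters.http.jwt_authn
                        path: [ { key: jwt_payload }, { key: mygroups } ]
                        value:
                          list_match:
                            one_of:
                              string_match: { exact: "sales" }
          - name: envoy.filters.http.router
            typed_config:
              "@type": type.googleapis.com/envoy.extensions.filters.http.router.v3.Router
  clusters:
  - name: myapp                        # placeholder upstream
    type: STRICT_DNS
    load_assignment:
      cluster_name: myapp
      endpoints:
      - lb_endpoints:
        - endpoint:
            address:
              socket_address: { address: myapp.internal, port_value: 8000 }
  - name: keycloak_jwks                # placeholder; needs a TLS transport_socket in practice
    type: STRICT_DNS
    load_assignment:
      cluster_name: keycloak_jwks
      endpoints:
      - lb_endpoints:
        - endpoint:
            address:
              socket_address: { address: keycloak.example.invalid, port_value: 443 }
```

Two points worth checking when adapting this: `list_match.one_of` matches when any element of the claim array equals the given string, so a token whose `mygroups` is `["sales","admins"]` passes both group policies, while a token that carries the claim as a single string instead of an array will not match and is denied; and because `jwt_authn` runs before `rbac`, a missing or invalid token is rejected before any path rule is evaluated, so the `any: true` principal never admits an unauthenticated request. Any path under `/myapp/` that is not listed in a policy (for example `/myapp/other/`) is denied by the `ALLOW` action's implicit default.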