| author | James Elliott <james-d-elliott@users.noreply.github.com> | 2025-02-24 18:49:15 +1100 |
|---|---|---|
| committer | GitHub <noreply@github.com> | 2025-02-24 18:49:15 +1100 |
| commit | 05fa254f27e6a1eee89abe8c5512d27de77cd7e7 (patch) | |
| tree | 8f56e80b855f611000fe142303026f0ed71ef7ed /docs | |
| parent | 194dd221ab7a5f2c9667b967532152df4914226a (diff) | |
feat(handlers): basic authz caching (#8320)
This adds the ability to cache successful basic authz attempts. This is done via a memory store that uses the HMAC-SHA256 algorithm to perform irreversible comparison of input parameters and has a maximum lifetime.
Closes #5006
Signed-off-by: James Elliott <james-d-elliott@users.noreply.github.com>
Diffstat (limited to 'docs')
| -rw-r--r-- | docs/content/configuration/miscellaneous/server-endpoints-authz.md | 14 |
| -rw-r--r-- | docs/static/schemas/v4.39/json-schema/configuration.json | 14 |
2 files changed, 25 insertions, 3 deletions
diff --git a/docs/content/configuration/miscellaneous/server-endpoints-authz.md b/docs/content/configuration/miscellaneous/server-endpoints-authz.md index 2f5e943fa..3dc50f5b3 100644 --- a/docs/content/configuration/miscellaneous/server-endpoints-authz.md +++ b/docs/content/configuration/miscellaneous/server-endpoints-authz.md @@ -33,6 +33,7 @@ server: - name: 'HeaderAuthorization' schemes: - 'Basic' + scheme_basic_cache_lifespan: 0 - name: 'CookieSession' ext-authz: implementation: 'ExtAuthz' @@ -40,6 +41,7 @@ server: - name: 'HeaderAuthorization' schemes: - 'Basic' + scheme_basic_cache_lifespan: 0 - name: 'CookieSession' auth-request: implementation: 'AuthRequest' @@ -47,12 +49,10 @@ server: - name: 'HeaderAuthorization' schemes: - 'Basic' + scheme_basic_cache_lifespan: 0 - name: 'CookieSession' legacy: implementation: 'Legacy' - authn_strategies: - - name: 'HeaderLegacy' - - name: 'CookieSession' ``` ## name @@ -99,3 +99,11 @@ the [reference guide](../../reference/guides/proxy-authorization.md#authn-strate The list of schemes allowed on this endpoint. Options are `Basic`, and `Bearer`. This option is only applicable to the `HeaderAuthorization`, `HeaderProxyAuthorization`, and `HeaderAuthRequestProxyAuthorization` strategies and unavailable with the `legacy` endpoint which only uses `Basic`. + +#### scheme_basic_cache_lifespan + +{{< confkey type="string,integer" syntax="duration" default="0 seconds" required="no" >}} + +The lifespan to cache username and password combinations when using the `Basic` scheme. This option enables the use +of the caching which is completely disabled by default. This option must only be used when the `Basic` scheme is +configured, and like all new options may not be used with the `Legacy` implementation. diff --git a/docs/static/schemas/v4.39/json-schema/configuration.json b/docs/static/schemas/v4.39/json-schema/configuration.json index 532545a9a..0b588560d 100644 --- a/docs/static/schemas/v4.39/json-schema/configuration.json 
+++ b/docs/static/schemas/v4.39/json-schema/configuration.json @@ -3261,6 +3261,20 @@ "default": [ "basic" ] + }, + "scheme_basic_cache_lifespan": { + "oneOf": [ + { + "type": "string", + "pattern": "^\\d+\\s*(y|M|w|d|h|m|s|ms|((year|month|week|day|hour|minute|second|millisecond)s?))(\\s*\\d+\\s*(y|M|w|d|h|m|s|ms|((year|month|week|day|hour|minute|second|millisecond)s?)))*$" + }, + { + "type": "integer", + "description": "The duration in seconds" + } + ], + "title": "Scheme Basic Cache Lifespan", + "description": "The lifespan for cached basic scheme authorization attempts." } }, "additionalProperties": false, |
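Review bot: in the `@@ -47,12 +49,10` hunk of server-endpoints-authz.md, the `authn_strategies` block (`HeaderLegacy`, `CookieSession`) is dropped from the `legacy` endpoint example, which the commit message does not mention and which has nothing to do with Basic caching. Either explain the removal in the commit message or move it to its own change, and confirm the example still matches what the `Legacy` implementation accepts, since the `schemes` text a few lines below still describes the `legacy` endpoint's behaviour.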
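Review bot: the new `scheme_basic_cache_lifespan` section in server-endpoints-authz.md (hunk `@@ -99,3 +99,11`) says how to turn the cache on but not what an operator accepts by doing so. The commit message states that successful Basic attempts are cached for a maximum lifetime, so the docs should say whether a password change or a disabled account takes effect before a cached entry expires, and advise keeping the lifespan short. It would also help to state outright that `0` disables the cache (the text only says caching is "completely disabled by default") and to reword "enables the use of the caching".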
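Review bot: the integer branch of `scheme_basic_cache_lifespan` in configuration.json (hunk `@@ -3261,6 +3261,20`) has no lower bound, so a negative number of seconds passes schema validation; add `"minimum": 0` next to `"type": "integer"`. The property also declares no `default`, although the docs give `0 seconds` and the preceding property in the same hunk declares one. The description "cached basic scheme authorization attempts" could be aligned with the docs wording, which speaks of username and password combinations.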
