DevConf.US 2022

How do you handle authentication and authorization in your API projects? Do you bake them as part of your application’s code?

It turns out that decoupling your application’s runtime auth layer to an external authorization service is a good practice that improves maintainability, scalability and performance, governance, among other aspects of the software process and operation. And there are secure and practical ways to do so. Even better when the tools you rely on are made for Kubernetes and the cloud context we all live in nowadays!

This talk will introduce one of the latest developments in API protection, sponsored by Red Hat, a general-purpose Kubernetes-native external authorization service, that pairs with Envoy Proxy's external authorization protocol for identity verification and authorization policy enforcement. We will walk you through the steps of protecting an API ecosystem or API mesh, for use cases such as of authentication and authorization based on JWTs and OpenID Connect, API keys, Kubernetes TokenReviews and SubjectAccessReviews (aka Service Account tokens and Kube RBAC), Open Policy Agent, and many other patterns and auth technologies, using one single tool.

It is not a proxy, it is not another Identity Provider/SSO server, it doesn’t involve changing your application’s code. At the same time, it’s clean, versatile, cloud-native, and of course it’s open source. It’s Authorino!

After this talk, you will feel comfortable to implement state of the art Zero Trust API security for your applications running on Kubernetes, by just writing a small piece of YAML code.