- Each request that matches the `/auth/:intent` schema is forwarded to the auth service endpoints according to the intent (i.e., `signin`, `signout`, `signup`).
- Each request that begins with `/api/...` is evaluated against the predefined paths (the `matchPaths[].value` property in `config.yaml`):
  - If a match occurs, the gateway determines whether the end-user is authorized by interacting with the auth service endpoint.
  - If the claimed authorization is valid:
    - The unique identifier (i.e., ID) of the verified user is bound to the predefined header (the `auth.internal.idHeader` property in `config.yaml`). In this way, internal services can trust this header to recognize the authenticated end-user.
    - Finally, the end-user's request is forwarded to the target service by the reverse proxy.
😒 Some limitations
- All auth service paths (e.g., `signupPath`) must allow the HTTP POST method.
- After successful validation of an end-user session, the auth service must return a JSON response with the following property:
  - `id`: the system-wide strictly unique identifier of the end-user.
- All requests going towards internal services must be fully authorized. For the time being, paths that belong to the same service cannot be conditionally excluded from the authorization process. In brief, no public API endpoints yet!
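The routing flow above and the two auth-service contract points from the limitations (the validation path must accept POST; a valid session yields a JSON `id`) as an added Go example. This is not the gateway's own code: it assumes a validation path (`/validate`), Go field names for the `config.yaml` keys, a bearer token in the `Authorization` header as the end-user's credential, and it constructs in-process fake auth and internal services with `httptest`. The point worth taking from it is the `Header.Del` before the `Header.Set`: because internal services trust `auth.internal.idHeader`, the gateway must discard any copy of that header a client sends before binding the verified id, otherwise the trust the page describes is only as strong as the client's honesty.

```go
package main

import (
	"encoding/json"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"net/http/httputil"
	"net/url"
	"strings"
)

type Config struct { // values from config.yaml; Go field names and ValidatePath are assumptions for this example
	MatchPaths   []string // matchPaths[].value: path prefixes that require authorization
	IDHeader     string   // auth.internal.idHeader: header internal services trust
	ValidatePath string   // assumed auth service path that validates a session (must accept POST)
}

// matchesInternal reports whether an /api/... path hits a configured matchPaths entry.
func matchesInternal(cfg Config, path string) bool {
	for _, p := range cfg.MatchPaths {
		if strings.HasPrefix(path, "/api/") && strings.HasPrefix(path, p) {
			return true
		}
	}
	return false
}

// validateSession POSTs the caller's credential to the auth service and returns the id from its JSON reply.
func validateSession(cfg Config, authBase string, in *http.Request) (string, error) {
	req, _ := http.NewRequest(http.MethodPost, authBase+cfg.ValidatePath, nil)
	req.Header.Set("Authorization", in.Header.Get("Authorization"))
	resp, err := http.DefaultClient.Do(req)
	if err != nil {
		return "", err
	}
	defer resp.Body.Close()
	var reply struct{ ID string `json:"id"` }
	if resp.StatusCode != http.StatusOK || json.NewDecoder(resp.Body).Decode(&reply) != nil || reply.ID == "" {
		return "", fmt.Errorf("auth service did not confirm the session (status %d)", resp.StatusCode)
	}
	return reply.ID, nil
}

// NewGateway: /auth/:intent is proxied to the auth service; matched /api/ paths are authorized, stamped and proxied.
func NewGateway(cfg Config, authURL, targetURL string) http.Handler {
	authU, _ := url.Parse(authURL)
	targetU, _ := url.Parse(targetURL)
	authProxy, targetProxy := httputil.NewSingleHostReverseProxy(authU), httputil.NewSingleHostReverseProxy(targetU)
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if strings.HasPrefix(r.URL.Path, "/auth/") { // signin, signout, signup
			authProxy.ServeHTTP(w, r)
			return
		}
		if !matchesInternal(cfg, r.URL.Path) {
			http.NotFound(w, r) // no public endpoints yet: unmatched paths are refused
			return
		}
		r.Header.Del(cfg.IDHeader) // never forward a client-supplied copy of the trusted header
		id, err := validateSession(cfg, authURL, r)
		if err != nil {
			http.Error(w, "unauthorized", http.StatusUnauthorized)
			return
		}
		r.Header.Set(cfg.IDHeader, id) // bind the verified id for the internal service
		targetProxy.ServeHTTP(w, r)
	})
}

// Scenario runs one request through the gateway between constructed fake auth and internal services; the internal service echoes the id header it received, so the body shows what it trusted.
func Scenario(path, token, spoofedID string) (int, string) {
	cfg := Config{MatchPaths: []string{"/api/orders"}, IDHeader: "X-User-ID", ValidatePath: "/validate"}
	auth := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.URL.Path == cfg.ValidatePath && (r.Method != http.MethodPost || r.Header.Get("Authorization") != "Bearer good-token") {
			http.Error(w, "invalid session", http.StatusUnauthorized)
			return
		}
		json.NewEncoder(w).Encode(map[string]string{"id": "user-42"}) // constructed valid session
	}))
	target := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { io.WriteString(w, r.Header.Get(cfg.IDHeader)) }))
	gw := httptest.NewServer(NewGateway(cfg, auth.URL, target.URL))
	defer func() { auth.Close(); target.Close(); gw.Close() }()
	req, _ := http.NewRequest(http.MethodGet, gw.URL+path, nil)
	req.Header.Set("Authorization", "Bearer "+token)
	req.Header.Set(cfg.IDHeader, spoofedID) // a value the client tries to inject
	resp, err := http.DefaultClient.Do(req)
	if err != nil {
		panic(err)
	}
	defer resp.Body.Close()
	body, _ := io.ReadAll(resp.Body)
	return resp.StatusCode, strings.TrimSpace(string(body))
}

func main() {
	fmt.Println(Scenario("/api/orders", "good-token", "user-1")) // 200 user-42: the spoofed header was replaced
}
```

Running `main` shows the internal service receiving `user-42`, the id the auth service confirmed, even though the client sent `X-User-ID: user-1`. With an invalid token the gateway answers 401 before the internal service is reached, an unmatched `/api/` path gets 404 (the "no public endpoints" rule), and `/auth/signin` is handed straight to the auth service without any authorization check.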