Merge branch 'v1.16' into filinto/add-ollama

Mark Fussell 2025-08-28 12:02:08 -07:00 committed by GitHub
commit 09df81fefc
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
2 changed files with 124 additions and 0 deletions

View File

@ -36,6 +36,8 @@ spec:
value: "authorization" value: "authorization"
- name: forceHTTPS - name: forceHTTPS
value: "false" value: "false"
- name: pathFilter
value: ".*/users/.*"
``` ```
{{% alert title="Warning" color="warning" %}} {{% alert title="Warning" color="warning" %}}
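Review bot: the `pathFilter` example value `.*/users/.*` added in this hunk is unanchored, so it matches any request path that merely contains `/users/` (for example `/api/admin/users/1`), while the new "Request path filtering" section later in this file uses the anchored form `^/api/users/.*`. Suggest using the anchored pattern here as well so the two examples agree and the filter cannot match more routes than intended.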
@ -54,6 +56,7 @@ The above example uses secrets as plain strings. It is recommended to use a secr
| redirectURL | The URL of your web application that the authorization server should redirect to once the user has authenticated | `"https://myapp.com"` | redirectURL | The URL of your web application that the authorization server should redirect to once the user has authenticated | `"https://myapp.com"`
| authHeaderName | The authorization header name to forward to your application | `"authorization"` | authHeaderName | The authorization header name to forward to your application | `"authorization"`
| forceHTTPS | If true, enforces the use of TLS/SSL | `"true"`,`"false"` | | forceHTTPS | If true, enforces the use of TLS/SSL | `"true"`,`"false"` |
| pathFilter | Applies the middleware only to requests matching the given path pattern | `".*/users/.*"`
## Dapr configuration ## Dapr configuration
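Review bot: the new `pathFilter` row does not say whether the field is optional, what the behaviour is when it is omitted, or what happens to requests whose path does not match the pattern (the section below describes applying OAuth2 "selectively", which implies non-matching requests skip this middleware rather than being rejected). Readers deciding where to place the middleware in the pipeline need that stated explicitly; suggest adding "Optional." and one sentence on non-matching requests to the description, e.g. `| pathFilter | Optional. Applies the middleware only to requests whose path matches the given regex pattern; other requests are not processed by this middleware | ...`.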
@ -71,6 +74,67 @@ spec:
type: middleware.http.oauth2 type: middleware.http.oauth2
``` ```
## Request path filtering
The `pathFilter` field allows you to selectively apply OAuth2 authentication based on the HTTP request path using a regex pattern. This enables scenarios such as configuring multiple OAuth2 middlewares with different scopes for different API endpoints, implementing the least privilege principle by ensuring users only receive the minimum permissions necessary for their intended operation.
### Example: Separate read-only and admin user access
In the following configuration:
- Requests to `/api/users/*` endpoints receive tokens with a read-only user scopes
- Requests to `/api/admin/*` endpoints receive tokens with full admin scopes
This reduces security risk by preventing unnecessary privilege access and limiting the blast radius of compromised tokens.
```yaml
# User with read-only access scope
apiVersion: dapr.io/v1alpha1
kind: Component
metadata:
name: oauth2-users
spec:
type: middleware.http.oauth2
version: v1
metadata:
- name: clientId
value: "<your client ID>"
- name: clientSecret
value: "<your client secret>"
- name: scopes
value: "user:read profile:read"
- name: authURL
value: "https://accounts.google.com/o/oauth2/v2/auth"
- name: tokenURL
value: "https://accounts.google.com/o/oauth2/token"
- name: redirectURL
value: "http://myapp.com/callback"
- name: pathFilter
value: "^/api/users/.*"
---
# User with full admin access scope
apiVersion: dapr.io/v1alpha1
kind: Component
metadata:
name: oauth2-admin
spec:
type: middleware.http.oauth2
version: v1
metadata:
- name: clientId
value: "<your client ID>"
- name: clientSecret
value: "<your client secret>"
- name: scopes
value: "admin:read admin:write user:read user:write"
- name: authURL
value: "https://accounts.google.com/o/oauth2/v2/auth"
- name: tokenURL
value: "https://accounts.google.com/o/oauth2/token"
- name: redirectURL
value: "http://myapp.com/callback"
- name: pathFilter
value: "^/api/admin/.*"
```
## Related links ## Related links
- [Configure API authorization with OAuth]({{% ref oauth %}}) - [Configure API authorization with OAuth]({{% ref oauth %}})
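Review bot: both example components in the new "Request path filtering" section set `redirectURL` to `http://myapp.com/callback`, while the parameter table in this same file uses `https://myapp.com` and the middleware offers `forceHTTPS`; an authorization-code callback delivered over plain HTTP exposes the code in transit, so the examples should use `https://`. Two wording fixes in the same hunk: the first bullet "receive tokens with a read-only user scopes" should read "receive tokens with read-only user scopes", and the opening paragraph's "... for different API endpoints, implementing the least privilege principle ..." is a run-on that reads better as two sentences.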

View File

@ -30,6 +30,8 @@ spec:
value: "https://accounts.google.com/o/oauth2/token" value: "https://accounts.google.com/o/oauth2/token"
- name: headerName - name: headerName
value: "authorization" value: "authorization"
- name: pathFilter
value: ".*/users/.*"
``` ```
{{% alert title="Warning" color="warning" %}} {{% alert title="Warning" color="warning" %}}
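Review bot: as in the oauth2 middleware page, the `pathFilter` example `.*/users/.*` here is unanchored and also matches paths such as `/api/admin/users/1`, whereas the section added further down in this file uses `^/api/users/.*`. Suggest the anchored form so the quick-start example and the detailed example behave the same way.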
@ -47,6 +49,7 @@ The above example uses secrets as plain strings. It is recommended to use a secr
| headerName | The authorization header name to forward to your application | `"authorization"` | headerName | The authorization header name to forward to your application | `"authorization"`
| endpointParamsQuery | Specifies additional parameters for requests to the token endpoint | `true` | endpointParamsQuery | Specifies additional parameters for requests to the token endpoint | `true`
| authStyle | Optionally specifies how the endpoint wants the client ID & client secret sent. See the table of possible values below | `0` | authStyle | Optionally specifies how the endpoint wants the client ID & client secret sent. See the table of possible values below | `0`
| pathFilter | Applies the middleware only to requests matching the given path pattern | `".*/users/.*"`
### Possible values for `authStyle` ### Possible values for `authStyle`
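Review bot: the `pathFilter` table row added here has the same documentation gap as in the oauth2 page: it does not say the field is optional, what the default is when it is left out, or that requests whose path does not match are not processed by this middleware at all (and therefore reach the application without the injected `authorization` header). Suggest stating both, since for the client-credentials flow a route that silently bypasses the middleware will fail against the upstream API rather than be rejected at the edge.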
@ -72,6 +75,63 @@ spec:
type: middleware.http.oauth2clientcredentials type: middleware.http.oauth2clientcredentials
``` ```
## Request path filtering
The `pathFilter` field allows you to selectively apply OAuth2 authentication based on the HTTP request path using a regex pattern. This enables scenarios such as configuring multiple OAuth2 middlewares with different scopes for different API endpoints, implementing the least privilege principle by ensuring users only receive the minimum permissions necessary for their intended operation.
### Example: Separate read-only and admin user access
In the following configuration:
- Requests to `/api/users/*` endpoints receive tokens with a read-only user scopes
- Requests to `/api/admin/*` endpoints receive tokens with full admin scopes
This reduces security risk by preventing unnecessary privilege access and limiting the blast radius of compromised tokens.
```yaml
# User with read-only access scope
apiVersion: dapr.io/v1alpha1
kind: Component
metadata:
name: oauth2clientcredentials-users
spec:
type: middleware.http.oauth2clientcredentials
version: v1
metadata:
- name: clientId
value: "<your client ID>"
- name: clientSecret
value: "<your client secret>"
- name: scopes
value: "user:read profile:read"
- name: tokenURL
value: "https://accounts.google.com/o/oauth2/token"
- name: headerName
value: "authorization"
- name: pathFilter
value: "^/api/users/.*"
---
# User with full admin access scope
apiVersion: dapr.io/v1alpha1
kind: Component
metadata:
name: oauth2clientcredentials-admin
spec:
type: middleware.http.oauth2clientcredentials
version: v1
metadata:
- name: clientId
value: "<your client ID>"
- name: clientSecret
value: "<your client secret>"
- name: scopes
value: "admin:read admin:write user:read user:write"
- name: tokenURL
value: "https://accounts.google.com/o/oauth2/token"
- name: headerName
value: "authorization"
- name: pathFilter
value: "^/api/admin/.*"
```
## Related links ## Related links
- [Middleware]({{% ref middleware.md %}}) - [Middleware]({{% ref middleware.md %}})
- [Configuration concept]({{% ref configuration-concept.md %}}) - [Configuration concept]({{% ref configuration-concept.md %}})
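Review bot: the new "Request path filtering" section is copied from the authorization-code middleware and its framing does not fit the client-credentials flow, which obtains a token for the calling application itself with no end user involved: "Separate read-only and admin user access", the `# User with read-only access scope` comments and "ensuring users only receive the minimum permissions" should speak of the client or application rather than users. The least-privilege point still applies (a token scoped to `user:read profile:read` limits what a leaked token for the `/api/users/` routes can do), so suggest rewording rather than dropping it. Same grammar fix as in the other file: "a read-only user scopes" should read "read-only user scopes".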