Migration from Proxy-Authorization to using X-Gateway-Authorization header in 0.9.3-draft version

[techframewirk]

Problem Statement

Proxy-Authorization header is meant to be consumed by proxy. We should not use it for authenticating Gateway.

According to RFC 7235

The "Proxy-Authorization" header field allows the client to identify
itself (or its user) to a proxy that requires authentication.  Its
value consists of credentials containing the authentication
information of the client for the proxy and/or realm of the resource
being requested.

  Proxy-Authorization = credentials

Unlike Authorization, the Proxy-Authorization header field applies
only to the next inbound proxy that demanded authentication using the
Proxy-Authenticate field.  When multiple proxies are used in a chain,
the Proxy-Authorization header field is consumed by the first inbound
proxy that was expecting to receive credentials.  A proxy MAY relay
the credentials from the client request to the next proxy if that is
the mechanism by which the proxies cooperatively authenticate a given
request.

This means that the Proxy-Authorization header is only a single hop header and in architectures where multiple hops are involved (such as this one: client---> ALB---> Server), the Proxy-Authorization header is consumed by the ALB (Application Load Balancer) and will not be forwarded to the backend instance.

Solution

We can use custom header, such as X-Gateway-Authorization, instead which will be passed through as is to the application server.

This issue and solution proposal was raised by @NikithShetty and more information regarding the discussion and the PRs can be found in issue #119.

Since we have decided to move ahead with the changes proposing a migration strategy.

Migration strategy

Changes by BG

The BG will send both X-Gateway-Authorization as well as Proxy-Authorization header, till the migration cut off date.

Changes in BAP and BPP

After the changes in the BG, all references to Proxy-Authorization header will be changed to X-Gateway-Authorization. All participants will have till the migration cut off date to make the changes.

Migration period

During the migration period with BG will send both X-Gateway-Authorization as well as Proxy-Authorization header. All implementations using either will work. Once the migration cut off date reaches the network can ensure all network participants have made this change and post the cut off date the BG can remove Proxy-Authorization header permanently.

Migration cut off date

Every network should decide on a cut off date based on rough consensus from the participants post which the BG will not send the Proxy-Authorization header.