Authorization middleware for third parties

[srijan55]

Hello. I wanted to find out if there are future plans to extend the auth middleware and associated settings for Cortex. Today it is only limited to add the fake auth middleware and is not exposed via settings or other ways for users to embed their own authorization. I envision that there could be a setting which takes may be a rest endpoint which cortex can call to ensure authN/authZ or there could be first party support for various clouds like AWS sigV4 and Microsoft AAD.

Eager to learn what is the vision and/or future plans in this direction.

[srijan55]

Friendly ping on this. Any directions thought in past, would be helpful for me to think more about this.

[pstibrany]

Hello. There are no plans to do more about auth in Cortex. Cortex uses simple model – it trusts X-Scope-OrgID header in API requests (see https://cortexmetrics.io/docs/guides/auth/). This simplicity makes it very powerful – you can use any authentication gateway in front of Cortex that suits your needs. There are some open-source ones (eg. https://github.com/rewe-digital/cortex-gateway/), while companies using Cortex internally often have private ones. You can write proxy with your preferred auth method using the same model.

“Fake” auth middleware exists to simplify local setup where no auth is required.

[srijan55]

Thanks for your reply. This seems like the best approach to choose in terms of the Single Responsibility Principle.

Additional question - We found that HTTPAuthMiddleware is public property in the API module's config and currently using it to add some special handling by overriding it with our own implementation of auth middleware. (Context: We are trying to use Cortex in frontend-only mode with our own prom-query engine). Do you think this is a reasonable approach for adding additional auth checks?