Security - (Proxy|N-tier|User Impersonation) authentication

About

A proxy authentication is when you are authorized to login (authenticate) in a software on behalf of an other.

This is known as:

• user impersonation
• or N-tier authentication.

Impersonation is a feature which permit to establish a session on behalf of a user without employing the user's credentials (password, …)

Example

HTTP Request

In Kubernetes, ¹⁾, they used the following HTTP request headers to perfor an impersonation request:

• Impersonate-User: The username to act as.
• Impersonate-Group: A group name to act as. Can be provided multiple times to set multiple groups. Optional. Requires “Impersonate-User”.
• Impersonate-Extra-( extra name ): A dynamic header used to associate extra fields with the user. Optional. Requires “Impersonate-User”. In order to be preserved consistently, ( extra name ) must be lower-case, and any characters which aren't legal in HTTP header labels MUST be utf8 and percent-encoded.
• Impersonate-Uid: A unique identifier that represents the user being impersonated. Optional. Requires “Impersonate-User”. Kubernetes does not impose any format requirements on this string.

If the user has the right to impersonate the Impersonate-User or the Impersonate-Group, it will be authenticated with them.

Example: impersonating a user with groups and extra fields

Impersonate-User: [email protected]
Impersonate-Group: developers
Impersonate-Group: admins
Impersonate-Extra-dn: cn=jane,ou=engineers,dc=example,dc=com
Impersonate-Extra-acme.com%2Fproject: some-project
Impersonate-Extra-scopes: view
Impersonate-Extra-scopes: development
Impersonate-Uid: 06f6ce97-e2c5-4ab8-7ba5-7654dd08d52b