About
Proxy authentication is when you are authorized to log in (authenticate) to a piece of software on behalf of another user.
This is known as:
- user impersonation
- or N-tier authentication.
Impersonation is a feature that permits establishing a session on behalf of a user without using that user's credentials (password, …).
Example
HTTP Request
In Kubernetes, the following HTTP request headers are used to perform an impersonation request:
- Impersonate-User: The username to act as.
- Impersonate-Group: A group name to act as. Can be provided multiple times to set multiple groups. Optional. Requires “Impersonate-User”.
- Impersonate-Extra-( extra name ): A dynamic header used to associate extra fields with the user. Optional. Requires “Impersonate-User”. In order to be preserved consistently, ( extra name ) must be lower-case, and any characters which aren't legal in HTTP header labels MUST be utf8 and percent-encoded.
- Impersonate-Uid: A unique identifier that represents the user being impersonated. Optional. Requires “Impersonate-User”. Kubernetes does not impose any format requirements on this string.
If the requesting user has the right to impersonate the given Impersonate-User or Impersonate-Group, the request is authenticated as that identity.
Example: impersonating a user with groups and extra fields
Impersonate-User: [email protected]
Impersonate-Group: developers
Impersonate-Group: admins
Impersonate-Extra-dn: cn=jane,ou=engineers,dc=example,dc=com
Impersonate-Extra-acme.com%2Fproject: some-project
Impersonate-Extra-scopes: view
Impersonate-Extra-scopes: development
Impersonate-Uid: 06f6ce97-e2c5-4ab8-7ba5-7654dd08d52b
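The header rules listed above (Impersonate-User required by the others, extra names lower-cased and percent-encoded) can be enforced in a small builder. This is an added example, not Kubernetes code: the function names are hypothetical, the set of characters left unencoded is an assumption based on the RFC 7230 token rule, and the CR/LF check is extra hardening the page does not mention.

```python
from urllib.parse import quote

# Assumption: "legal in HTTP header labels" is read as the RFC 7230 token
# punctuation; "%" is left out so a literal percent sign is encoded too.
TOKEN_PUNCT = "!#$&'*+-.^_`|~"


def encode_extra_name(name):
    """Lower-case the extra name, then percent-encode (as UTF-8) non-token chars."""
    return quote(name.lower(), safe=TOKEN_PUNCT, encoding="utf-8")


def impersonation_headers(user, groups=(), extra=None, uid=None):
    """Return the (name, value) header pairs for one impersonation request."""
    if not user:
        # Group, Extra-* and Uid all require Impersonate-User.
        raise ValueError("Impersonate-User is required")
    headers = [("Impersonate-User", user)]
    headers += [("Impersonate-Group", g) for g in groups]
    for name, values in (extra or {}).items():
        header = "Impersonate-Extra-" + encode_extra_name(name)
        headers += [(header, v) for v in values]
    if uid is not None:
        headers.append(("Impersonate-Uid", uid))
    for name, value in headers:
        # Added hardening (not from the page): refuse values that could
        # split the header block when they come from untrusted input.
        if "\r" in value or "\n" in value:
            raise ValueError(f"CR/LF not allowed in {name}")
    return headers


if __name__ == "__main__":
    # Constructed sample values, modelled on the listing above.
    for name, value in impersonation_headers(
        "jane",
        groups=["developers", "admins"],
        extra={"Acme.com/Project": ["some-project"], "scopes": ["view", "development"]},
        uid="06f6ce97-e2c5-4ab8-7ba5-7654dd08d52b",
    ):
        print(f"{name}: {value}")
```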