feat(gateway): add support for authorization header authentication
This PR enables authentication using the Authorization header at the gateway level. Prior to that, the authentication was handled by browser cookies. This was not compatible with CLI tools and made external access to the PDP endpoint complicated.
The gateway now uses the following mechanism to authenticate users:
- Look for an `Authorization` header in the user request, extract & validate the token.
  - If the token is valid, pass it to the proxied endpoint.
  - If the token is not valid, return a `401 Unauthorized` error.
- If the request does not contain an `Authorization` header with a token, look for a cookie that contains the ID Token, extract & validate it.
  - If the token is valid, pass it to the proxied endpoint.
  - If the token is not valid, redirect the user to the login page.
- If neither the header nor the cookie is found, redirect the user to the login page.
Edited by Martin Fontanet
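
The decision order described above, as an added example that is not part of this PR or the project's code. It shows that a request carrying an invalid `Authorization` header is rejected with 401 even when a valid cookie is also present. Assumptions: the `Bearer` scheme, the cookie name `id_token`, the `/login` path, and an HMAC-signed stand-in token in place of the real ID Token validation.

```python
import base64, hashlib, hmac, json, time
from http.cookies import SimpleCookie

KEY = b"constructed-demo-key"   # assumption: stand-in for the real verification key
COOKIE_NAME = "id_token"        # hypothetical cookie name
LOGIN_URL = "/login"            # hypothetical login page path

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _sign(body: str) -> str:
    return _b64(hmac.new(KEY, body.encode(), hashlib.sha256).digest())

def issue(sub: str, ttl: int = 300) -> str:
    """Build a constructed sample token: base64url(claims) + "." + base64url(HMAC)."""
    body = _b64(json.dumps({"sub": sub, "exp": int(time.time()) + ttl}).encode())
    return body + "." + _sign(body)

def validate(token: str) -> bool:
    """Stand-in validator: constant-time signature check, then expiry."""
    try:
        body, sig = token.split(".")
        if not hmac.compare_digest(sig, _sign(body)):
            return False
        claims = json.loads(base64.urlsafe_b64decode(body + "=" * (-len(body) % 4)))
        return claims["exp"] > time.time()
    except (ValueError, KeyError, TypeError):
        return False

def authenticate(headers: dict) -> tuple:
    """Return ("proxy", token), ("deny", 401) or ("redirect", url)."""
    auth = headers.get("Authorization")  # exact-case key lookup, for brevity
    if auth is not None:
        # Header present: decide on it alone and never fall back to the cookie.
        scheme, _, token = auth.partition(" ")
        if scheme.lower() == "bearer" and validate(token.strip()):
            return ("proxy", token.strip())
        return ("deny", 401)
    cookie = SimpleCookie(headers.get("Cookie", "")).get(COOKIE_NAME)
    if cookie is not None and validate(cookie.value):
        return ("proxy", cookie.value)
    # Missing or invalid cookie: browser flow, send the user to the login page.
    return ("redirect", LOGIN_URL)
```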