authenticate: make service http only

- Rename SessionState to State to avoid stutter.
- Simplified option validation to use a wrapper function for base64 secrets.
- Removed authenticate's grpc code.
- Abstracted logic to load and validate a user's authenticate session.
- Removed instances of url.Parse in favor of urlutil's version.
- proxy: replaces grpc refresh logic with forced deadline advancement.
- internal/sessions: remove rest store; parse authorize header as part of session store.
- proxy: refactor request signer
- sessions: remove extend deadline (fixes #294)
- remove AuthenticateInternalAddr
- remove AuthenticateInternalAddrString
- omit type tag.Key from declaration of vars TagKey*; it will be inferred
  from the right-hand side
- remove compatibility package xerrors
- use cloned http.DefaultTransport as base transport
Bobby DeSimone 2019-08-29 22:12:29 -07:00
parent bc72d08ad4
commit 380d314404
No known key found for this signature in database
GPG key ID: AEE4CF12FE86D07E
53 changed files with 718 additions and 2280 deletions


@ -176,7 +176,6 @@ Go to **Environment** tab.
| SHARED_SECRET | output of `head -c32 /dev/urandom | base64` |
| AUTHORIZE_SERVICE_URL | `https://localhost` |
| AUTHENTICATE_SERVICE_URL | `https://authenticate.int.nas.example` |
| AUTHENTICATE_INTERNAL_URL | `https://localhost` |
For a detailed explanation, and additional options, please refer to the [configuration variable docs]. Also note, though not covered in this guide, settings can be made via a mounted configuration file.
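Review bot: with the `AUTHENTICATE_INTERNAL_URL` row dropped, nothing in this guide says how the proxy running on the same NAS reaches `https://authenticate.int.nas.example` (the removed row pointed it at `https://localhost`). Since this commit makes authenticate HTTP-only and the proxy now calls it through the public URL, add a sentence after the table stating that `AUTHENTICATE_SERVICE_URL` must resolve, and present a certificate the proxy trusts, from the proxy's network as well as from the browser, and that an internal name is no longer available for this purpose.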


@ -48,7 +48,6 @@ services:
- SERVICES=proxy
# IMPORTANT! If you are running pomerium behind another ingress (loadbalancer/firewall/etc)
# you must tell pomerium proxy how to communicate using an internal hostname for RPC
- AUTHENTICATE_INTERNAL_URL=https://pomerium-authenticate
- AUTHORIZE_SERVICE_URL=https://pomerium-authorize
# When communicating internally, rPC is going to get a name conflict expecting an external
# facing certificate name (i.e. authenticate-service.local vs *.corp.example.com).
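Review bot: the comment `# you must tell pomerium proxy how to communicate using an internal hostname for RPC` is now out of date in this hunk: only `AUTHORIZE_SERVICE_URL=https://pomerium-authorize` remains under it, and authenticate is no longer reached over RPC at all, so the internal-hostname advice applies to authorize only. Reword it to say so (and fix `rPC` to `RPC` in the following comment) so operators do not go looking for an authenticate equivalent that this commit removes.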


@ -1,6 +1,5 @@
# Main configuration flags : https://www.pomerium.io/reference/
authenticate_service_url: https://authenticate.corp.beyondperimeter.com
authenticate_internal_url: https://pomerium-authenticate-service.default.svc.cluster.local
authorize_service_url: https://pomerium-authorize-service.default.svc.cluster.local
override_certificate_name: "*.corp.beyondperimeter.com"
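Review bot: removing `authenticate_internal_url` leaves `override_certificate_name: "*.corp.beyondperimeter.com"` applying only to the authorize gRPC connection, while the proxy must now reach authenticate at the public `authenticate.corp.beyondperimeter.com` from inside the cluster, which requires that name to resolve in-cluster (via the ingress or a hairpin route) rather than through the cluster-local service name this line used to provide. Consider a short comment in this example noting that requirement.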


@ -146,7 +146,7 @@ Timeouts set the global server timeouts. For route-specific timeouts, see [polic
## GRPC Options
These settings control upstream connections to the Authorize and Authenticate services.
These settings control upstream connections to the Authorize service.
### GRPC Client Timeout
@ -228,8 +228,8 @@ Each unit work is called a Span in a trace. Spans include metadata about the wor
| Config Key | Description | Required |
| :--------------- | :---------------------------------------------------------------- | -------- |
| tracing_provider | The name of the tracing provider. (e.g. jaeger) | ✅ |
| tracing_debug | Will disable [sampling](https://opencensus.io/tracing/sampling/). | ❌ |
| tracing_provider | The name of the tracing provider. (e.g. jaeger) | ✅ |
| tracing_debug | Will disable [sampling](https://opencensus.io/tracing/sampling/). | ❌ |
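Review bot: this hunk (and the Jaeger table hunk that follows it) only re-aligns table whitespace, which is unrelated to making authenticate HTTP-only and adds noise to a 53-file diff; consider landing formatting-only table changes separately so the functional removal is easier to review.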
### Jaeger
@ -243,8 +243,8 @@ Each unit work is called a Span in a trace. Spans include metadata about the wor
| Config Key | Description | Required |
| :-------------------------------- | :------------------------------------------ | -------- |
| tracing_jaeger_collector_endpoint | Url to the Jaeger HTTP Thrift collector. | ✅ |
| tracing_jaeger_agent_endpoint | Send spans to jaeger-agent at this address. | ✅ |
| tracing_jaeger_collector_endpoint | Url to the Jaeger HTTP Thrift collector. | ✅ |
| tracing_jaeger_agent_endpoint | Send spans to jaeger-agent at this address. | ✅ |
#### Example
@ -464,16 +464,6 @@ Signing key is the base64 encoded key used to sign outbound requests. For more i
Authenticate Service URL is the externally accessible URL for the authenticate service.
## Authenticate Internal Service URL
- Environmental Variable: `AUTHENTICATE_INTERNAL_URL`
- Config File Key: `authenticate_internal_url`
- Type: `URL`
- Optional
- Example: `https://pomerium-authenticate-service.default.svc.cluster.local`
Authenticate Internal Service URL is the internally routed dns name of the authenticate service. This setting is typically used with load balancers that do not gRPC, thus allowing you to specify an internally accessible name.
## Authorize Service URL
- Environmental Variable: `AUTHORIZE_SERVICE_URL`
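Review bot: deleting the `## Authenticate Internal Service URL` section matches the commit, but the surviving sentence `Authenticate Service URL is the externally accessible URL for the authenticate service.` is now incomplete: with the internal URL gone, the proxy also uses this URL for its own backend calls to authenticate, so it must be reachable, and its certificate valid, from wherever the proxy runs and not only from browsers. Add that requirement to the Authenticate Service URL section, and note there that `authenticate_internal_url` / `AUTHENTICATE_INTERNAL_URL` has been removed so readers of older configuration files know why the key no longer appears.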