Heimdall

An open source Identity Aware Proxy and an Access Control Decision service for cloud native applications


Verify access all the time and everywhere with Heimdall


Adopt a Zero Trust architecture by authenticating, enriching and authorizing incoming HTTP requests at any level. There is no need to learn new protocols or authentication and authorization frameworks; you only need to learn how to glue the ones you already use together with heimdall.

Define rules reflecting your requirements


Use declarative techniques you are already familiar with

# RuleSet custom resource (Kubernetes form). The name must be a valid
# Kubernetes object name, so it may not contain spaces.
apiVersion: heimdall.dadrus.github.com/v1alpha4
kind: RuleSet
metadata:
  name: my-awesome-service
spec:
  rules:
    - id: my_api_rule
      # A request must match route, scheme and host for this rule to apply.
      match:
        routes:
          - path: /api/**      # "**" matches any remaining path segments
        scheme: http
        hosts:
          - type: exact
            value: 127.0.0.1:9090
      # Pipeline steps, referenced by the ids of mechanisms defined once in
      # the heimdall configuration and executed in order.
      execute:
        - authenticator: keycloak
        - authorizer: opa

Create a rule for each upstream service and path you want to secure whose requirements deviate from your defaults, and load those rules from a variety of sources, such as Kubernetes custom resources, S3 buckets, any HTTPS endpoint or regular files.

The value you get


Reduce the cognitive load of your team

By outsourcing authentication and authorization decisions to heimdall, you reduce the complexity of your code base, free up resources and substantially lower the cognitive load of your team.

Secure defaults for your services

Define the logic that is executed when no rule matches a request, so that unmatched requests fall through to a policy you chose rather than passing unchecked.

Define mechanisms once, reuse many times

Define authenticators, authorizers and other mechanisms once, then use rules to compose these reusable steps into the pipeline each of your services individually needs.

Add context information to requests

Dynamically enrich requests with information such as user data to help you make authorization decisions and reduce dependencies in your code.

Common Expression Language

Use the Common Expression Language (CEL) to implement complex pipeline execution logic and simple authorization checks directly within a pipeline.

Authorization systems freedom

Use existing authorization systems, such as OpenFGA, Ory Keto, Open Policy Agent and the like, and combine them if required to get the best out of different worlds.

OpenID Connect & OAuth2

Use existing authentication systems that support OpenID Connect or OAuth2.

Authentication systems freedom

Combine existing authentication systems to protect different areas of your system with different providers. For example, one system can protect customer-facing functionality while another manages access to your back-office functionality.
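The points above on reusable mechanisms, secure defaults and CEL, brought together in a constructed heimdall decision-service configuration (an added example, not the project's own code). It defines the keycloak authenticator and opa authorizer that the RuleSet above refers to, plus a CEL authorizer and a fail-closed default rule; every URL, issuer, audience and policy path is a placeholder, and the key names are recalled from the heimdall documentation, so check them against the version you deploy.

```yaml
# Constructed example of the heimdall configuration file (not from the
# project). Key names follow the heimdall docs as recalled for the v1alpha4
# rule format; verify them against the version you deploy.
mechanisms:
  authenticators:
    # Verifies bearer tokens against a Keycloak realm (placeholder URLs).
    - id: keycloak
      type: jwt
      config:
        jwks_endpoint:
          url: https://keycloak.example.com/realms/demo/protocol/openid-connect/certs
        assertions:
          issuers:
            - https://keycloak.example.com/realms/demo
          audience:
            - my-api
  authorizers:
    # Always rejects; used by the default rule so unmatched paths fail closed.
    - id: deny_all
      type: deny
    # Decision delegated to OPA: the "opa" step referenced by the rule above.
    # Endpoint and policy path are placeholders.
    - id: opa
      type: remote
      config:
        endpoint:
          url: http://opa.example.internal:8181/v1/data/api/allow
        payload: |
          {"input": {"subject": "{{ .Subject.ID }}",
                     "method":  "{{ .Request.Method }}",
                     "path":    "{{ .Request.URL.Path }}"}}
        expressions:
          - expression: Payload.result == true
            message: OPA denied the request
    # In-pipeline check written in CEL; no external system needed.
    - id: admins_only
      type: cel
      config:
        expressions:
          - expression: >-
              has(Subject.Attributes.realm_access) &&
              Subject.Attributes.realm_access.roles.exists(r, r == "admin")
            message: admin role required

# Applied to every request no rule matches: the token is still validated,
# but the request is then denied. Individual rules override this per path.
default_rule:
  execute:
    - authenticator: keycloak
    - authorizer: deny_all
```

A rule that only swaps `authorizer: opa` for `authorizer: admins_only` reuses the same keycloak authenticator without redefining it, which is the reuse the page describes.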