In this mode you can integrate heimdall with existing reverse proxies or API gateways (like Kong, NGINX, Envoy, Traefik and many more).
Figure 1. Decision Deployment
In this mode heimdall can be integrated with virtually any modern API gateway or reverse proxy as a so-called "authentication middleware". The reverse proxy or API gateway integrating with heimdall forwards requests to heimdall by calling its decision service endpoint for authentication and authorization purposes. As in the Reverse Proxy mode, heimdall checks whether these requests match and satisfy the conditions defined in the available rules. If not, heimdall returns an error to its client (here the API gateway/reverse proxy). If the rule execution was successful, it responds to the API gateway/reverse proxy with 200 OK (the status code can be overridden if required) and sets the headers/cookies specified in the matched rule, which the gateway/proxy then forwards to the upstream service.
Example 1. Decision Service Example
Imagine the following request hits heimdall (sent to it by an API gateway):
GET /my-service/api HTTP/1.1
Host: heimdall:4455
X-Forwarded-Host: my-backend-service
Some payload
And there is a rule which allows anonymous requests and sets a header with the subject id set to anonymous, like this:
id: rule:my-service:anonymous-api-access
match:
  routes:
    - path: /my-service/api
  scheme: http
  hosts:
    - type: exact
      value: my-backend-service
  methods:
    - GET
execute:
  - authenticator: anonymous-authn
  - finalizer: id-header
Then heimdall will respond with:
HTTP/1.1 200 OK
X-User-ID: anonymous
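The matching and header-setting flow of this example, as an added illustration that is not heimdall's own code: a plain Python simulation of the decision the gateway receives. It assumes the gateway forwards the original host in X-Forwarded-Host and the original scheme in X-Forwarded-Proto (treated as http when absent); the 403 returned for unmatched requests is a simplification of this simulation, not heimdall's configured error response.

```python
# The rule shown above, as the dict its YAML loads into (copied from the page).
RULE = {
    "id": "rule:my-service:anonymous-api-access",
    "match": {
        "routes": [{"path": "/my-service/api"}],
        "scheme": "http",
        "hosts": [{"type": "exact", "value": "my-backend-service"}],
        "methods": ["GET"],
    },
    "execute": [{"authenticator": "anonymous-authn"}, {"finalizer": "id-header"}],
}
# The request from the page, as the gateway would forward it (constructed string).
REQUEST = "GET /my-service/api HTTP/1.1\nHost: heimdall:4455\nX-Forwarded-Host: my-backend-service\n\nSome payload"

def parse_request(raw):
    """Split a raw HTTP/1.1 request into method, path, lower-cased headers and body."""
    head, _, body = raw.partition("\n\n")
    request_line, *header_lines = head.splitlines()
    method, path, _ = request_line.split()
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "path": path, "headers": headers, "body": body}

def rule_matches(rule, req):
    """Match path, scheme, host and method as the rule's match block lists them.
    Assumption: the gateway sends X-Forwarded-Host and X-Forwarded-Proto (default http)."""
    m = rule["match"]
    host = req["headers"].get("x-forwarded-host", "")
    scheme = req["headers"].get("x-forwarded-proto", "http")
    return (
        any(r["path"] == req["path"] for r in m["routes"])
        and m["scheme"] == scheme
        and any(h["type"] == "exact" and h["value"] == host for h in m["hosts"])
        and req["method"] in m["methods"]
    )

def decide(rules, req):
    """Return (status, headers to forward upstream); 403 on no match is our simplification."""
    for rule in rules:
        if not rule_matches(rule, req):
            continue
        subject, out = None, {}
        for step in rule["execute"]:
            if step.get("authenticator") == "anonymous-authn":
                subject = "anonymous"  # anonymous authenticator yields subject id "anonymous"
            elif step.get("finalizer") == "id-header":
                out["X-User-ID"] = subject  # finalizer copies the subject id into a header
        return 200, out
    return 403, {}
```

Running `decide([RULE], parse_request(REQUEST))` reproduces the `200` with `X-User-ID: anonymous` shown above; changing the method or the forwarded host makes the rule stop matching.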