Pipelines

Authentication Stage: In that stage you can use any amount of authentication mechanisms, to let heimdall communicate with the actual authentication systems. This can be getting information about the authenticated subject of the request, getting key material to verify the authentication information provided in the request, or perform some other activities related to authentication. This stage is mandatory, which means, at least one authentication mechanism must be specified. If multiple are specified, the subsequent ones are only executed if the previous either fail or were not responsible for the authentication data available with the request.

Authorization Stage: In that stage you can make use of any amount of contextualization and authorization mechanisms in any order to fulfill your authorization requirements. Here, you let heimdall communicate with other systems to collect contextual information required for authorization purposes (like e.g. getting the country for the IP, the request came from, retrieving subscription status of your customer, etc), and to perform the actual authorization, e.g. by talking to an Open Policy Agent, OpenFGA, any other type of authorization system, or even let heimdall perform the required checks locally. That stage is optional and is only executed after the successful execution of the authentication stage. The mechanisms specified in it are executed in order of their definition.

Finalization Stage: In that stage, you can use any amount of finalization mechanisms to complete the pipeline execution and allows you transforming the information collected about the subject in the previous stages into a format expected or required by your upstream service, or even driving specific protocols, e.g. to obtain a token required by the upstream service. That stage is optional and is only executed after the successful execution of the previous stage. The mechanisms specified in it are executed in order of their definition.