stella-ops.org/git.stella-ops.org
1
0
Fork 0
Code Issues Pull Requests Actions 2 Releases Wiki Activity

Align policy simulation auth passthrough at the frontdoor

Browse Source
This commit is contained in:
master
2026-03-10 01:55:51 +02:00
parent d16d7a1692
commit 72084355a6
7 changed files with 109 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

3
docs/modules/router/architecture.md
View File

@@ -301,7 +301,8 @@ Request ─►│ ForwardedHeaders │
- Per-request tenant override is disabled by default and only works when explicitly enabled with `Gateway:Auth:EnableTenantOverride=true` and the requested tenant exists in `stellaops:allowed_tenants`.
- Authorization/DPoP passthrough is fail-closed:
- route must be configured with `PreserveAuthHeaders=true`, and
- route prefix must also be in the approved passthrough allow-list (`/connect`, `/console`, `/authority`, `/doctor`, `/api`).
- route prefix must also be in the approved passthrough allow-list configured under `Gateway:Auth:ApprovedAuthPassthroughPrefixes`.
- local frontdoor configs approve `/connect`, `/console`, `/authority`, `/doctor`, `/api`, `/policy/shadow`, and `/policy/simulations` so live policy compatibility endpoints can preserve DPoP/JWT passthrough without broadening unrelated routes.
- Tenant override attempts are logged with deterministic fields including route, actor, requested tenant, and resolved tenant.
### Connection State