The Host header for the outbound HTTP connection is being set with the inbound host name. This prevents usage of downstream applications that use the Host header for routing such as Azure web apps.
Need to set the Host header using the outgoing host name and port from RouterProxyClient on the first connection (ConnectNotifier) and for subsequent calls using a cached open connection.

networknt/light-4j#268

Response proper messages in error scenarios including:
Service discovery:
service id is missing in header
service id is provided but not configured (direct)
service is not found in consul
Security (SAML + JWT):
SAML or JWT is missing

networknt/light-4j#257

as the static SSL from Http2Client is inited lazily.

As we know, we have JwtVerifyHandlers in each individual frameworks and they are responsible for verifying the JWT token in the request header to authorize the request. As the security requirement is defined in the specifications and each framework has its own spec format, that is why we have several implementations.

When light-router is used to secure backend services, it is very hard to create a combined specification for the router instance especially when backend services are implemented in different frameworks. Given there are a lot of extra works to bring the spec to the router instance, we have to find a simpler way to enforce security on the light-router instance.

With the handler module introduced recently to support multiple chains in the same instance and all the endpoints are defined in the handler.yml config file. We can enhance the handler module to put the JWT token scope in the path/method definition in the handler.yml and pass the info to the subsequent JwtVerifyHandler to verify it. This enables security at light-router without specification and makes the light-router more flexible in terms of usage.

What do you think?

This issue is created for Jira ticket API-36.
It allows the client of the light-router to specify the service url where the requests should be forwarded to.
Another issue, #362 in light-4j is created to supported the service url header constant.

fix dependency to light-spa-4j, rather than light-4j

For some customers who want to send by-reference token to the Internet but use JWT internal, this handler can deref the opaque token to JWT token on the router in order to call internal APIs. As this is only an optional handler, it is just included into the dependencies but not wire into the middleware handler chain.

Provide router ability to handle error scenarios(currently only for authorization errors).
The router should get JWT when auth server has a success response.
The router should send a response to the client when the auth server response an error.
Related RFC doc https://github.com/networknt/light-rfcs/blob/master/light-router/0002-exception-handling-token-get-refactor.md

Use the local static variable instead of referring to another project.

The idea behind canary deployment (or rollout) is to introduce a new version of a service by first testing it using a small percentage of user traffic, and then if all goes well, increase, possibly gradually in increments, the percentage while simultaneously phasing out the old version. If anything goes wrong along the way, we abort and rollback to the previous version. In its simplest form, the traffic sent to the canary version is a randomly selected percentage of requests, but in more sophisticated schemes it can be based on the region, user, or other properties of the request.

For more info, please refer to https://istio.io/blog/2017/0.1-canary/

We need to serve the static content from the router instance and it would be easier to use handler.yml instead of PathProvider. The other benefit of hanlder.yml is the validate the path and method before routing the request to the downstream service. What do you think?

We have a defect that is fixed to consider the tag in the service cache in the discovery. The test case we are using here is using the direct registry which doesn't support the tag to be passed in.

networknt/light-4j#482

It seems like when a new service is removed from consul, the new client added to the router doesn't seem to reflect the changes properly.

I have a service which accepts POSTed JSON payloads which are parsed by BodyHandler. It has been stress tested with multiple concurrent processes which repeatedly upload the same payloads ranging in in size from 2.8K to 109K of test data and it is reliable after tens of thousands of iterations.

Adding a light-router (port 8080) in front of this, even with only a single instance of the service (port 2400) again works reliably for the smaller payloads of 2.8K. Slowly increasing the payload size and running the tight upload loop, we start getting 503 responses when we cross the 32K boundary.

Running the service in the IDEA debugger with a router in front of it we see that the BodyHandler fails to parse the payload and copying the string to a file and comparing with the original payload, we see that there is a chunk of just over 16K missing from the string being parsed compared to the payload that was sent.

Looking at the router code my initial suspicion is that the connection caching in RouterProxyClient is not thread safe and bad things start happening when the payload size exceeds the size of a buffer somewhere.

Some observations:

• The limits are a tad over 32K and the missing data is just over 16K in utf-8 encoded files with some amount of non-ascii text, so these problems might be happening on some text-buffer level rather than a byte-buffer level to get nice round powers of 2.
• The larger the payloads are, then more likely they are to fail.
• Adding a 1 second sleep between calls does not make the problem go away.

Making a stand-alone test case for this will be a bit tricky so I'm opening the issue without one before the week-end while it's fresh in my mind.

Junit test class created for SAMLTokenHandler(Jira API-22).

Support must be added to support the new SAML grant type OAuth flow.

A new handler, SAMLGrantHandler, will be added to support this OAuth flow.

Light Router must accept a JWT and a SAML token in it's header under the header keys assertion (for SAML) and client_assertion (for JWT).

It must then POST these tokens* to an OAuth authorization server (encoded as x-www-for-urlencoded) and receive a JWT in response, and then set this new Bearer {JWT} in its header under the Authorization key before service lookup and forwarding the request.

• • In addition to the two tokens, the authorization server expects the following additional values in x-www-form-urlencoded payload:

• grant_type: urn:ietf:params:oauth:grant-type:saml2-bearer
• scope: {blank separated list of OAuth scopes}*
• client_assertion_type: urn:ietf:params:oauth:client-assertion-type:jwt-bearer

* Note that the scope key/value pair is optional.

When connecting to the debug docker container other than running locally, we might encounter a connection problem. By setting the address=*:5005, we allow the application running within the docker binding to any address. As long as the docker network is host, we can connect remotely.

Rollback the temp fix for #49
as the issue in the light-4j is resolved by networknt/light-4j#491

Currently, the incoming traffic can be HTTP/2 or HTTP/1.1 configurable but the outgoing traffic is hard-coded to HTTP/2 only. So far, we are OK as all of our downstream services are built on top of light-4j which support HTTP2 natively. When using the light-router with other downstream services, we need to provide an option to support HTTP/1.1 in the configuration.

(API 15)Cache the JWT when the request contains the previous SAML.

In order to allow light-router to discover services, the serviceId must be in the header of the client request. This is a little intrusive to the client so I have built the PathServiceHandler to allow mapping from the requesting endpoint to a serviceId and put into the request header automatically. It depends on the endpoint in the auditInfo attachment populated by the openapi-meta or swagger-meta from light-rest-4j.

There are two drawbacks.

• It assumes that the backend service is REST only.
• The backend service openapi.yaml/json or swagger.json must be deployed to the light-router instance. It might be OK if there is only one service behind the light-router but most of the cases, there are multiple services behind the light-router.

Given the inconvenience, @logi created PathPrefixServiceHandler which can determine the serviceId from the path prefix. This works in his use case very well and I am using it for some of our services. However, there is room to improve it after we have support handler.yml with multi-chains. The current implementation only considers the path prefix and cannot handler the following scenarios.

• If you have two services share the same prefix. For example, in CQRS, the read service and write service might have the same path but get and post methods.
• For some of the services that cannot be differentiated by just the prefix. We need to further parse into the path parameters.

Since we are parsing the path and method in the handler module, we can use the result to map to serviceId in this middleware handler. This gives us more flexibility and hides the logic from the original client. My suggestion is to create a new middleware handler and deprecate PathServiceHandler and PathPrefixServiceHandler but keep them for a while in case someone is using it. What do you think?

Normally, the client need to pass service_id and env_tag headers to the light-router in order to allow light-router to do the service discovery. However, if the downstream APIs have distinct endpoints and no common services like /health or /server/info are called. We can use this handler to derive the serviceId from the endpoint. The HeaderHandler can be used to set the env_tag as well so that client can just send the normal request based on the downstream APIs specification. If this is used, we need to have openapi.json specification on the router.

Currently the header is expected as client-assertion, which did not match expectation. Hopefully it's ok to have this changed to line up to our original requirements.

Need the real OAuth 2.0 provider to test it out.

(API 43) Use request scope when we create new jwt in light-router.

The mapping is static now.