[X.509] L7-Only Validation — Tier 3 (XFCC Forwarding) #895

@averevki

Summary

Test X.509 client certificate authentication via AuthPolicy with Tier 3 XFCC forwarding — no gateway-level TLS validation, Authorino is the sole certificate validator.

Setup

  • Gateway with forwardClientCertDetails: ALWAYS_FORWARD_ONLY annotation (no TLS client validation at gateway)
  • CA certificate Secret(s) with labels for Authorino validation
  • AuthPolicy with x509.source.header: "X-Forwarded-Client-Cert"
  • HTTPRoute bound to AuthPolicy

Tests

  • Client with valid certificate in XFCC header → 200 OK (validated by Authorino only)
  • Client without XFCC header → 401 Unauthorized
  • Client with certificate signed by wrong CA in XFCC header → 403 Forbidden (Authorino rejects)
  • Verify that gateway does NOT reject invalid certificates (they pass through to Authorino)
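
A test client for the cases above has to place the certificate in the header itself. The helpers below are an added example, not code from this issue or the testsuite: they build and parse an `X-Forwarded-Client-Cert` value in Envoy's documented format (URL-encoded PEM in `Cert`, `;` between pairs, `,` between elements). The function names and the placeholder PEM are assumptions made for illustration.

```python
from urllib.parse import quote, unquote

# Constructed placeholder, not a real certificate: only the PEM framing matters here.
SAMPLE_PEM = (
    "-----BEGIN CERTIFICATE-----\n"
    "Q09OU1RSVUNURUQgUExBQ0VIT0xERVI=\n"
    "-----END CERTIFICATE-----\n"
)

def build_xfcc(pem, subject=""):
    """Build one XFCC element: Cert is URL-encoded PEM, values are double-quoted."""
    pairs = ['Cert="{}"'.format(quote(pem, safe=""))]
    if subject:
        pairs.append('Subject="{}"'.format(subject.replace('"', '\\"')))
    return ";".join(pairs)

def parse_xfcc(header):
    """Split into elements (',') and key=value pairs (';'), honouring quotes."""
    elements, pairs, buf = [], {}, []
    quoted = escaped = False

    def flush(end_of_element):
        nonlocal pairs
        key, sep, value = "".join(buf).partition("=")
        buf.clear()
        if sep:
            pairs[key.strip()] = value
        if end_of_element and pairs:
            elements.append(pairs)
            pairs = {}

    for ch in header:
        if escaped:
            buf.append(ch)
            escaped = False
        elif quoted and ch == "\\":
            escaped = True
        elif ch == '"':
            quoted = not quoted
        elif ch in ";," and not quoted:
            flush(end_of_element=(ch == ","))
        else:
            buf.append(ch)
    flush(end_of_element=True)
    return elements

def cert_pems(header):
    """Decoded PEM of every element that carries a Cert key, in header order."""
    return [unquote(e["Cert"]) for e in parse_xfcc(header) if "Cert" in e]
```

An empty header parses to no elements, which corresponds to the "without XFCC header" case in the list above.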
