External Authorization
This filter should be configured with the name envoy.filters.http.ext_authz.
The external authorization filter calls an external gRPC or HTTP service to check whether an incoming HTTP request is authorized. If the request is deemed unauthorized, it is normally denied with a 403 (Forbidden) response. Note that sending additional custom metadata from the authorization service to the upstream, to the downstream, or to the authorization service itself is also possible. This is explained in more detail at .
The content of the requests that are passed to an authorization service is specified by CheckRequest.
The HTTP filter, using either a gRPC or an HTTP service, can be configured as follows. You can see all the configuration options at .
A sample configuration for a gRPC authorization server (the cluster definition that the filter points at):

```yaml
clusters:
- name: ext-authz
  type: static
  typed_extension_protocol_options:
    envoy.extensions.upstreams.http.v3.HttpProtocolOptions:
      "@type": type.googleapis.com/envoy.extensions.upstreams.http.v3.HttpProtocolOptions
      explicit_http_config:
        # The gRPC authorization server is reached over HTTP/2.
        http2_protocol_options: {}
  load_assignment:
    cluster_name: ext-authz
    endpoints:
    - lb_endpoints:
      - endpoint:
          address:
            socket_address:
              address: 127.0.0.1
              port_value: 10003
  # This timeout covers only the initial TCP connection, not the
  # entire request.
  connect_timeout: 0.25s
```
Note
One of the features of this filter is to send the HTTP request body to the configured gRPC authorization server as part of the check request.
A sample configuration is as follows:
Please note that by default the CheckRequest carries the HTTP request body as a UTF-8 string and fills the body field. To pack the request body as raw bytes instead, the corresponding field must be set to true; the raw_body field is then populated and the body field is left empty.
A sample filter configuration for a raw HTTP authorization server:

```yaml
http_filters:
- name: envoy.filters.http.ext_authz
  typed_config:
    "@type": type.googleapis.com/envoy.extensions.filters.http.ext_authz.v3.ExtAuthz
    http_service:
      server_uri:
        uri: 127.0.0.1:10003
        cluster: ext-authz
        timeout: 0.25s
    # Deny requests when the authorization server is unreachable or errors.
    failure_mode_allow: false
```

A sample virtual host and route configuration. The virtual host adds context (the virtual_host context extension) to every check request, and the filter is disabled for requests under /static:

```yaml
route_config:
  name: local_route
  virtual_hosts:
  - name: local_service
    domains: ["*"]
    typed_per_filter_config:
      envoy.filters.http.ext_authz:
        "@type": type.googleapis.com/envoy.extensions.filters.http.ext_authz.v3.ExtAuthzPerRoute
        check_settings:
          context_extensions:
            virtual_host: local_service
    routes:
    - match: { prefix: "/static" }
      route: { cluster: some_service }
      typed_per_filter_config:
        envoy.filters.http.ext_authz:
          "@type": type.googleapis.com/envoy.extensions.filters.http.ext_authz.v3.ExtAuthzPerRoute
          # Static assets skip the authorization check entirely.
          disabled: true
    - match: { prefix: "/" }
      route: { cluster: some_service }
```
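A minimal authorization server that the http_service sample above can be pointed at, written here as an added example (it is not Envoy's code or part of its documentation). It listens on the sample's server_uri (127.0.0.1:10003), allows a request only when the forwarded Authorization header carries a token from a constructed table, and returns an x-ext-authz-subject header on allow; that header name, the token table and the subject values are assumptions, and the header only becomes dynamic metadata if the filter lists it under dynamic_metadata_from_headers, which the sample does not configure.

```python
"""Minimal ext_authz HTTP authorization server (added example, not Envoy's code)."""
from http.server import BaseHTTPRequestHandler, HTTPServer
import hmac

# Constructed sample tokens -> subject. A real server would validate a signed
# credential; these are hypothetical values for a runnable demonstration.
TOKENS = {"dev-token-alice": "alice", "dev-token-bob": "bob"}


def authorize(headers):
    """Decide one ext_authz check from the forwarded request headers.

    Returns (status, response_headers). Envoy treats 200 as allowed and any
    other status as a denial, so 403 is returned for a missing, malformed or
    unknown bearer token.
    """
    scheme, _, token = headers.get("authorization", "").partition(" ")
    if scheme.lower() != "bearer" or not token:
        return 403, {"x-ext-authz-reason": "missing_bearer_token"}
    for known, subject in TOKENS.items():
        # Constant-time comparison so timing does not leak token prefixes.
        if hmac.compare_digest(known.encode(), token.encode()):
            return 200, {"x-ext-authz-subject": subject}
    return 403, {"x-ext-authz-reason": "unknown_token"}


class CheckHandler(BaseHTTPRequestHandler):
    def _check(self):
        # Header names are case-insensitive; normalise before lookup.
        status, extra = authorize({k.lower(): v for k, v in self.headers.items()})
        self.send_response(status)
        for name, value in extra.items():
            self.send_header(name, value)
        self.send_header("Content-Length", "0")
        self.end_headers()

    # Envoy forwards the downstream request's method, so accept all of them.
    do_GET = do_POST = do_PUT = do_DELETE = do_PATCH = do_HEAD = do_OPTIONS = _check

    def log_message(self, fmt, *args):  # keep stdout quiet
        pass


if __name__ == "__main__":
    HTTPServer(("127.0.0.1", 10003), CheckHandler).serve_forever()
```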
The HTTP filter outputs statistics in the cluster.<route target cluster>.ext_authz. namespace.
The External Authorization filter supports emitting dynamic metadata as an opaque google.protobuf.Struct.
When using a gRPC authorization server, dynamic metadata will be emitted only when the CheckResponse contains a filled field.
When using an HTTP authorization server, dynamic metadata will be emitted only when there are response headers from the authorization server that match the configured dynamic_metadata_from_headers, if set. For every response header that matches, the filter will emit dynamic metadata whose key is the name of the matched header and whose value is the value of the matched header.
The fraction of requests for which the filter is enabled can be configured via the value of the filter_enabled field.