Skip to content

External authorization (ext_authz) filter #223

Description

@shaneutt

External authorization filter supporting gRPC and HTTP callout to an external auth service.

Requirements

  • gRPC callout to external auth service (Envoy ext_authz compatible)
  • HTTP callout mode as alternative
  • Fail-open and fail-closed modes (configurable, default fail-closed)
  • Caching of auth decisions with configurable TTL
  • Forward selected request headers to auth service
  • Inject auth response headers into upstream request
  • Timeout configuration with sensible defaults

Implementation Notes

  • Implement as HttpFilter under filter/src/builtins/http/security/
  • Connection pooling to auth service
  • Cache key derived from request attributes (configurable)

Parent epic: #12
Related: #14

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Type

    Fields

    No fields configured for Task.

    Projects

    Status
    Next

    Milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions