External authorization filter supporting gRPC and HTTP callout to an external auth service.
Requirements
- gRPC callout to external auth service (Envoy ext_authz compatible)
- HTTP callout mode as alternative
- Fail-open and fail-closed modes (configurable, default fail-closed)
- Caching of auth decisions with configurable TTL
- Forward selected request headers to auth service
- Inject auth response headers into upstream request
- Timeout configuration with sensible defaults
Implementation Notes
- Implement as
HttpFilter under filter/src/builtins/http/security/
- Connection pooling to auth service
- Cache key derived from request attributes (configurable)
Parent epic: #12
Related: #14
External authorization filter supporting gRPC and HTTP callout to an external auth service.
Requirements
Implementation Notes
HttpFilterunderfilter/src/builtins/http/security/Parent epic: #12
Related: #14