Among the most common concerns when exposing APIs to external traffic is how to authenticate and authorize the consumers of those APIs. Auth solutions are also key in providing a source of identity to drive per-client policies such as rate limiting.
For this reason, the Istio Dev Portal comes bundled with an External Authorization Server which plugs directly into Istio to authenticate and authorize API calls made through Istio Gateways.
Configuration of the ExtAuth Server is performed automatically by the Dev Portal based on the configuration provided in the Usage Plans defined in each API Product.
When Usage Plans are enabled for an API Product, API client requests issued to that product will be authorized (or rejected) under a predefined Usage Plan. When a user is authorized to consume an API, the rate limiting policies defined in the associated Usage Plan are applied.