API Authorization

Among the most common concerns when exposing APIs to external traffic is how to authenticate and authorize the consumers of those APIs. Authentication also supplies the client identity needed to drive per-client policies such as rate limiting.

The Gloo Gateway already ships with an External Authorization (ExtAuth) Server to authenticate and authorize API calls. Istio, on the other hand, does not provide such a server out of the box; for this reason, when targeting the Istio Gateway, the Developer Portal deploys its own External Authorization Server.

Configuration of the ExtAuth Servers is performed automatically by the Developer Portal based on the configuration provided in the Usage Plans defined in each API Product.

When Usage Plans are enabled for an API Product, each API client request issued to that product is authorized (or rejected) against a predefined Usage Plan. Once a client is authorized to consume an API, the rate limiting policies defined in the associated Usage Plan are applied to its requests.